1. VPC
    创建一个带有公有子网和私有子网的VPC, 名为vpc-git

    并修改VPC的子网设置,公有子网选择启用自动分配IP地址和资源DNS解析记录

  2. ACM
    创建一个SSL证书, 注意Region需要是us-east-1, CloudFront只能使用这个区域的证书

  3. IAM
    在IAM中创建一个Policy, 名为iam-policy-s3-git, 用于EC2在不配置Access Key的情况下访问S3, 权限配置如下:

     1{
 2    "Version": "2012-10-17",
 3    "Statement": [
 4        {
 5            "Sid": "VisualEditor0",
 6            "Effect": "Allow",
 7            "Action": [
 8                "s3:PutObject",
 9                "s3:GetObject",
10                "s3:ListBucket",
11                "s3:DeleteObject"
12            ],
13            "Resource": [
14                "arn:aws:s3:::s3-git",
15                "arn:aws:s3:::s3-git/*"
16            ]
17        },
18        {
19            "Sid": "VisualEditor1",
20            "Effect": "Allow",
21            "Action": "s3:ListAllMyBuckets",
22            "Resource": "*"
23        }
24    ]
25}

    创建一个IAM Role, 名为iam-role-ec2-git

    • Trusted entity type选择AWS service
    • Service or use case和Use case都选择EC2
    • Permissions policies选择iam-policy-s3-git

  4. S3
    创建一个S3 Bucket, 名为s3-git

  5. Security Group
    创建安全组sg-ssh, inbound放通0.0.0.0/0的TCP 22端口,方便后续连接服务器进行配置

    下面所有的安全组outbound都放通0.0.0.0/0的All Traffic方便使用, 也可精确放通某一个

    创建安全组sg-alb-git-http, 后续还有其他配置需要添加

    创建安全组sg-nlb-git-ssh, inbound放通0.0.0.0/TCP 22端口, 方便ssh连接Git服务器

    创建安全组sg-ec2-git, inbound放通sg-alb-git-http的TCP 3000端口, 用于网页访问, 放通TCP 2222端口用于SSH连接

    创建安全组sg-valkey-git, inbound放通sg-ec2-git的TCP 6379端口, 用于EC2访问Valkey

    创建安全组sg-rds-git, inbound放通sg-ec2-git的TCP 5432端口, 用于EC2访问PostgreSQL

  6. Postgres
    创建一个数据库, 名为rds-git, 安全组选择sg-rds-git, 注意设置初始数据库名和用户名密码, 并记住Endpoint地址

  7. Valkey
    创建一个Valkey, 名为valkey-git, 安全组选择sg-valkey-git, 注意设置是否强制SSL及密码, 并记住Endpoint地址

    可以只选私有子网

  8. EC2
    创建一个EC2服务器, 使用公有子网, 名为ec2-git, 安全组选择sg-ec2-git和sg-ssh, 安装并配置Gitea

    为EC2服务器授予iam-role-ec2-git

  9. ALB
    创建一个Target Group, 名为tg-git-http, Protocol为HTTP, Port为80, target选择ec2-git的HTTP 3000端口

    创建一个ALB, 名为alb-git-http

    • Scheme选择Internal
    • Availability Zones and subnets中选择私有子网
    • 安全组选择sg-alb-git-http
    • Listener选择Protocol HTTP, Port 80, Routing action选择Foward to target groups, Target group选择tg-git-http

  10. CloudFront
    创建一个VPC origin, 名为vpc-origin-git, Protocol选择HTTP only, Origin ARN为alb-git-http, HTTP port为80

    VPC origin创建后会自动生成一个名为CloudFront-VPCOrigins-Service-SG的安全组, 需要在sg-alb-git中inbound放通CloudFront-VPCOrigins-Service-SG的TCP 80端口

    创建一个CloudFront节点, 名为cdn-git

    • 填写一个域名, 要和上面在ACM中的证书兼容
    • Origin type选择VPC origin并选择Origin为vpc-origin-git
    • Cache Settings选择Customize cache Settings
    • Allowed HTTP methods选择GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
    • Cache policy选择Caching Disabled
    • Origin request policy选择All Viewer

    创建完成后在Behaviours中添加两个新的Behaviour, 确保新创建的Behaviour在Default之上

    • Origin and origin groups选择唯一的一个origin
    • Path pattern分别填写/assets/* 和/avatars/*
    • Allowed HTTP methods选择GET, HEAD
    • Cache policy选择UseOriginCacheControlHeaders-QueryStrings

  11. NLB
    创建一个Target Group, 名为tg-git-ssh, Protocol为TCP, Port为22, target选择ec2-git的TCP 2222端口

    创建一个NLB, 名为nlb-git-ssh

    • Scheme选择Internet-facing
    • Availability Zones and subnets中选择公有子网
    • 安全组选择sg-nlb-git-ssh
    • Listener选择Protocol TCP, Port 22, Target group选择tg-git-ssh

  12. GA
    创建一个GA, 名为ga-git-ssh

    • Ports为22, Protocol为TCP
    • Region选择NLB所在的Region
    • 添加一个Endpoint, Endpoint type选择Network Load Balancer, Endpoint选择nlb-git-ssh

  13. Gitea参考配置
    docker-compose.yaml

     1services:
 2  gitea:
 3    image: gitea/gitea:1.25
 4    restart: always
 5    environment:
 6      - USER_UID=1001
 7      - USER_GID=1001
 8    volumes:
 9      - /data/gitea:/data
10      - /etc/timezone:/etc/timezone:ro
11      - /etc/localtime:/etc/localtime:ro
12    ports:
13      - 3000:3000
14      - 2222:22

    app.ini

      1APP_NAME = Gitea: Git with a cup of tea
  2RUN_MODE = prod
  3RUN_USER = git
  4WORK_PATH = /data/gitea
  5
  6[repository]
  7ROOT = /data/git/repositories
  8
  9[repository.local]
 10LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
 11
 12[repository.upload]
 13TEMP_PATH = /data/gitea/uploads
 14
 15[server]
 16APP_DATA_PATH = /data/gitea
 17DOMAIN = git.huwenqiang.cn
 18SSH_DOMAIN = ssh.git.huwenqiang.cn
 19HTTP_PORT = 3000
 20ROOT_URL = https://git.huwenqiang.cn/
 21DISABLE_SSH = false
 22SSH_PORT = 22
 23SSH_LISTEN_PORT = 22
 24LFS_START_SERVER = true
 25LFS_JWT_SECRET = 
 26OFFLINE_MODE = true
 27
 28[database]
 29PATH = /data/gitea/gitea.db
 30DB_TYPE = postgres
 31HOST = git-huwenqiang-cn.xxxxxxxxxxxx.ap-east-1.rds.amazonaws.com
 32NAME = gitea
 33USER = gitea
 34PASSWD = 
 35LOG_SQL = false
 36SCHEMA =
 37SSL_MODE = require
 38
 39[indexer]
 40ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
 41REPO_INDEXER_ENABLED = true
 42REPO_INDEXER_REPO_TYPES = sources,forks,mirrors,templates
 43REPO_INDEXER_TYPE = bleve
 44
 45[session]
 46PROVIDER = redis
 47PROVIDER_CONFIG = rediss://clustercfg.git-huwenqiang-cn.xxxxxx.ape1.cache.amazonaws.com:6379/0?pool_size=100&idle_timeout=180s
 48
 49[picture]
 50AVATAR_UPLOAD_PATH = /data/gitea/avatars
 51REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
 52DISABLE_GRAVATAR = false
 53ENABLE_FEDERATED_AVATAR = true
 54REPOSITORY_AVATAR_FALLBACK = random
 55
 56[attachment]
 57PATH = /data/gitea/attachments
 58STORAGE_TYPE = minio
 59SERVE_DIRECT = true
 60
 61[log]
 62MODE = file
 63LEVEL = info
 64ROOT_PATH = /data/gitea/log
 65
 66[security]
 67INSTALL_LOCK = true
 68SECRET_KEY =
 69REVERSE_PROXY_LIMIT = 1
 70REVERSE_PROXY_TRUSTED_PROXIES = *
 71INTERNAL_TOKEN = 
 72PASSWORD_HASH_ALGO = pbkdf2
 73
 74[service]
 75DISABLE_REGISTRATION = true
 76REQUIRE_SIGNIN_VIEW = true
 77REGISTER_EMAIL_CONFIRM = false
 78ENABLE_NOTIFY_MAIL = false
 79ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 80ENABLE_CAPTCHA = false
 81DEFAULT_KEEP_EMAIL_PRIVATE = false
 82DEFAULT_ALLOW_CREATE_ORGANIZATION = true
 83DEFAULT_ENABLE_TIMETRACKING = true
 84NO_REPLY_ADDRESS = noreply.git.huwenqiang.cn
 85
 86[lfs]
 87PATH = /data/git/lfs
 88STORAGE_TYPE = minio
 89SERVE_DIRECT = true
 90
 91[mailer]
 92ENABLED = false
 93
 94[openid]
 95ENABLE_OPENID_SIGNIN = false
 96ENABLE_OPENID_SIGNUP = false
 97
 98[cron.update_checker]
 99ENABLED = true
100
101[repository.pull-request]
102DEFAULT_MERGE_STYLE = merge
103
104[repository.signing]
105DEFAULT_TRUST_MODEL = committer
106
107[oauth2]
108JWT_SECRET = 
109
110[federation]
111ENABLED = true
112
113[packages]
114ENABLED = true
115STORAGE_TYPE = minio
116SERVE_DIRECT = true
117
118[repo-archive]
119STORAGE_TYPE = minio
120
121[storage]
122STORAGE_TYPE = minio
123MINIO_ENDPOINT = s3.ap-east-1.amazonaws.com
124MINIO_BUCKET = storage-git-huwenqiang-cn
125MINIO_LOCATION = ap-east-1
126MINIO_USE_SSL = true
127MINIO_BUCKET_LOOKUP_TYPE = dns
128
129[storage.minio]
130STORAGE_TYPE = minio
131MINIO_ENDPOINT = s3.ap-east-1.amazonaws.com
132MINIO_BUCKET = storage-git-huwenqiang-cn
133MINIO_LOCATION = ap-east-1
134MINIO_USE_SSL = true
135MINIO_BUCKET_LOOKUP_TYPE = dns
136
137[actions]
138ENABLED = true
139
140[storage.actions_log]
141STORAGE_TYPE = minio