- Add ADR.md documenting all technology stack decisions with rationale
- Create comprehensive ROADMAP.md with 10-phase implementation plan
- Add 3 architecture diagrams (AWS infrastructure, application stack, network)
- Document collaboration guidelines in `.github/copilot-instructions.md`
- Technology stack decisions: AWS, Terraform, Ansible, Docker Compose, PostgreSQL

Phase 1 establishes foundation for automated Gitea deployment with proper decision tracking and incremental development approach.
3.4 KiB
# Network Architecture Diagram
This diagram shows the VPC network design, subnets, and security group rules.
```mermaid
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#e5e7eb','primaryTextColor':'#111827','primaryBorderColor':'#9ca3af','lineColor':'#111827','secondaryColor':'#d1d5db','tertiaryColor':'#f3f4f6','edgeLabelBackground':'#ffffff','mainBkg':'#f5f5f4','nodeBorder':'#9ca3af','background':'#f5f5f4','clusterBkg':'transparent'},'themeCSS':'.node rect, .node circle, .node ellipse, .node polygon, .node path { filter: none !important; box-shadow: none !important; } .cluster rect { filter: none !important; box-shadow: none !important; } svg { background-color: #f5f5f4 !important; } .cluster-label { background-color: #ffffff !important; padding: 6px 12px !important; border-radius: 4px !important; font-size: 16px !important; font-weight: 700 !important; box-shadow: 0 1px 3px rgba(0,0,0,0.12) !important; border: 1px solid #d1d5db !important; } .edgePath, .edgePath path, .flowchart-link { z-index: 1 !important; }'}}%%
graph TB
    Internet([Internet])
    IGW[Internet Gateway]

    subgraph VPC["VPC 10.0.0.0/16"]
        IGW
        subgraph PublicSubnet["Public Subnet 10.0.1.0/24"]
            EC2[EC2 Instance<br/>Docker Host]
        end
        subgraph SG["Security Group: EC2"]
            direction TB
            SGRules["Inbound:<br/>- 22 SSH from Admin IP<br/>- 80 HTTP from 0.0.0.0/0<br/>- 443 HTTPS from 0.0.0.0/0<br/><br/>Outbound:<br/>- All traffic"]
        end
    end

    Internet -->|HTTPS/HTTP| IGW
    IGW --> PublicSubnet
    EC2 -.->|Protected by| SG

    style VPC fill:#e5e7eb,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style PublicSubnet fill:#d1d5db,stroke:#4b5563,stroke-width:2px,stroke-dasharray: 5 5
    style SG fill:#f3f4f6,stroke:#6b7280,stroke-width:1px,stroke-dasharray: 5 5
    style EC2 fill:#10B981,stroke:#333,stroke-width:1px,color:#fff
    style IGW fill:#6366F1,stroke:#333,stroke-width:1px,color:#fff
    style SGRules fill:#EF4444,stroke:#333,stroke-width:1px,color:#fff
```
## Network Components

### VPC Configuration

- CIDR Block: `10.0.0.0/16` (65,536 IP addresses)
- Region: Single AWS region
- DNS Hostnames: Enabled
- DNS Resolution: Enabled
### Subnets

- Public Subnet: `10.0.1.0/24` (256 IP addresses)
  - Auto-assign public IP: Enabled
  - Contains: EC2 instance
  - Route table: Routes to Internet Gateway
### Internet Gateway

- Attached to VPC
- Enables internet access for resources in public subnet
### Security Groups

**EC2 Security Group:**

- Inbound Rules:
  - Port 22 (SSH): From admin IP only (for management)
  - Port 80 (HTTP): From 0.0.0.0/0 (redirects to HTTPS)
  - Port 443 (HTTPS): From 0.0.0.0/0 (Gitea access)
- Outbound Rules:
  - All traffic: To 0.0.0.0/0 (for updates, backups to S3)
### Security Considerations

- SSH Access: Restricted to a specific admin IP address (your IP)
- HTTP/HTTPS: Open to the internet (required for Gitea web access)
- No Direct Gitea Access: Port 3000 is not exposed; only nginx on 80/443
- Outbound: Allowed for Docker image pulls, package updates, S3 backups
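The network components and the security-group rules listed above, written out as Terraform HCL. This is an added example, not code from the repository this page documents: the resource names, the `admin_cidr` and `ami_id` variables, the instance size, and the use of the AWS provider v5 `aws_vpc_security_group_ingress_rule` / `aws_vpc_security_group_egress_rule` resources are all assumptions. The `validation` block on `admin_cidr` turns the "SSH from admin IP only" consideration into a plan-time check, so a value such as `0.0.0.0/0` is rejected before anything is applied, and Gitea's port 3000 is simply absent from the ingress rules, matching the "No Direct Gitea Access" point.

```hcl
# Added example: Terraform for the VPC, public subnet, Internet Gateway, route table
# and EC2 security group described in this document. Names and variables are
# assumptions, not the project's own code. Needs AWS provider >= 5.x for the
# aws_vpc_security_group_*_rule resources and Terraform >= 1.3 for endswith().

variable "admin_cidr" {
  description = "Single admin address allowed to SSH, as a /32 CIDR (assumed variable)"
  type        = string

  # Plan-time guard for "SSH from admin IP only": reject anything wider than one host.
  validation {
    condition     = can(cidrhost(var.admin_cidr, 0)) && endswith(var.admin_cidr, "/32")
    error_message = "admin_cidr must be a single-host /32 CIDR, never 0.0.0.0/0."
  }
}

variable "ami_id" {
  description = "AMI for the Docker host (assumed variable; supply your own)"
  type        = string
}

resource "aws_vpc" "gitea" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true # DNS Resolution: Enabled
  enable_dns_hostnames = true # DNS Hostnames: Enabled
  tags                 = { Name = "gitea-vpc" }
}

resource "aws_internet_gateway" "gitea" {
  vpc_id = aws_vpc.gitea.id
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.gitea.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true # Auto-assign public IP: Enabled
  tags                    = { Name = "gitea-public" }
}

# The default route to the Internet Gateway is what makes this subnet "public".
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.gitea.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gitea.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_security_group" "ec2" {
  name        = "gitea-ec2"
  description = "Gitea Docker host: SSH from admin only, HTTP/HTTPS from anywhere"
  vpc_id      = aws_vpc.gitea.id
}

# Inbound 22: admin IP only.
resource "aws_vpc_security_group_ingress_rule" "ssh_admin" {
  security_group_id = aws_security_group.ec2.id
  cidr_ipv4         = var.admin_cidr
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

# Inbound 80 and 443: public, terminated by nginx. Gitea's own port 3000 is
# deliberately not listed, so it is reachable only through the reverse proxy.
resource "aws_vpc_security_group_ingress_rule" "web" {
  for_each          = toset(["80", "443"])
  security_group_id = aws_security_group.ec2.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = tonumber(each.value)
  to_port           = tonumber(each.value)
}

# Outbound: all traffic. ip_protocol "-1" means all protocols; no ports may be set.
resource "aws_vpc_security_group_egress_rule" "all" {
  security_group_id = aws_security_group.ec2.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

resource "aws_instance" "docker_host" {
  ami                    = var.ami_id
  instance_type          = "t3.small" # assumed size
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.ec2.id]
  tags                   = { Name = "gitea-docker-host" }
}
```

Running `terraform plan -var admin_cidr=0.0.0.0/0` fails at the validation step rather than producing a plan, which is the behaviour you want for a rule that exposes SSH. Using one `aws_vpc_security_group_ingress_rule` resource per rule (rather than inline `ingress` blocks) also means each rule has its own ID and a change to one rule does not replace the others.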
## Traffic Flow

- User request → Internet → Internet Gateway
- Internet Gateway → Public Subnet → EC2 instance
- Security Group inspects the traffic and allows it only on ports 80/443 (and 22 from the admin IP)
- Nginx receives the request, terminates TLS, and proxies it to Gitea on port 3000