This project provisions a minimal, secure-ish self-hosted Git server on AWS:
- Git operations (clone/push/pull): SSH only
- Web UI: GitWeb behind CloudFront (HTTPS)
- EC2 HTTP (port 80): not public, allowed only from CloudFront origin-facing IP range
- Admin access: SSH restricted to your IP (/32)
Link to the repository --> here
Architecture:
- EC2 (Ubuntu, t3.small) runs:
  - git, git-shell
  - gitweb + fcgiwrap
  - nginx (serves GitWeb CGI)
- CloudFront:
  - exposes GitWeb to the internet over HTTPS
  - origin is the EC2 public IP (Elastic IP)
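The CloudFront half of that layout, as an added example (not the project's own Terraform): viewers are served HTTPS only, while CloudFront talks plain HTTP to the origin, which is exactly why the instance's port 80 must accept CloudFront and nothing else. It assumes an `aws_eip.git` resource attached to the instance and uses the EIP's public DNS name as the origin, since CloudFront origins are hostnames rather than raw addresses.

```hcl
# Added example (not the project's own Terraform): CloudFront in front of GitWeb.
# Assumed: aws_eip.git is the Elastic IP attached to the EC2 instance.

locals {
  origin_id = "gitweb-ec2"
}

data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled" # GitWeb output is dynamic; do not cache it
}

data "aws_cloudfront_origin_request_policy" "all_viewer" {
  name = "Managed-AllViewer" # pass query strings (?p=repo.git;a=summary) through
}

resource "aws_cloudfront_distribution" "gitweb" {
  enabled = true
  comment = "GitWeb over HTTPS"

  origin {
    origin_id   = local.origin_id
    domain_name = aws_eip.git.public_dns # assumed: hostname of the Elastic IP

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "http-only" # the no-TLS-to-origin limitation the README states
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id         = local.origin_id
    viewer_protocol_policy   = "https-only" # plain-HTTP viewers are refused, not redirected
    allowed_methods          = ["GET", "HEAD", "OPTIONS"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true # *.cloudfront.net cert, no custom domain
  }
}

output "gitweb_url" {
  value = "https://${aws_cloudfront_distribution.gitweb.domain_name}/cgi-bin/gitweb.cgi"
}
```

`https-only` rather than `redirect-to-https` means a viewer that connects over HTTP gets a 403 instead of a redirect; for an admin-facing UI that is the stricter choice. The `AllViewer` origin request policy forwards the viewer's `Host` header, so GitWeb builds its links against the CloudFront domain rather than the EC2 hostname.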
Prerequisites:
- Terraform >= 1.14
- AWS credentials configured (e.g. `aws configure`)
- An existing EC2 Key Pair in the target region
- Your public IP address (CIDR /32)
Usage:
- Go to the terraform folder:

  ```sh
  cd terraform
  ```

- Create your tfvars:

  ```sh
  cp terraform.tfvars.example terraform.tfvars
  # edit terraform.tfvars with your values
  ```

- Init & apply:

  ```sh
  terraform init
  terraform apply
  ```

Terraform will output:
- the instance Public IP
- an SSH command
- the CloudFront URL for GitWeb

Open the output URL:

```
https://<cloudfront-domain>/cgi-bin/gitweb.cgi
```
- SSH into the instance as `ubuntu` (use the output ssh command).
- Create a bare repository:

  ```sh
  sudo -u git git init --bare /var/lib/git/<project-name>.git
  ```

- From your workstation, add the remote and push:

  ```sh
  git remote add origin ssh://git@<EC2_PUBLIC_IP>:/var/lib/git/<project-name>.git
  git push -u origin main
  ```

Notes:
- This project copies the `ubuntu` user's `authorized_keys` to the `git` user at boot so the same key pair can be used for both `ubuntu@` and `git@`.
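One way to do that key copy at first boot, as an added example (not the project's own Terraform): the instance's `user_data` installs git, creates the `git` user with `git-shell` as its login shell, and copies the public key with explicit owner and modes. Inputs `var.ami_id`, `var.key_name`, `var.subnet_id` and `var.git_sg_id` are assumed names.

```hcl
# Added example (not the project's own Terraform): EC2 instance whose first-boot
# script gives the git user the same public key as ubuntu.
# Assumed inputs: var.ami_id, var.key_name, var.subnet_id, var.git_sg_id.

resource "aws_instance" "git" {
  ami                    = var.ami_id       # assumed: an Ubuntu AMI
  instance_type          = "t3.small"
  key_name               = var.key_name     # assumed: existing EC2 key pair
  subnet_id              = var.subnet_id    # assumed
  vpc_security_group_ids = [var.git_sg_id]  # assumed: the restrictive security group

  # Runs once at first boot. cloud-init has already written the key pair's
  # public key to /home/ubuntu/.ssh/authorized_keys before user scripts run.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    export DEBIAN_FRONTEND=noninteractive
    apt-get update -q
    apt-get install -y -q git

    # Login shell is git-shell: the key can push and pull, but gets no
    # interactive shell, so a leaked key is limited to repository access.
    if ! id git >/dev/null 2>&1; then
      useradd --system --create-home --home-dir /var/lib/git \
              --shell /usr/bin/git-shell git
    fi

    # sshd (StrictModes) ignores an authorized_keys file whose directory or
    # file is writable by others, so set owner and modes while copying.
    install -d -m 700 -o git -g git /var/lib/git/.ssh
    install -m 600 -o git -g git \
      /home/ubuntu/.ssh/authorized_keys /var/lib/git/.ssh/authorized_keys
  EOF

  user_data_replace_on_change = true
}

resource "aws_eip" "git" {
  instance = aws_instance.git.id
  domain   = "vpc"
}
```

Because the script copies the file rather than symlinking it, a later key rotation on `ubuntu` does not propagate to `git` by itself; re-run the copy, or replace the instance with a new key pair.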
- SSH (22): only from `my_ip_cidr`
- HTTP (80): only from the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing`
- CloudFront viewer: HTTPS-only (CloudFront default cert)
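The two ingress rules above, as an added example (not the project's own Terraform), plus a variable validation that rejects an admin CIDR wider than a single IPv4 host. `var.vpc_id` and the variable name `my_ip_cidr` (which the README mentions) are the only assumed inputs.

```hcl
# Added example (not the project's own Terraform): ingress rules for the git
# server, and a guard against an over-broad admin CIDR.
# Assumed inputs: var.vpc_id; my_ip_cidr is defined below.

variable "my_ip_cidr" {
  type        = string
  description = "Admin workstation address as a single IPv4 host in CIDR form"

  # Refuse anything wider than one host, so a tfvars typo such as
  # 0.0.0.0/0 cannot quietly expose SSH to the whole internet.
  validation {
    condition     = can(cidrhost(var.my_ip_cidr, 0)) && can(regex("^[0-9.]+/32$", var.my_ip_cidr))
    error_message = "my_ip_cidr must be an IPv4 /32, e.g. 203.0.113.10/32."
  }
}

# AWS-maintained list of the CloudFront addresses that connect to origins.
# Referencing it by name keeps the rule current as AWS changes its ranges;
# a hand-copied IP list would silently go stale.
data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "git" {
  name        = "git-server"
  description = "SSH from admin /32 only, HTTP from CloudFront origin-facing only"
  vpc_id      = var.vpc_id # assumed
}

# Admin and git-over-SSH share port 22: one source address only.
resource "aws_vpc_security_group_ingress_rule" "ssh_admin" {
  security_group_id = aws_security_group.git.id
  description       = "SSH from admin workstation"
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
  cidr_ipv4         = var.my_ip_cidr
}

# GitWeb: port 80 reachable only from CloudFront's origin-facing ranges.
# A request sent straight to the Elastic IP on :80 is dropped by the SG.
resource "aws_vpc_security_group_ingress_rule" "http_cloudfront" {
  security_group_id = aws_security_group.git.id
  description       = "HTTP from CloudFront origin-facing prefix list"
  ip_protocol       = "tcp"
  from_port         = 80
  to_port           = 80
  prefix_list_id    = data.aws_ec2_managed_prefix_list.cloudfront_origin_facing.id
}

# Outbound stays open so apt and the instance's own git can reach the internet.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.git.id
  ip_protocol       = "-1" # all protocols and ports
  cidr_ipv4         = "0.0.0.0/0"
}
```

Two caveats worth knowing: a managed prefix list counts against the security group's rule quota by its weight (a few dozen entries for the CloudFront list), so check the quota if the group carries many other rules; and the prefix list only proves the request came through CloudFront, not through your distribution, so any CloudFront distribution could still reach port 80. That is the gap the README's "no end-to-end TLS to origin" limitation points at, and a custom origin header checked by nginx is the usual next step.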
Cleanup:

```sh
cd terraform
terraform destroy
```

Limitations:
- No additional EBS volume: repositories live on the root disk
- No end-to-end TLS to origin: origin is HTTP but restricted to CloudFront IPs only
- No WAF, no logging to S3 (can be added as a next iteration)