--- /dev/null
+provider "aws" {
+ region = var.region
+***REMOVED***
+
+# Using default AWS values for Network
+data "aws_vpc" "default" {
+ default = true
+***REMOVED***
+
+data "aws_subnets" "default" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.default.id]
+ ***REMOVED***
+***REMOVED***
+
+# Ubuntu linux AMI version
+data "aws_ami" "ubuntu" {
+ most_recent = true
+ owners = ["099720109477"] # Offical Canonical ID
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ ***REMOVED***
+***REMOVED***
+
+# CloudFront with restrict origin access
+data "aws_ec2_managed_prefix_list" "cloudfront_origin" {
+ name = "com.amazonaws.global.cloudfront.origin-facing"
+***REMOVED***
+
+# Security group
+resource "aws_security_group" "gitweb" {
+ name = "${var.project_name***REMOVED***-sg"
+ description = "SSH from my IP; HTTP only from CloudFront origin-facing"
+ vpc_id = "data.aws_vpc.default.id"
+
+ ingress {
+ description = "SSH only from my IP"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = [var.my_ip_cidr]
+ ***REMOVED***
+
+ ingress {
+ description = "HTTP only from CloudFront origin-facing"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront_origin.id]
+ ***REMOVED***
+
+ egress {
+ description = "Allow outbound for updates"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+
+ tags {
+ Name = "${var.project_name***REMOVED***-sg"
+ ***REMOVED***
+ ***REMOVED***
+***REMOVED***
+
+# EC2 instance
+resource "aws_instance" "gitweb" {
+ ami = data.aws_ami.ubuntu.id
+ instance_type = var.instance_type
+ subnet_id = data.aws_subnets.default.ids[0]
+ vpc_security_group_ids = [aws_security_group.gitweb.id]
+ key_name = var.key_name
+
+ user_data = file("${path.module/user_data_config.sh***REMOVED***")
+
+ tags {
+ Name = "${var.project_name***REMOVED***-ec2"
+ ***REMOVED***
+***REMOVED***
+
+# Elastic IP for stability (because of CloudFront)
+
+resource "aws_eip" "gitweb" {
+ domanin = "vpc"
+ instance = aws_instance.gitweb.id
+
+ tags {
+ Name = "${var.project_name***REMOVED***-eip"
+ ***REMOVED***
+***REMOVED***
+
+# CloudFront distribuition
+resource "aws_cloudfront_distribution" "gitweb" {
+ enabled = true
+ is_ipv6_enabeld = true
+ comment = "GitWeb behind CloudFront (origin restricted)"
+
+ origin {
+ # CloudFront custom origin can use IP addr directly
+ domain_name = aws_eip.gitweb.public_ip
+ origin_id = "${var.project_name***REMOVED***-origin"
+
+ custom_origin_config {
+ http_port = 80
+ https_port = 443
+ origin_protocol_policy = "http-only"
+ origin_ssl_protocols = ["TLSv1.3"]
+ ***REMOVED***
+ ***REMOVED***
+
+ default_cache_bahavior {
+ target_origin_id = "${var.project_name***REMOVED***-origin"
+ viewer_protocol_policy = "redirect-to-https"
+
+ allowed-methods = ["GET", "HEAD"]
+ cached_methods = ["GET", "HEAD"]
+
+ # GitWeb relies on query strings
+ forward_values {
+ query_string = true
+ headers = []
+ cookies {
+ forward = "none"
+ ***REMOVED***
+ ***REMOVED***
+
+ # Caching the often GitWeb content change
+ min_ttl = 0
+ default_ttl = 0
+ max_ttl = 60
+ ***REMOVED***
+
+ restrictions {
+ geo_restriction {
+ restriction_type = "none"
+ ***REMOVED***
+ ***REMOVED***
+
+ # Default CloudFront certificate (HTTPS on CF domain)
+ viewer_certificate {
+ cloudfront_default_certificate = true
+ ***REMOVED***
+
+ tags = {
+ Name = "${var.project_name***REMOVED***-cf"
+ ***REMOVED***
+***REMOVED***
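Review bot: The origin is reached over cleartext (`origin_protocol_policy = "http-only"` at L109) while the security group ingress at L48–L54 admits port 80 from the whole CloudFront origin-facing prefix list, so edge-to-EIP traffic crosses the Internet unencrypted and any CloudFront distribution in any account can reach the origin directly; if that is accepted, at least add a secret `custom_header` block inside `origin` and have nginx reject requests that lack it. The plan will fail before that matters: `vpc_id = "data.aws_vpc.default.id"` at L38 is a string literal rather than a reference, the `tags` block at L63 sits inside `egress` where it is not valid, the `tags {` forms at L63/L79/L90 should be `tags = {` as on L147, and `domanin`, `is_ipv6_enabeld`, `default_cache_bahavior`, `allowed-methods` and `forward_values` (should be `forwarded_values`) are misspelled argument names. The `file()` call at L77 closes the interpolation after the filename; it should read `file("${path.module}/user_data_config.sh")`. `origin_ssl_protocols = ["TLSv1.3"]` is moot for an http-only origin, and I believe TLSv1.2 is the highest value CloudFront accepts there — worth confirming before switching to `https-only`.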
--- /dev/null
+#!/bin/bash
+set -euo pipefail
+export DEBIAN_FRONTEND=noninteractive
+
+apt-get update
+apt-get install -y git gitweb fcgiwrap nginx
+
+# --- A dedicated 'git' user, git-shell only ---
+if ! id git >/dev/null 2>&1; then
+ useradd -m -d /home/git -s /usr/bin/git-shell git
+fi
+
+# Repo root
+mkdir -p /var/lib/git
+chown -R git:git /var/lib/git
+chmod 2750 /var/lib/git
+
+# --- GitWeb config ---
+cat >/etc/gitweb.conf <<'***REMOVED***'
+$projectroot = "/var/lib/git";
+$projects_list = $projectroot;
+$site_name = "My Git Server (GitWeb)";
+$feature{'blame'***REMOVED*** = 1;
+$feature{'snapshot'***REMOVED*** = 1;
+***REMOVED***
+
+systemctl enable --now fcgiwrap
+
+# --- Nginx serving GitWeb via fcgiwrap ---
+cat >/etc/nginx/sites-available/gitweb <<'***REMOVED***'
+server {
+ listen 80;
+ server_name _;
+
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header Referrer-Policy no-referrer always;
+
+ location = / { return 302 /cgi-bin/gitweb.cgi; ***REMOVED***
+
+ location /gitweb/static/ {
+ alias /usr/share/gitweb/static/;
+ ***REMOVED***
+
+ location /cgi-bin/gitweb.cgi {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/gitweb.cgi;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ ***REMOVED***
+***REMOVED***
+***REMOVED***
+
+rm -f /etc/nginx/sites-enabled/default
+ln -sf /etc/nginx/sites-available/gitweb /etc/nginx/sites-enabled/gitweb
+nginx -t
+systemctl enable --now nginx
+
+# --- SSH hardening
+sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
+
+# Your requirement: allow root login (key-only)
+sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
+systemctl restart ssh
+
+# Convenience: allow same key used for ubuntu user to be used for git user
+if [ -f /home/ubuntu/.ssh/authorized_keys ]; then
+ install -d -m 700 -o git -g git /home/git/.ssh
+ cat /home/ubuntu/.ssh/authorized_keys > /home/git/.ssh/authorized_keys
+ chown git:git /home/git/.ssh/authorized_keys
+ chmod 600 /home/git/.ssh/authorized_keys
+fi
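Review bot: `PermitRootLogin yes` at L214 is broader than the key-only requirement stated in the comment above it — it also accepts password authentication should `PasswordAuthentication` ever be re-enabled, and on Ubuntu 22.04 images I believe the top-of-file `Include /etc/ssh/sshd_config.d/*.conf` snippets take precedence over the lines these `sed` edits touch, so the result should be verified with `sshd -T`; `PermitRootLogin prohibit-password` expresses key-only root exactly. Separately, `/var/lib/git` is made `git:git` with mode 2750 at L166–L167 while gitweb runs through fcgiwrap as www-data, so the CGI cannot traverse the project root and the listing will be empty; either add www-data to the git group or grant read/traverse to others. The script may continue past the end of the hunk.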