Gitea - Hardened Self-Hosted Git Service on Ubuntu 24.04

This is a repackaged software product wherein additional charges apply for hardening, security configuration, and support.

WHAT IS GITEA

Gitea is a lightweight, open-source self-hosted Git service written in Go. It provides a complete code hosting platform including repositories, branches, tags, code review, pull requests, issue tracking, milestones, wikis, and webhooks - all in a single binary with minimal resource requirements.

Gitea is compatible with the GitHub API, enabling existing GitHub clients and integrations to work with minimal reconfiguration. Gitea Actions support is included, providing GitHub Actions-compatible CI/CD workflows using standard YAML syntax. SSH clone is available on port 2222; HTTPS clone on port 443.

WHY SELF-HOST YOUR GIT SERVICE

Cloud Git platforms expose your proprietary code to third-party infrastructure. Self-hosted Gitea keeps all repositories, commit history, and CI/CD artifacts within your own VPC. For regulated industries, GDPR compliance, or avoiding vendor lock-in, a self-hosted Git service is the practical solution.

The Gitea binary is approximately 100 MB with no external runtime dependencies - significantly lighter than GitLab CE, which requires multiple processes and services.

ENHANCED SECURITY OUT OF THE BOX

Default Gitea installations require manual steps to configure a database, set up a reverse proxy, generate internal secrets, and restrict network access. Leaving these unconfigured exposes the instance to unauthorized repository access and data leakage.

This AMI pre-configures all of these for you at first boot.

WHAT THIS AMI ADDS

Security defaults:

• Admin account created with a unique password (EC2 Instance ID) at first boot
• Four internal secrets generated per instance at first boot - INTERNAL_TOKEN, JWT_SECRET, LFS_JWT_SECRET, SECRET_KEY - never shared across deployments
• Gitea binary verified with upstream GPG signature before installation
• Nginx reverse proxy with TLS - HTTP on port 80 redirects to HTTPS on port 443
• UFW firewall - ports 22, 80, 443, and 2222 open; all other ports blocked
• fail2ban - SSH brute-force protection
• AppArmor - mandatory access control

Database:

• PostgreSQL 16 local database, listening on 127.0.0.1 only - not exposed to the network

OS hardening (CIS Level 1):

• CIS Ubuntu 24.04 LTS Level 1 benchmark applied via ansible-lockdown
• auditd - system call auditing
• SSH hardening - PasswordAuthentication disabled, key-only access
• Kernel hardening - SYN cookies, ASLR, rp_filter, TCP BBR
• IMDSv2 enforced - SSRF protection

Compliance artifacts (inside the AMI):

• SBOM - CycloneDX 1.6 software bill of materials at /etc/lynxroute/sbom.json
• CIS Conformance Report - OpenSCAP HTML report at /etc/lynxroute/cis-report.html
• Tailored CIS profile - documents all applied controls and deviations at /usr/share/doc/lynxroute/CIS_TAILORED_PROFILE.md

Quick Start:

1. Launch instance (t3.small recommended)
2. Open Security Group - allow TCP 443 and TCP 2222 from your IP
3. SSH: ssh -i key.pem ubuntu@<PUBLIC_IP>
4. Read credentials: sudo cat /root/gitea-credentials.txt
5. Open https://<PUBLIC_IP> in your browser - accept the self-signed certificate warning
6. Log in with admin credentials from the credentials file

Admin password equals the EC2 Instance ID. Credentials are saved to /root/gitea-credentials.txt at first boot. Replace the self-signed TLS certificate with a CA-signed certificate for production use.