Tommi's Scribbles

How To Set Up JetBrains Team Tools

  • Published on 2021-12-18

JetBrains (https://www.jetbrains.com) is a software developer famous for their amazing Integrated Development Environments (IDE), but the company also makes some nifty team tools. The kicker is that for small teams or solo developers, using these tools is free.

However, the JetBrains documentation doesn't clearly cover the full setup, which can leave some question marks. In this guide I try to fill in the blanks and guide you through the setup of standalone JetBrains Hub, YouTrack, Upsource, and TeamCity servers, and an Apache reverse proxy server in front of them.

NOTE: This setup is for a full Continuous Development / Continuous Integration (CD/CI) setup. If you only need a single part of the system, you will likely have an easier time using a single cloud service. For example, YouTrack has a cloud version if you only need project management and tasking features, while GitHub might be enough if you just want to do code reviews. JetBrains is offering a TeamCity Cloud beta if you only need the builds, or you can migrate to AWS like I have done.

A few background details

I have done this setup both using Hetzner Cloud and Amazon Web Services (AWS), using both the standalone installation method and the Docker container method. As the differences between the methods and services are minor, and to keep things simpler, I will demonstrate the standalone installation method on Debian 10 in Hetzner Cloud. The basic principles remain the same even if using the Docker installation method or utilizing AWS, so the below should be easily adaptable to your needs. For other Virtual Private Server (VPS) or cloud services such as Linode or Azure, this guide should work close to as is, as long as the service offers private networking between instances.

NOTE ABOUT PRICING: while the JetBrains software is free for small teams, running the infrastructure comes with a price tag. On AWS, an always-on setup tallied about $150 a month. You can price optimize it a bit, but probably not much. On Hetzner, the pricing was about $35 a month, but there are trade-offs with the lower cost, so consider your needs and options carefully.

Things to consider before getting started

Having access to your own domain makes life easier. That way you can use subdomains such as hub.yourdomain.com and youtrack.yourdomain.com for pointing to the services. However, getting a domain and setting up Domain Name System (DNS) records will not be covered in this article. Those tasks are rather simple and most larger domain services have good tutorials on how to set things up.

NOTE: I will assume that you have your own domain/subdomains to use. You should be able to modify accordingly on your own if you don't own a domain, but that can make things more complex. I also expect you use the same ports I am using, but you can of course change them and use whatever ports you want. Be careful to update the port in all the relevant places in that case.

Also, keep in mind that this writeup was done on Debian 10 and using the 2020.1 and 2019.4 versions of the JetBrains services. Other versions or Linux distributions might have differences. For example, the URL for the wget command to get the installation packages from JetBrains servers, the directories where configuration files are located, or the commands used can be different (e.g. ufw vs. firewalld, apt vs. yum, apache2 vs. httpd).

The principles remain the same though, and if you are working on a different distribution you should be able to easily search for your particular commands and configuration file locations.

NOTE: I also expect you to know how to spin up instances and access the Command Line Interface (CLI) of your instances without instructions. If unfamiliar, you can likely find instructions from your service provider.

Infrastructure

For this basic setup, there will be 6 separate instances. The servers are all placed in the same internal network, with only the reverse proxy web server allowing outside public HTTP and HTTPS traffic. I chose to utilize ports from 4444 to 4449 for the internal communications, with the instance IP addresses in the 10.0.0.X range. You can choose whatever you want, but take care to update them correctly everywhere. In my non-mission-critical setup, all the servers allowed SSH access with authorized key pairs, including access as the root user. It is recommended as a best practice to disable root user remote access altogether, but since this was a conscious decision I was okay with the compromise as it provided convenience.

NOTE: user management, ssh access setup, using bastion hosts, and other access and security features are not covered in this write-up apart from the simple ufw to demonstrate what you should open to allow the services to work.

The instance setup is the following:

In my personal setup, I also had one server for data (SQL database and a Mercurial server), one server as a centralized log server (Rsyslog, Loki, Grafana), and one server for hosting websites (Jekyll builds deployed by TeamCity). As these instances are not relevant to using the team tools, I left these servers out of this writeup.

NOTE: Depending on your needs, you could also rock multiple TeamCity agents instead of just one. As installing multiple agents is the same process, covering only one should be enough for you to be able to do the other two you get with the free license on your own.

Setting up a reverse proxy web server for the services

Let's start with the reverse proxy web server, as that is used to access the JetBrains services. The setup is simple and basic. I chose to use the lowest qualifying instance available for the server. Hetzner, as well as AWS, allows easy upscaling should you need more performance, so starting low and scaling up makes sense.

NOTE: If starting with fresh instances, as a best practice you should update and upgrade your system before using the commands in this guide. On Debian 10, that means apt-get update and apt-get upgrade with possibly an apt-get dist-upgrade, depending on how old the images your service provider uses are.

Below is the list of commands to get started with the reverse proxy server. The commands install the Apache web server, the ufw firewall management interface, and open the needed ports on the firewall with http/https used for web access and ssh used to manage the server. We disable any other incoming traffic by default.

NOTE: Since I used a root user account, if you are using a limited user account you might have to run some commands in this guide with elevated user privileges e.g. sudo.

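# Install the Apache web server and the ufw firewall front end
apt install apache2
apt install ufw
# Deny all incoming traffic by default, then open only what is needed
ufw default deny incoming
ufw allow http
ufw allow https
ufw allow ssh
# Turn the firewall on with the rules above
ufw enable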
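
To confirm the firewall ended up in the state described above, the following added example (not part of the original guide) audits the text of ufw status verbose: it checks that the firewall is active, that incoming traffic is denied by default, and that only ssh, http and https are allowed in. The names audit_ufw, sample_good and sample_exposed are hypothetical, and the sample output is constructed; the exposed case imagines internal port 4444 opened on the proxy by mistake.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` output on the reverse proxy.
# ALLOWED holds the only inbound ports this guide opens (ssh, http, https).
ALLOWED="22/tcp 80/tcp 443/tcp"

# Reads `ufw status verbose` text on stdin and prints one finding per line.
# Returns 0 when the policy matches, 1 when there is at least one finding.
audit_ufw() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Status:"  { active  = ($2 == "active") }
        $1 == "Default:" { deny_in = ($2 == "deny" && $3 == "(incoming),") }
        # Inbound allow rules only; the first field is the port/protocol.
        / ALLOW / && !/ ALLOW OUT / && !($1 in ok) {
            print "unexpected inbound rule: " $1; bad = 1
        }
        END {
            if (!active)  { print "firewall is not active"; bad = 1 }
            if (!deny_in) { print "default incoming policy is not deny"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the state the commands in this guide should produce.
sample_good() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Constructed sample: an internal service port opened on the proxy by mistake.
sample_exposed() {
    sample_good
    echo "4444/tcp                   ALLOW IN    Anywhere"
}

# Demo on the constructed samples (no live firewall needed).
sample_good | audit_ufw && echo "sample_good: policy matches"
sample_exposed | audit_ufw || echo "sample_exposed: see findings above"
```

On the real server, pipe the live output into the function instead: ufw status verbose | audit_ufw.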

Next, you'll want to enable the necessary mods for apache. This list should cover it all. If any of the mods fail to enable, you will likely need to install them with your package manager.

NOTE: not all distributions have the a2enmod shorthand available. In that case, you need to modify your apache configuration files to enable the mods. Look for your distribution specific instructions online.

a2enmod headers
a2enmod rewrite
a2enmod proxy_http
a2enmod http2
a2enmod ssl
a2enmod proxy_wstunnel

With all the mods active, it is time to install certbot, which allows you to get signed certificates to use HTTPS without your browser going bonkers about it.

apt install certbot

However, before getting your certificates with certbot, you'll want to set up your sites so certbot can update the config files for you. Do note that this automatic update can add the http to https redirection that is already portrayed in some of the below configurations, so you can leave that out. The same goes for adding the location of your SSL certificate files and enabling the SSL engine, so you can omit those too and have certbot add them for you. The reason they are provided below is for you to see what a final site config file can look like.

NOTE: If you have any issues with access down the line, I recommend reviewing your site configuration files to make sure they are close to what is portrayed here; paths, ports, and addresses should be the main sources of differences.

Here are the config files for each site. Remember to enable the sites with a2ensite after finalizing the configs.

Hub site config for Apache


ServerName hub.yourdomain.com
Protocols h2 http/1.1
RequestHeader set X-Forwarded-Proto "https"
DefaultType none
RewriteEngine on
AllowEncodedSlashes on