Sonatype Nexus is an integrated platform that allows developers to proxy, store, and manage Java (Maven) dependencies, Docker, Python, Ruby, NPM, Bower, RPM packages, gitlfs, Apt, Go, Nuget, and distribute their software security.
Why do you need Sonatype Nexus?
- To store private artifacts;
- For caching artifacts that are downloaded from the Internet;
Artifacts supported in the base distribution of Sonatype Nexus:
- Java, Maven (jar)
- Docker
- Python (pip)
- ruby (gem)
- NPM
- bower
- Yum (rpm)
- gitlfs
- Raw
- Apt (deb)
- Go
- nuget
Community-supported artifacts:
- Compose
- Conan
- CPAN
- THE BREAD
- Helmet
- P2
- R
Installing Sonatype Nexus using
Requirements
- Read about using ansible on the web.
- Install ansible
pip install ansibleon the workstation where the playbook is running. - Set on the workstation where the playbook is running.
- Set on the workstation where the playbook is running.
- This role has been tested on CentOS 7, Ubuntu Xenial (16.04) and Bionic (18.04), Debian Jessie and Stretch
jmespathThe library must be installed on the workstation where the playbook is launched. To install, runsudo pip install -r requirements.txt- Save the playbook file (example below) to nexus.yml file
- Run the nexus installation
ansible-playbook -i host nexus.yml
Ansible-playbook example for installing nexus without LDAP with Maven (java), Docker, Python, Ruby, NPM, Bower, RPM and gitlfs repositories.
---
- name: Nexus
hosts: nexus
become: yes
vars:
nexus_timezone: 'Asia/Omsk'
nexus_admin_password: "admin123"
nexus_public_hostname: 'apatsev-nexus-playbook'
httpd_setup_enable: false
nexus_privileges:
- name: all-repos-read
description: 'Read & Browse access to all repos'
repository: '*'
actions:
- read
- browse
- name: company-project-deploy
description: 'Deployments to company-project'
repository: company-project
actions:
- add
- edit
nexus_roles:
- id: Developpers # maps to the LDAP group
name: developers
description: All developers
privileges:
- nx-search-read
- all-repos-read
- company-project-deploy
roles: []
nexus_local_users:
- username: jenkins # used as key to update
first_name: Jenkins
last_name: CI
email: [email protected]
password: "s3cr3t"
roles:
- Developpers # role ID here
nexus_blobstores:
- name: company-artifacts
path: /var/nexus/blobs/company-artifacts
nexus_scheduled_tasks:
- name: compact-blobstore
cron: '0 0 22 * * ?'
typeId: blobstore.compact
taskProperties:
blobstoreName: 'company-artifacts'
nexus_repos_maven_proxy:
- name: central
remote_url: 'https://repo1.maven.org/maven2/'
layout_policy: permissive
- name: jboss
remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'
- name: vaadin-addons
remote_url: 'https://maven.vaadin.com/vaadin-addons/'
- name: jaspersoft
remote_url: 'https://jaspersoft.artifactoryonline.com/jaspersoft/jaspersoft-repo/'
version_policy: mixed
nexus_repos_maven_hosted:
- name: company-project
version_policy: mixed
write_policy: allow
blob_store: company-artifacts
nexus_repos_maven_group:
- name: public
member_repos:
- central
- jboss
- vaadin-addons
- jaspersoft
# Yum. Change nexus_config_yum to true for create yum repository
nexus_config_yum: true
nexus_repos_yum_hosted:
- name: private_yum_centos_7
repodata_depth: 1
nexus_repos_yum_proxy:
- name: epel_centos_7_x86_64
remote_url: http://download.fedoraproject.org/pub/epel/7/x86_64
maximum_component_age: -1
maximum_metadata_age: -1
negative_cache_ttl: 60
- name: centos-7-os-x86_64
remote_url: http://mirror.centos.org/centos/7/os/x86_64/
maximum_component_age: -1
maximum_metadata_age: -1
negative_cache_ttl: 60
nexus_repos_yum_group:
- name: yum_all
member_repos:
- private_yum_centos_7
- epel_centos_7_x86_64
# NPM. Change nexus_config_npm to true for create npm repository
nexus_config_npm: true
nexus_repos_npm_hosted: []
nexus_repos_npm_group:
- name: npm-public
member_repos:
- npm-registry
nexus_repos_npm_proxy:
- name: npm-registry
remote_url: https://registry.npmjs.org/
negative_cache_enabled: false
# Docker. Change nexus_config_docker to true for create docker repository
nexus_config_docker: true
nexus_repos_docker_hosted:
- name: docker-hosted
http_port: "{{ nexus_docker_hosted_port }}"
v1_enabled: True
nexus_repos_docker_proxy:
- name: docker-proxy
http_port: "{{ nexus_docker_proxy_port }}"
v1_enabled: True
index_type: "HUB"
remote_url: "https://registry-1.docker.io"
use_nexus_certificates_to_access_index: false
maximum_component_age: 1440
maximum_metadata_age: 1440
negative_cache_enabled: true
negative_cache_ttl: 1440
nexus_repos_docker_group:
- name: docker-group
http_port: "{{ nexus_docker_group_port }}"
v1_enabled: True
member_repos:
- docker-hosted
- docker-proxy
# Bower. Change nexus_config_bower to true for create bower repository
nexus_config_bower: true
nexus_repos_bower_hosted:
- name: bower-hosted
nexus_repos_bower_proxy:
- name: bower-proxy
index_type: "proxy"
remote_url: "https://registry.bower.io"
use_nexus_certificates_to_access_index: false
maximum_component_age: 1440
maximum_metadata_age: 1440
negative_cache_enabled: true
negative_cache_ttl: 1440
nexus_repos_bower_group:
- name: bower-group
member_repos:
- bower-hosted
- bower-proxy
# Pypi. Change nexus_config_pypi to true for create pypi repository
nexus_config_pypi: true
nexus_repos_pypi_hosted:
- name: pypi-hosted
nexus_repos_pypi_proxy:
- name: pypi-proxy
index_type: "proxy"
remote_url: "https://pypi.org/"
use_nexus_certificates_to_access_index: false
maximum_component_age: 1440
maximum_metadata_age: 1440
negative_cache_enabled: true
negative_cache_ttl: 1440
nexus_repos_pypi_group:
- name: pypi-group
member_repos:
- pypi-hosted
- pypi-proxy
# rubygems. Change nexus_config_rubygems to true for create rubygems repository
nexus_config_rubygems: true
nexus_repos_rubygems_hosted:
- name: rubygems-hosted
nexus_repos_rubygems_proxy:
- name: rubygems-proxy
index_type: "proxy"
remote_url: "https://rubygems.org"
use_nexus_certificates_to_access_index: false
maximum_component_age: 1440
maximum_metadata_age: 1440
negative_cache_enabled: true
negative_cache_ttl: 1440
nexus_repos_rubygems_group:
- name: rubygems-group
member_repos:
- rubygems-hosted
- rubygems-proxy
# gitlfs. Change nexus_config_gitlfs to true for create gitlfs repository
nexus_config_gitlfs: true
nexus_repos_gitlfs_hosted:
- name: gitlfs-hosted
roles:
- { role: geerlingguy.java }
# Debian/Ubuntu only
# - { role: geerlingguy.apache, apache_create_vhosts: no, apache_mods_enabled: ["proxy_http.load", "headers.load"], apache_remove_default_vhost: true, tags: ["geerlingguy.apache"] }
# RedHat/CentOS only
- { role: geerlingguy.apache, apache_create_vhosts: no, apache_remove_default_vhost: true, tags: ["geerlingguy.apache"] }
- { role: ansible-thoteam.nexus3-oss, tags: ['ansible-thoteam.nexus3-oss'] }Screenshots:
Role Variables
Role Variables
Variables with default values ββ(see default/main.yml):
General variables
nexus_version: ''
nexus_timezone: 'UTC'By default, the role will install the latest version of Nexus available. You can fix the version by changing the variable nexus_version. See available versions at .
If you change to a newer version, the role will attempt to update your installed Nexus.
If you are using an older version of Nexus than the latest, you must ensure that you are not using features that are not available in the installed release (e.g. hosting yum repositories available for nexus greater than 3.8.0, git lfs repo for nexus greater than 3.3.0 etc.)
nexus timezone is the Java time zone name, which can be useful in combination with the following cron expressions for nexus_scheduled tasks.
Nexus port and context path
nexus_default_port: 8081
nexus_default_context_path: '/'The port and context path of the Java connection process. nexus_default_context_path must contain a slash when set, e.g.: nexus_default_context_path: '/nexus/'.
Nexus OS user and group
nexus_os_group: 'nexus'
nexus_os_user: 'nexus'The user and group used to own the Nexus files and run the service will be created by the role, if not present.
nexus_os_user_home_dir: '/home/nexus'Allow changing default home directory for nexus user
Nexus instance directories
nexus_installation_dir: '/opt'
nexus_data_dir: '/var/nexus'
nexus_tmp_dir: "{{ (ansible_os_family == 'RedHat') | ternary('/var/nexus-tmp', '/tmp/nexus') }}"Nexus directories.
nexus_installation_dircontains installed executablesnexus_data_dircontains all configuration, repositories and downloaded artifacts. Custom blobstore pathsnexus_data_dircan be customized, see belownexus_blobstores.nexus_tmp_dircontains all temporary files. The default path for redhat has been moved from/tmpto overcome potential problems with automatic cleaning procedures. See #168.
Setting Nexus JVM Memory Usage
nexus_min_heap_size: "1200M"
nexus_max_heap_size: "{{ nexus_min_heap_size }}"
nexus_max_direct_memory: "2G"These are the default settings for the Nexus. Please do not change these values. If you haven't read and don't know what they're doing.
As a second warning, here is an excerpt from the above document:
It is not recommended to increase the JVM heap beyond the recommended values ββin an attempt to improve performance. It can actually have the opposite effect, causing the operating system to run unnecessarily.
Administrator password
nexus_admin_password: 'changeme'Account password "admin" for configuration. This only works on first install by default. Please see [Change admin password after first install](# change-admin-password-after-first-install) if you want to change it later with a role.
It is highly recommended not to store your password in cleartext in the playbook, but to use [ansible-vault encryption] () (either built-in or in a separate file loaded, for example, using include_vars)
Anonymous access by default
nexus_anonymous_access: falseAnonymous access is disabled by default. More about .
Public hostname
nexus_public_hostname: 'nexus.vm'
nexus_public_scheme: httpsThe fully qualified domain name and scheme (https or http) by which the Nexus instance will be accessible to its clients.
API access for this role
nexus_api_hostname: localhost
nexus_api_scheme: http
nexus_api_validate_certs: "{{ nexus_api_scheme == 'https' }}"
nexus_api_context_path: "{{ nexus_default_context_path }}"
nexus_api_port: "{{ nexus_default_port }}"These variables control how the role connects to the Nexus API for provisioning.
For advanced users only. Chances are you don't want to change these default settings.
Reverse proxy setup
httpd_setup_enable: false
httpd_server_name: "{{ nexus_public_hostname }}"
httpd_default_admin_email: "[email protected]"
httpd_ssl_certificate_file: 'files/nexus.vm.crt'
httpd_ssl_certificate_key_file: 'files/nexus.vm.key'
# httpd_ssl_certificate_chain_file: "{{ httpd_ssl_certificate_file }}"
httpd_copy_ssl_files: trueSet .
To do this, you need to install httpd. Note: when for httpd_setup_enable set valuetrue, nexus binds to 127.0.0.1:8081, so not being directly accessible on HTTP port 8081 from an external IP address.
The default hostname to use is nexus_public_hostname. If you need different names for whatever reason, you can set httpd_server_name with a different meaning.
Π‘ httpd_copy_ssl_files: true (default) The above certificates must exist in your playbook directory and will be copied to the server and configured in apache.
If you want to use existing certificates on the server, install httpd_copy_ssl_files: false and provide the following variables:
# These specifies to the vhost where to find on the remote server file
# system the certificate files.
httpd_ssl_cert_file_location: "/etc/pki/tls/certs/wildcard.vm.crt"
httpd_ssl_cert_key_location: "/etc/pki/tls/private/wildcard.vm.key"
# httpd_ssl_cert_chain_file_location: "{{ httpd_ssl_cert_file_location }}"httpd_ssl_cert_chain_file_location is optional and should be left unset if you don't want to customize the chain file
httpd_default_admin_email: "[email protected]"Set default admin email address
LDAP Configuration
LDAP connections and security scope disabled by default
nexus_ldap_realm: false
ldap_connections: [], each element looks like this:
nexus_ldap_realm: true
ldap_connections:
- ldap_name: 'My Company LDAP' # used as a key to update the ldap config
ldap_protocol: 'ldaps' # ldap or ldaps
ldap_hostname: 'ldap.mycompany.com'
ldap_port: 636
ldap_use_trust_store: false # Wether or not to use certs in the nexus trust store
ldap_search_base: 'dc=mycompany,dc=net'
ldap_auth: 'none' # or simple
ldap_auth_username: 'username' # if auth = simple
ldap_auth_password: 'password' # if auth = simple
ldap_user_base_dn: 'ou=users'
ldap_user_filter: '(cn=*)' # (optional)
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_user_subtree: false
ldap_map_groups_as_roles: false
ldap_group_base_dn: 'ou=groups'
ldap_group_object_class: 'posixGroup'
ldap_group_id_attribute: 'cn'
ldap_group_member_attribute: 'memberUid'
ldap_group_member_format: '${username}'
ldap_group_subtree: falseExample LDAP configuration for anonymous authentication (anonymous bind), this is also a "minimal" configuration:
nexus_ldap_realm: true
ldap_connection:
- ldap_name: 'Simplest LDAP config'
ldap_protocol: 'ldaps'
ldap_hostname: 'annuaire.mycompany.com'
ldap_search_base: 'dc=mycompany,dc=net'
ldap_port: 636
ldap_use_trust_store: false
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_user_object_class: 'inetOrgPerson'Example LDAP configuration for simple authentication (using DSA account):
nexus_ldap_realm: true
ldap_connections:
- ldap_name: 'LDAP config with DSA'
ldap_protocol: 'ldaps'
ldap_hostname: 'annuaire.mycompany.com'
ldap_port: 636
ldap_use_trust_store: false
ldap_auth: 'simple'
ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
ldap_search_base: 'dc=mycompany,dc=net'
ldap_user_base_dn: 'ou=users'
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_user_subtree: falseExample LDAP configuration for simple authentication (using DSA account) + groups mapped as roles:
nexus_ldap_realm: true
ldap_connections
- ldap_name: 'LDAP config with DSA'
ldap_protocol: 'ldaps'
ldap_hostname: 'annuaire.mycompany.com'
ldap_port: 636
ldap_use_trust_store: false
ldap_auth: 'simple'
ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
ldap_search_base: 'dc=mycompany,dc=net'
ldap_user_base_dn: 'ou=users'
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_map_groups_as_roles: true
ldap_group_base_dn: 'ou=groups'
ldap_group_object_class: 'groupOfNames'
ldap_group_id_attribute: 'cn'
ldap_group_member_attribute: 'member'
ldap_group_member_format: 'uid=${username},ou=users,dc=mycompany,dc=net'
ldap_group_subtree: falseExample LDAP configuration for simple authentication (using DSA account) + groups dynamically mapped as roles:
nexus_ldap_realm: true
ldap_connections:
- ldap_name: 'LDAP config with DSA'
ldap_protocol: 'ldaps'
ldap_hostname: 'annuaire.mycompany.com'
ldap_port: 636
ldap_use_trust_store: false
ldap_auth: 'simple'
ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
ldap_search_base: 'dc=mycompany,dc=net'
ldap_user_base_dn: 'ou=users'
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_map_groups_as_roles: true
ldap_map_groups_as_roles_type: 'dynamic'
ldap_user_memberof_attribute: 'memberOf'Privilege
nexus_privileges:
- name: all-repos-read # used as key to update a privilege
# type: <one of application, repository-admin, repository-content-selector, repository-view, script or wildcard>
description: 'Read & Browse access to all repos'
repository: '*'
actions: # can be add, browse, create, delete, edit, read or * (all)
- read
- browse
# pattern: pattern
# domain: domain
# script_name: nameList for settings. Look at the documentation and GUI to check which variables should be set depending on the privilege type.
These elements are merged with the following defaults:
_nexus_privilege_defaults:
type: repository-view
format: maven2
actions:
- readRoles (meaning inside Nexus)
nexus_roles:
- id: Developpers # can map to a LDAP group id, also used as a key to update a role
name: developers
description: All developers
privileges:
- nx-search-read
- all-repos-read
roles: [] # references to other role namesList for settings.
Members
nexus_local_users: []
# - username: jenkins # used as key to update
# state: present # default value if ommited, use 'absent' to remove user
# first_name: Jenkins
# last_name: CI
# email: [email protected]
# password: "s3cr3t"
# roles:
# - developers # role IDLocal (non-LDAP) users/accounts list to create in nexus.
List of local (non-LDAP) users/accounts to create on Nexus.
nexus_ldap_users: []
# - username: j.doe
# state: present
# roles:
# - "nx-admin"Mapping Ldap users/roles. State absent will remove roles from an existing user if it already exists.
Ldap users are not deleted. Attempting to set a role for a non-existent user will result in an error.
Content selectors
nexus_content_selectors:
- name: docker-login
description: Selector for docker login privilege
search_expression: format=="docker" and path=~"/v2/"For more information about the content selector, see .
To use the content selector, add a new privilege with type: repository-content-selector and relevantcontentSelector
- name: docker-login-privilege
type: repository-content-selector
contentSelector: docker-login
description: 'Login to Docker registry'
repository: '*'
actions:
- read
- browseBlobstores and repositories
nexus_delete_default_repos: falseDelete the repositories from the nexus install initial default configuration. This step is only executed on first-time install (when nexus_data_dir has been detected empty).
Removing repositories from the original Nexus default configuration. This step is only performed during the first installation (when nexus_data_dir empty).
nexus_delete_default_blobstore: falseDelete the default blobstore from the nexus install initial default configuration. This can only be done if nexus_delete_default_repos: true and all configured repositories (see below) have an explicit blob_store: custom. This step is only executed on first-time install (when nexus_data_dir has been detected empty).
Deleting blob storage (binary artifacts) is disabled by default from the initial configuration. To remove blob storage (binary artifacts), turn off nexus_delete_default_repos: true. This step is only performed during the first installation (when nexus_data_dir empty).
nexus_blobstores: []
# example blobstore item :
# - name: separate-storage
# type: file
# path: /mnt/custom/path
# - name: s3-blobstore
# type: S3
# config:
# bucket: s3-blobstore
# accessKeyId: "{{ VAULT_ENCRYPTED_KEY_ID }}"
# secretAccessKey: "{{ VAULT_ENCRYPTED_ACCESS_KEY }}"to create. A blobstore path and a repository blobstore cannot be updated after initial creation (any update here will be ignored on re-provisionning).
Configuring blobstore on S3 is provided as a convenience and is not part of the automated tests we run on travis. Please note that storing on S3 is only recommended for instances deployed on AWS.
Creation . The repository path and repository repository cannot be updated after initial creation (any update here will be ignored on reinstallation).
Setting up blob storage on S3 is provided as a convenience. Please note that S3 storage is only recommended for instances deployed on AWS.
nexus_repos_maven_proxy:
- name: central
remote_url: 'https://repo1.maven.org/maven2/'
layout_policy: permissive
# maximum_component_age: -1
# maximum_metadata_age: 1440
# negative_cache_enabled: true
# negative_cache_ttl: 1440
- name: jboss
remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'
# maximum_component_age: -1
# maximum_metadata_age: 1440
# negative_cache_enabled: true
# negative_cache_ttl: 1440
# example with a login/password :
# - name: secret-remote-repo
# remote_url: 'https://company.com/repo/secure/private/go/away'
# remote_username: 'username'
# remote_password: 'secret'
# # maximum_component_age: -1
# # maximum_metadata_age: 1440
# # negative_cache_enabled: true
# # negative_cache_ttl: 1440Above configuration example Maven.
nexus_repos_maven_hosted:
- name: private-release
version_policy: release
write_policy: allow_once # one of "allow", "allow_once" or "deny"Maven configuration. Negative cache config is optionnal and will default to the above values ββif omitted.
Configuration Maven. The negative cache configuration (-1) is optional and will default to the above values ββif not specified.
nexus_repos_maven_group:
- name: public
member_repos:
- central
- jbossConfiguration Maven.
All three repository types are combined with the following defaults:
_nexus_repos_maven_defaults:
blob_store: default # Note : cannot be updated once the repo has been created
strict_content_validation: true
version_policy: release # release, snapshot or mixed
layout_policy: strict # strict or permissive
write_policy: allow_once # one of "allow", "allow_once" or "deny"
maximum_component_age: -1 # Nexus gui default. For proxies only
maximum_metadata_age: 1440 # Nexus gui default. For proxies only
negative_cache_enabled: true # Nexus gui default. For proxies only
negative_cache_ttl: 1440 # Nexus gui default. For proxies onlyDocker, Pypi, Raw, Rubygems, Bower, NPM, Git-LFS and yum repository types:
see defaults/main.yml for these options:
Docker, Pypi, Raw, Rubygems, Bower, NPM, Git-LFS and yum repositories are disabled by default:
See defaults/main.yml for these options:
nexus_config_pypi: false
nexus_config_docker: false
nexus_config_raw: false
nexus_config_rubygems: false
nexus_config_bower: false
nexus_config_npm: false
nexus_config_gitlfs: false
nexus_config_yum: falsePlease note that you may need to enable certain security areas if you want to use other types of repositories than maven. This is false by default.
nexus_nuget_api_key_realm: false
nexus_npm_bearer_token_realm: false
nexus_docker_bearer_token_realm: false # required for docker anonymous accessRemote User Realm can also be enabled using
nexus_rut_auth_realm: trueand the title can be customized by defining
nexus_rut_auth_header: "CUSTOM_HEADER"Scheduled Tasks
nexus_scheduled_tasks: []
# # Example task to compact blobstore :
# - name: compact-docker-blobstore
# cron: '0 0 22 * * ?'
# typeId: blobstore.compact
# task_alert_email: [email protected] # optional
# taskProperties:
# blobstoreName: {{ nexus_blob_names.docker.blob }} # all task attributes are stored as strings by nexus internally
# # Example task to purge maven snapshots
# - name: Purge-maven-snapshots
# cron: '0 50 23 * * ?'
# typeId: repository.maven.remove-snapshots
# task_alert_email: [email protected] # optional
# taskProperties:
# repositoryName: "*" # * for all repos. Change to a repository name if you only want a specific one
# minimumRetained: "2"
# snapshotRetentionDays: "2"
# gracePeriodInDays: "2"
# booleanTaskProperties:
# removeIfReleased: true
# # Example task to purge unused docker manifest and images
# - name: Purge unused docker manifests and images
# cron: '0 55 23 * * ?'
# typeId: "repository.docker.gc"
# task_alert_email: [email protected] # optional
# taskProperties:
# repositoryName: "*" # * for all repos. Change to a repository name if you only want a specific one
# # Example task to purge incomplete docker uploads
# - name: Purge incomplete docker uploads
# cron: '0 0 0 * * ?'
# typeId: "repository.docker.upload-purge"
# task_alert_email: [email protected] # optional
# taskProperties:
# age: "24" for settings. typeId and task-specifictaskProperties/booleanTaskProperties you can either guess:
- from the Java type hierarchy
org.sonatype.nexus.scheduling.TaskDescriptorSupport - validating the task creation HTML form in your browser
- from viewing AJAX requests in the browser while manually configuring the task.
Task properties must be declared in the correct yaml block depending on their type:
taskPropertiesfor all string properties (i.e. repository names, repository names, time periods...).booleanTaskPropertiesfor all boolean properties (i.e. basically checkboxes in the GUI of the nexus creation task).
Backups
nexus_backup_configure: false
nexus_backup_cron: '0 0 21 * * ?' # See cron expressions definition in nexus create task gui
nexus_backup_dir: '/var/nexus-backup'
nexus_restore_log: '{{ nexus_backup_dir }}/nexus-restore.log'
nexus_backup_rotate: false
nexus_backup_rotate_first: false
nexus_backup_keep_rotations: 4 # Keep 4 backup rotation by default (current + last 3)The backup will not be configured until you switch nexus_backup_configure Π² true.
In this case, the script scheduled task will be configured to run on the Nexus
at the interval specified in nexus_backup_cron (default 21:00 every day).
See the [groovy template for this task](templates / backup.groovy.j2) for details.
This scheduled task is independent of others nexus_scheduled_taskswhich you
announce in your playbook.
If you want to rotate/delete backups, install nexus_backup_rotate: true and set the number of backups you would like to keep with nexus_backup_keep_rotations (default 4).
When using rotation, if you want to save extra disk space during the backup process,
You can install nexus_backup_rotate_first: true. This will set up pre-rotation/removal before backup. By default, rotation occurs after the backup is created. Note than in this case old backups
will be deleted before the current backup is made.
Recovery procedure
Run playbook with parameter -e nexus_restore_point=<YYYY-MM-dd-HH-mm-ss>
(for example, 2017-12-17-21-00-00 for December 17, 2017 at 21:00
Removing nexus
Warning: this will completely delete the current data. Be sure to back up earlier if needed
Use a variable nexus_purgeif you need to restart from scratch and reinstall the nexus instance with all data removed.
ansible-playbook -i your/inventory.ini your_nexus_playbook.yml -e nexus_purge=trueChange administrator password after first installation
nexus_default_admin_password: 'admin123'This should not be changed in your playbook. This variable is populated with the default Nexus admin password on first install and ensures that we can change the admin password to nexus_admin_password.
If you want to change the administrator password after the first installation, you can temporarily change it to the old password from the command line. After the change nexus_admin_password in your playbook you can run:
ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_default_admin_password=oldPasswordTelegram channel for Nexus Sonatype:
Only registered users can participate in the survey. , you are welcome.
What artifact repositories do you use?
-
Sonatype Nexus Free
-
Sonatype Nexus paid
-
Artifactory free
-
Artifactory Paid
-
Harbor
-
Pulp
9 users voted. 3 users abstained.
Source: habr.com