Sonatype Nexus is an integrated platform with which developers can proxy, store and manage Java (Maven) dependencies, Docker, Python, Ruby, NPM and Bower images, RPM packages, gitlfs, Apt, Go and Nuget artifacts, and distribute their software.
Why do you need Sonatype Nexus?
- To store private artifacts.
- To cache artifacts downloaded from the Internet.
Artifacts supported by the basic Sonatype Nexus package:
- Java, Maven (jar)
- Docker
- Python (pip)
- Ruby (gems)
- NPM
- Bower
- Yum (rpm)
- gitlfs
- Raw
- Apt (deb)
- Go
- Nuget
Artifacts supported by the community:
- Composer
- Conda
- CPAN
- ELM
- Helm
- P2
- R
Installing Sonatype Nexus with https://github.com/ansible-ThoTeam/nexus3-oss
Requirements
- Read up on using ansible on the Internet.
- Install ansible:
```sh
pip install ansible
```
- On the workstation from which the playbook is run, install geerlingguy.java.
- On the workstation from which the playbook is run, install geerlingguy.apache.
- This role has been tested on CentOS 7, Ubuntu Xenial (16.04) and Bionic (18.04), Debian Jessie and Stretch.
- The jmespath library must be installed on the workstation from which the playbook is run. To install it:
```sh
sudo pip install -r requirements.txt
```
- Save the playbook file (example below) as nexus.yml.
- Run the Nexus install:
```sh
ansible-playbook -i host nexus.yml
```
Example ansible playbook that installs Nexus without LDAP, with Maven (java), Docker, Python, Ruby, NPM, Bower, RPM and gitlfs repositories:
```yaml
---
- name: Nexus
  hosts: nexus
  become: yes
  vars:
    nexus_timezone: 'Asia/Omsk'
    nexus_admin_password: "admin123"
    nexus_public_hostname: 'apatsev-nexus-playbook'
    httpd_setup_enable: false
    nexus_privileges:
      - name: all-repos-read
        description: 'Read & Browse access to all repos'
        repository: '*'
        actions:
          - read
          - browse
      - name: company-project-deploy
        description: 'Deployments to company-project'
        repository: company-project
        actions:
          - add
          - edit
    nexus_roles:
      - id: Developpers # maps to the LDAP group
        name: developers
        description: All developers
        privileges:
          - nx-search-read
          - all-repos-read
          - company-project-deploy
        roles: []
    nexus_local_users:
      - username: jenkins # used as key to update
        first_name: Jenkins
        last_name: CI
        email: [email protected]
        password: "s3cr3t"
        roles:
          - Developpers # role ID here
    nexus_blobstores:
      - name: company-artifacts
        path: /var/nexus/blobs/company-artifacts
    nexus_scheduled_tasks:
      - name: compact-blobstore
        cron: '0 0 22 * * ?'
        typeId: blobstore.compact
        taskProperties:
          blobstoreName: 'company-artifacts'
    nexus_repos_maven_proxy:
      - name: central
        remote_url: 'https://repo1.maven.org/maven2/'
        layout_policy: permissive
      - name: jboss
        remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'
      - name: vaadin-addons
        remote_url: 'https://maven.vaadin.com/vaadin-addons/'
      - name: jaspersoft
        remote_url: 'https://jaspersoft.artifactoryonline.com/jaspersoft/jaspersoft-repo/'
        version_policy: mixed
    nexus_repos_maven_hosted:
      - name: company-project
        version_policy: mixed
        write_policy: allow
        blob_store: company-artifacts
    nexus_repos_maven_group:
      - name: public
        member_repos:
          - central
          - jboss
          - vaadin-addons
          - jaspersoft
    # Yum. Set nexus_config_yum to true to create yum repositories
    nexus_config_yum: true
    nexus_repos_yum_hosted:
      - name: private_yum_centos_7
        repodata_depth: 1
    nexus_repos_yum_proxy:
      - name: epel_centos_7_x86_64
        remote_url: http://download.fedoraproject.org/pub/epel/7/x86_64
        maximum_component_age: -1
        maximum_metadata_age: -1
        negative_cache_ttl: 60
      - name: centos-7-os-x86_64
        remote_url: http://mirror.centos.org/centos/7/os/x86_64/
        maximum_component_age: -1
        maximum_metadata_age: -1
        negative_cache_ttl: 60
    nexus_repos_yum_group:
      - name: yum_all
        member_repos:
          - private_yum_centos_7
          - epel_centos_7_x86_64
    # NPM. Set nexus_config_npm to true to create npm repositories
    nexus_config_npm: true
    nexus_repos_npm_hosted: []
    nexus_repos_npm_group:
      - name: npm-public
        member_repos:
          - npm-registry
    nexus_repos_npm_proxy:
      - name: npm-registry
        remote_url: https://registry.npmjs.org/
        negative_cache_enabled: false
    # Docker. Set nexus_config_docker to true to create docker repositories
    nexus_config_docker: true
    nexus_repos_docker_hosted:
      - name: docker-hosted
        http_port: "{{ nexus_docker_hosted_port }}"
        v1_enabled: True
    nexus_repos_docker_proxy:
      - name: docker-proxy
        http_port: "{{ nexus_docker_proxy_port }}"
        v1_enabled: True
        index_type: "HUB"
        remote_url: "https://registry-1.docker.io"
        use_nexus_certificates_to_access_index: false
        maximum_component_age: 1440
        maximum_metadata_age: 1440
        negative_cache_enabled: true
        negative_cache_ttl: 1440
    nexus_repos_docker_group:
      - name: docker-group
        http_port: "{{ nexus_docker_group_port }}"
        v1_enabled: True
        member_repos:
          - docker-hosted
          - docker-proxy
    # Bower. Set nexus_config_bower to true to create bower repositories
    nexus_config_bower: true
    nexus_repos_bower_hosted:
      - name: bower-hosted
    nexus_repos_bower_proxy:
      - name: bower-proxy
        index_type: "proxy"
        remote_url: "https://registry.bower.io"
        use_nexus_certificates_to_access_index: false
        maximum_component_age: 1440
        maximum_metadata_age: 1440
        negative_cache_enabled: true
        negative_cache_ttl: 1440
    nexus_repos_bower_group:
      - name: bower-group
        member_repos:
          - bower-hosted
          - bower-proxy
    # Pypi. Set nexus_config_pypi to true to create pypi repositories
    nexus_config_pypi: true
    nexus_repos_pypi_hosted:
      - name: pypi-hosted
    nexus_repos_pypi_proxy:
      - name: pypi-proxy
        index_type: "proxy"
        remote_url: "https://pypi.org/"
        use_nexus_certificates_to_access_index: false
        maximum_component_age: 1440
        maximum_metadata_age: 1440
        negative_cache_enabled: true
        negative_cache_ttl: 1440
    nexus_repos_pypi_group:
      - name: pypi-group
        member_repos:
          - pypi-hosted
          - pypi-proxy
    # rubygems. Set nexus_config_rubygems to true to create rubygems repositories
    nexus_config_rubygems: true
    nexus_repos_rubygems_hosted:
      - name: rubygems-hosted
    nexus_repos_rubygems_proxy:
      - name: rubygems-proxy
        index_type: "proxy"
        remote_url: "https://rubygems.org"
        use_nexus_certificates_to_access_index: false
        maximum_component_age: 1440
        maximum_metadata_age: 1440
        negative_cache_enabled: true
        negative_cache_ttl: 1440
    nexus_repos_rubygems_group:
      - name: rubygems-group
        member_repos:
          - rubygems-hosted
          - rubygems-proxy
    # gitlfs. Set nexus_config_gitlfs to true to create gitlfs repositories
    nexus_config_gitlfs: true
    nexus_repos_gitlfs_hosted:
      - name: gitlfs-hosted
  roles:
    - { role: geerlingguy.java }
    # Debian/Ubuntu only
    # - { role: geerlingguy.apache, apache_create_vhosts: no, apache_mods_enabled: ["proxy_http.load", "headers.load"], apache_remove_default_vhost: true, tags: ["geerlingguy.apache"] }
    # RedHat/CentOS only
    - { role: geerlingguy.apache, apache_create_vhosts: no, apache_remove_default_vhost: true, tags: ["geerlingguy.apache"] }
    - { role: ansible-thoteam.nexus3-oss, tags: ['ansible-thoteam.nexus3-oss'] }
```
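The playbook above is a working starting point, but several of its values are the kind a reviewer would flag before it reaches production: literal passwords in vars, a public scheme of plain http, proxies fetching upstream packages over http, a hosted repository with write_policy: allow, and the legacy Docker v1 API enabled. The script below is an added example (it is not part of the nexus3-oss role or of the article) that runs such checks over a playbook's vars. The sample dict is a constructed subset of the playbook; the convention that a secret is only considered protected when it references a vault_* variable (as the LDAP examples on this page do) is an assumption of the script.

```python
"""Static review of nexus3-oss role variables (added example; not code from the
role or the article). Takes the playbook `vars` as a dict and returns findings.
Assumption: secrets count as protected only when they reference a vault_*
variable, the convention used by the LDAP examples on this page."""
import re

# Constructed sample: a subset of the playbook on this page, as a Python dict.
SAMPLE_VARS = {
    "nexus_admin_password": "admin123",
    "nexus_anonymous_access": False,
    "nexus_public_scheme": "http",
    "nexus_local_users": [
        {"username": "jenkins", "password": "s3cr3t", "roles": ["Developpers"]},
    ],
    "ldap_connections": [
        {"ldap_name": "corp", "ldap_protocol": "ldap",
         "ldap_auth": "simple", "ldap_auth_password": "password"},
    ],
    "nexus_repos_maven_proxy": [
        {"name": "central", "remote_url": "https://repo1.maven.org/maven2/"},
    ],
    "nexus_repos_yum_proxy": [
        {"name": "epel_centos_7_x86_64",
         "remote_url": "http://download.fedoraproject.org/pub/epel/7/x86_64"},
    ],
    "nexus_repos_maven_hosted": [
        {"name": "company-project", "version_policy": "mixed", "write_policy": "allow"},
    ],
    "nexus_repos_docker_hosted": [{"name": "docker-hosted", "v1_enabled": True}],
}

VAULT_REF = re.compile(r"^\{\{\s*vault_\w+\s*\}\}$")


def is_vaulted(value):
    """True when a secret is a Jinja reference to a vault_* variable, e.g.
    "{{ vault_ldap_dsa_password }}", rather than a literal string."""
    return isinstance(value, str) and VAULT_REF.match(value.strip()) is not None


def check_vars(v):
    findings = []
    # Literal secrets end up in plain text in the playbook (and in git history).
    if not is_vaulted(v.get("nexus_admin_password", "")):
        findings.append("nexus_admin_password: literal value, use a vault_* variable")
    for user in v.get("nexus_local_users", []):
        if "password" in user and not is_vaulted(user["password"]):
            findings.append(f"nexus_local_users/{user['username']}: literal password")
    for conn in v.get("ldap_connections", []):
        if conn.get("ldap_auth") == "simple" and not is_vaulted(conn.get("ldap_auth_password", "")):
            findings.append(f"ldap_connections/{conn['ldap_name']}: literal bind password")
        if conn.get("ldap_protocol") != "ldaps":
            findings.append(f"ldap_connections/{conn['ldap_name']}: not using ldaps")
    # Transport and exposure of the instance itself.
    if v.get("nexus_public_scheme", "https") != "https":
        findings.append("nexus_public_scheme: clients are told to use plain http")
    if v.get("nexus_anonymous_access", False):
        findings.append("nexus_anonymous_access: enabled")
    for key, repos in v.items():
        # Upstream artifacts fetched over http can be altered in transit.
        if key.startswith("nexus_repos_") and key.endswith("_proxy"):
            for repo in repos:
                if repo.get("remote_url", "").startswith("http://"):
                    findings.append(f"{key}/{repo['name']}: remote_url uses plain http")
        # write_policy: allow lets an already published release be overwritten.
        if key.startswith("nexus_repos_") and key.endswith("_hosted"):
            for repo in repos:
                if repo.get("write_policy") == "allow" and repo.get("version_policy", "release") != "snapshot":
                    findings.append(f"{key}/{repo['name']}: write_policy allow on non-snapshot repo")
    # The Docker v1 registry API is legacy; leave it off unless a client needs it.
    for key in ("nexus_repos_docker_hosted", "nexus_repos_docker_proxy", "nexus_repos_docker_group"):
        for repo in v.get(key, []):
            if repo.get("v1_enabled"):
                findings.append(f"{key}/{repo['name']}: v1_enabled")
    return findings


if __name__ == "__main__":
    for line in check_vars(SAMPLE_VARS):
        print(line)
```

Run against the sample it reports eight findings; feeding it the vars of your own playbook (for example after loading the YAML) gives a quick pre-commit review of the same points.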
Screenshot:
Role variables
Variables with default values (from defaults/main.yml):
General variables
```yaml
nexus_version: ''
nexus_timezone: 'UTC'
```
By default, the role installs the latest available version of Nexus. You can pin a version by setting the nexus_version variable; see the list of available versions. If you change to a newer version, the role will try to upgrade the Nexus installation.
If you use a version of Nexus older than the latest, make sure you are not using features that are unavailable in the installed release (for example, hosting yum repositories requires Nexus 3.8.0 or later, git lfs repositories require Nexus 3.3.0 or later, and so on).
nexus_timezone is a Java timezone name. It is useful in combination with the cron expressions of the nexus_scheduled_tasks below.
Nexus port and context path
```yaml
nexus_default_port: 8081
nexus_default_context_path: '/'
```
Port and context path of the Java listening process. When set, nexus_default_context_path must include a trailing slash, for example nexus_default_context_path: '/nexus/'.
Nexus OS user and group
```yaml
nexus_os_group: 'nexus'
nexus_os_user: 'nexus'
```
The user and group used to own the Nexus files and to run the service. They are created by the role if missing.
```yaml
nexus_os_user_home_dir: '/home/nexus'
```
Allows changing the default home directory of the nexus user.
Nexus instance directories
```yaml
nexus_installation_dir: '/opt'
nexus_data_dir: '/var/nexus'
nexus_tmp_dir: "{{ (ansible_os_family == 'RedHat') | ternary('/var/nexus-tmp', '/tmp/nexus') }}"
```
Nexus directories: nexus_installation_dir contains the installed executable; nexus_data_dir contains all configuration, repositories and uploaded artifacts (custom blobstore paths outside nexus_data_dir can be customized, see nexus_blobstores below); nexus_tmp_dir contains all temporary files. The default path on RedHat has been moved out of /tmp to overcome potential problems with the automatic cleaning procedures; see #168.
Configuring Nexus JVM memory usage
```yaml
nexus_min_heap_size: "1200M"
nexus_max_heap_size: "{{ nexus_min_heap_size }}"
nexus_max_direct_memory: "2G"
```
These are the Nexus defaults. Do not change these values unless you have read Sonatype's documentation on JVM memory settings. As a further warning, here is an excerpt from that document:
Increasing the JVM heap memory beyond the recommended values in an attempt to improve performance is not recommended. This can actually have the opposite effect, causing the operating system to work unnecessarily hard.
Admin password
```yaml
nexus_admin_password: 'changeme'
```
The password of the 'admin' account used for setup. This only works on the first default install. If you want to change the admin password later with the role, see [Change admin password after first install](#change-admin-password-after-first-install).
This password is stored in plain text in the playbook; it should be protected with ansible-vault encryption.
Anonymous access by default
```yaml
nexus_anonymous_access: false
```
Anonymous access is disabled by default (see the Nexus documentation for details).
Public hostname
```yaml
nexus_public_hostname: 'nexus.vm'
nexus_public_scheme: https
```
The fully qualified domain name and scheme (https or http) under which clients will reach the Nexus instance.
API access for this role
```yaml
nexus_api_hostname: localhost
nexus_api_scheme: http
nexus_api_validate_certs: "{{ nexus_api_scheme == 'https' }}"
nexus_api_context_path: "{{ nexus_default_context_path }}"
nexus_api_port: "{{ nexus_default_port }}"
```
These variables control how the role connects to the Nexus API for provisioning. They are intended for advanced users only; you most likely do not want to change these defaults.
Reverse proxy settings
```yaml
httpd_setup_enable: false
httpd_server_name: "{{ nexus_public_hostname }}"
httpd_default_admin_email: "[email protected]"
httpd_ssl_certificate_file: 'files/nexus.vm.crt'
httpd_ssl_certificate_key_file: 'files/nexus.vm.key'
# httpd_ssl_certificate_chain_file: "{{ httpd_ssl_certificate_file }}"
httpd_copy_ssl_files: true
```
Sets up an SSL reverse proxy. This requires httpd to be installed. Note: when httpd_setup_enable is set to true, nexus binds to 127.0.0.1:8081 and is therefore not directly reachable on HTTP port 8081 from an external IP address.
The default server name used is nexus_public_hostname. If for some reason you need a different name, you can set httpd_server_name to a different value.
With httpd_copy_ssl_files: true (the default), the certificates above must exist in the playbook directory; they are copied to the server and configured in Apache.
To use certificates that already exist on the server, set httpd_copy_ssl_files: false and specify the following variables:
```yaml
# These specify to the vhost where to find the certificate files
# on the remote server's file system.
httpd_ssl_cert_file_location: "/etc/pki/tls/certs/wildcard.vm.crt"
httpd_ssl_cert_key_location: "/etc/pki/tls/private/wildcard.vm.key"
# httpd_ssl_cert_chain_file_location: "{{ httpd_ssl_cert_file_location }}"
```
httpd_ssl_cert_chain_file_location is optional and must be left unset if you do not want to customize the chain file.
```yaml
httpd_default_admin_email: "[email protected]"
```
Sets the default admin email address.
LDAP configuration
LDAP connections and the LDAP security realm are disabled by default:
```yaml
nexus_ldap_realm: false
ldap_connections: []
```
Each connection accepts the following options:
```yaml
nexus_ldap_realm: true
ldap_connections:
  - ldap_name: 'My Company LDAP' # used as a key to update the ldap config
    ldap_protocol: 'ldaps' # ldap or ldaps
    ldap_hostname: 'ldap.mycompany.com'
    ldap_port: 636
    ldap_use_trust_store: false # Whether or not to use certs in the nexus trust store
    ldap_search_base: 'dc=mycompany,dc=net'
    ldap_auth: 'none' # or simple
    ldap_auth_username: 'username' # if auth = simple
    ldap_auth_password: 'password' # if auth = simple
    ldap_user_base_dn: 'ou=users'
    ldap_user_filter: '(cn=*)' # (optional)
    ldap_user_object_class: 'inetOrgPerson'
    ldap_user_id_attribute: 'uid'
    ldap_user_real_name_attribute: 'cn'
    ldap_user_email_attribute: 'mail'
    ldap_user_subtree: false
    ldap_map_groups_as_roles: false
    ldap_group_base_dn: 'ou=groups'
    ldap_group_object_class: 'posixGroup'
    ldap_group_id_attribute: 'cn'
    ldap_group_member_attribute: 'memberUid'
    ldap_group_member_format: '${username}'
    ldap_group_subtree: false
```
Example LDAP configuration for anonymous authentication (anonymous binding); this is the minimal configuration:
```yaml
nexus_ldap_realm: true
ldap_connections:
  - ldap_name: 'Simplest LDAP config'
    ldap_protocol: 'ldaps'
    ldap_hostname: 'annuaire.mycompany.com'
    ldap_search_base: 'dc=mycompany,dc=net'
    ldap_port: 636
    ldap_use_trust_store: false
    ldap_user_id_attribute: 'uid'
    ldap_user_real_name_attribute: 'cn'
    ldap_user_email_attribute: 'mail'
    ldap_user_object_class: 'inetOrgPerson'
```
Example LDAP configuration for simple authentication (using a DSA account):
```yaml
nexus_ldap_realm: true
ldap_connections:
  - ldap_name: 'LDAP config with DSA'
    ldap_protocol: 'ldaps'
    ldap_hostname: 'annuaire.mycompany.com'
    ldap_port: 636
    ldap_use_trust_store: false
    ldap_auth: 'simple'
    ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
    ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
    ldap_search_base: 'dc=mycompany,dc=net'
    ldap_user_base_dn: 'ou=users'
    ldap_user_object_class: 'inetOrgPerson'
    ldap_user_id_attribute: 'uid'
    ldap_user_real_name_attribute: 'cn'
    ldap_user_email_attribute: 'mail'
    ldap_user_subtree: false
```
Example LDAP configuration with simple authentication (using a DSA account) and groups mapped as roles:
```yaml
nexus_ldap_realm: true
ldap_connections:
  - ldap_name: 'LDAP config with DSA'
    ldap_protocol: 'ldaps'
    ldap_hostname: 'annuaire.mycompany.com'
    ldap_port: 636
    ldap_use_trust_store: false
    ldap_auth: 'simple'
    ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
    ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
    ldap_search_base: 'dc=mycompany,dc=net'
    ldap_user_base_dn: 'ou=users'
    ldap_user_object_class: 'inetOrgPerson'
    ldap_user_id_attribute: 'uid'
    ldap_user_real_name_attribute: 'cn'
    ldap_user_email_attribute: 'mail'
    ldap_map_groups_as_roles: true
    ldap_group_base_dn: 'ou=groups'
    ldap_group_object_class: 'groupOfNames'
    ldap_group_id_attribute: 'cn'
    ldap_group_member_attribute: 'member'
    ldap_group_member_format: 'uid=${username},ou=users,dc=mycompany,dc=net'
    ldap_group_subtree: false
```
Example LDAP configuration with simple authentication (using a DSA account) and groups dynamically mapped as roles:
```yaml
nexus_ldap_realm: true
ldap_connections:
  - ldap_name: 'LDAP config with DSA'
    ldap_protocol: 'ldaps'
    ldap_hostname: 'annuaire.mycompany.com'
    ldap_port: 636
    ldap_use_trust_store: false
    ldap_auth: 'simple'
    ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
    ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
    ldap_search_base: 'dc=mycompany,dc=net'
    ldap_user_base_dn: 'ou=users'
    ldap_user_object_class: 'inetOrgPerson'
    ldap_user_id_attribute: 'uid'
    ldap_user_real_name_attribute: 'cn'
    ldap_user_email_attribute: 'mail'
    ldap_map_groups_as_roles: true
    ldap_map_groups_as_roles_type: 'dynamic'
    ldap_user_memberof_attribute: 'memberOf'
```
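The two group-mapping modes above decide which Nexus role ids a directory user receives, and those ids are what the nexus_roles list below binds to privileges. The following Python is an added example (a simplified model of the behaviour, not Nexus or role code) that applies both modes to constructed directory entries under dc=mycompany,dc=net: static mapping matches a group's member attribute against ldap_group_member_format with ${username} substituted, dynamic mapping reads the user's memberOf attribute, and a resolver then flattens role ids into privileges through nested role references. The entries, group names and the nexus_roles subset are constructed for the example.

```python
"""How LDAP groups become Nexus role ids and privileges (added example; a
simplified model of the behaviour described on this page, not Nexus' code)."""
from string import Template

# Constructed directory entries mirroring the dc=mycompany,dc=net examples above.
USERS = {
    "jdoe": {"dn": "uid=jdoe,ou=users,dc=mycompany,dc=net",
             "memberOf": ["cn=developers,ou=groups,dc=mycompany,dc=net"]},
    "svc": {"dn": "uid=svc,ou=users,dc=mycompany,dc=net", "memberOf": []},
}
GROUP_OF_NAMES = [  # groupOfNames: member holds full DNs (static example above)
    {"cn": "developers", "member": ["uid=jdoe,ou=users,dc=mycompany,dc=net"]},
    {"cn": "nx-admin", "member": ["uid=alice,ou=users,dc=mycompany,dc=net"]},
]
POSIX_GROUPS = [  # posixGroup: memberUid holds bare usernames (the role defaults)
    {"cn": "developers", "memberUid": ["jdoe", "svc"]},
]
NEXUS_ROLES = [  # constructed subset of a nexus_roles list; ids match LDAP group ids
    {"id": "developers", "privileges": ["nx-search-read", "all-repos-read"], "roles": []},
    {"id": "nx-admin", "privileges": ["nx-all"], "roles": []},
]


def static_roles(username, groups, member_attribute, member_format):
    """Static mapping: the user belongs to a group when the group's member
    attribute contains ldap_group_member_format with ${username} filled in."""
    needle = Template(member_format).safe_substitute(username=username)
    return sorted(g["cn"] for g in groups if needle in g.get(member_attribute, []))


def dynamic_roles(username, users, memberof_attribute="memberOf"):
    """Dynamic mapping: role ids are the RDN values of the user's memberOf DNs."""
    roles = []
    for dn in users[username].get(memberof_attribute, []):
        rdn = dn.split(",", 1)[0]              # "cn=developers"
        roles.append(rdn.split("=", 1)[1])
    return sorted(roles)


def effective_privileges(role_ids, nexus_roles):
    """Flatten role ids into privileges, following nested `roles` references.
    Ids with no matching Nexus role grant nothing."""
    by_id = {r["id"]: r for r in nexus_roles}
    seen, privileges, stack = set(), set(), list(role_ids)
    while stack:
        rid = stack.pop()
        if rid in seen or rid not in by_id:
            continue
        seen.add(rid)
        privileges.update(by_id[rid]["privileges"])
        stack.extend(by_id[rid].get("roles", []))
    return sorted(privileges)
```

The two modes agree on jdoe here, but they answer different questions: static mapping trusts the group entries, dynamic mapping trusts the user's memberOf overlay, so a directory where the two disagree will hand out different privileges depending on ldap_map_groups_as_roles_type.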
Privileges
```yaml
nexus_privileges:
  - name: all-repos-read # used as key to update a privilege
    # type: <one of application, repository-admin, repository-content-selector, repository-view, script or wildcard>
    description: 'Read & Browse access to all repos'
    repository: '*'
    actions: # can be add, browse, create, delete, edit, read or * (all)
      - read
      - browse
    # pattern: pattern
    # domain: domain
    # script_name: name
```
List of privileges to set up. Each element is combined with the following defaults:
```yaml
_nexus_privilege_defaults:
  type: repository-view
  format: maven2
  actions:
    - read
```
Roles (meaning roles inside Nexus)
```yaml
nexus_roles:
  - id: Developpers # can map to a LDAP group id, also used as a key to update a role
    name: developers
    description: All developers
    privileges:
      - nx-search-read
      - all-repos-read
    roles: [] # references to other role names
```
List of roles to set up.
Users
```yaml
nexus_local_users: []
  # - username: jenkins # used as key to update
  #   state: present # default value if omitted, use 'absent' to remove user
  #   first_name: Jenkins
  #   last_name: CI
  #   email: [email protected]
  #   password: "s3cr3t"
  #   roles:
  #     - developers # role ID
```
List of local (non-LDAP) users/accounts to create in Nexus.
```yaml
nexus_ldap_users: []
# - username: j.doe
#   state: present
#   roles:
#     - "nx-admin"
```
LDAP user/role mappings. state: absent removes the roles from the user if it already exists. LDAP users are never removed. Trying to set roles on a non-existent user raises an error.
Content selectors
```yaml
nexus_content_selectors:
  - name: docker-login
    description: Selector for docker login privilege
    search_expression: format=="docker" and path=~"/v2/"
```
For more information on content selectors, see the Nexus documentation.
To use a content selector, add a new privilege with type: repository-content-selector and the relevant contentSelector:
```yaml
- name: docker-login-privilege
  type: repository-content-selector
  contentSelector: docker-login
  description: 'Login to Docker registry'
  repository: '*'
  actions:
    - read
    - browse
```
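A content-selector privilege only applies to assets the selector expression matches, so it helps to see the expression evaluated. The following is an added example (not Nexus or role code): a small evaluator for the subset of the selector language used on this page (==, !=, =~ regex, =^ starts-with, and, or, parentheses), run against constructed asset paths. The regex operator is assumed to match the whole value, like Java's String.matches(), which is why path=~"/v2/" matches only the /v2/ ping path a docker login hits and not every path under it.

```python
"""Evaluator for the content-selector subset used on this page (added example,
not Nexus code). Assumption: =~ is a whole-value regex match, Java-style."""
import re

# Constructed asset attributes the selector would be evaluated against.
SAMPLE_ASSETS = [
    {"format": "docker", "path": "/v2/"},
    {"format": "docker", "path": "/v2/library/nginx/manifests/latest"},
    {"format": "maven2", "path": "/com/company/app/1.0/app-1.0.jar"},
]

TOKEN = re.compile(r'\s*(?:(\()|(\))|(==|!=|=~|=\^)|("(?:[^"\\]|\\.)*")|([A-Za-z_][\w.]*))')
OPERATORS = ("==", "!=", "=~", "=^")


def tokenize(text):
    """Split a selector into (kind, value) tokens; rejects characters outside the grammar."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m or m.end() == pos:
            raise ValueError(f"bad selector near {text[pos:pos + 10]!r}")
        pos = m.end()
        lparen, rparen, op, string, ident = m.groups()
        if lparen or rparen or op:
            tokens.append(("op", lparen or rparen or op))
        elif string:
            tokens.append(("str", string[1:-1]))
        else:
            tokens.append(("kw", ident) if ident in ("and", "or") else ("attr", ident))
    return tokens


class Parser:
    """Recursive descent: expr := term ('or' term)*, term := factor ('and' factor)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self):
        node = self.term()
        while self.peek() == ("kw", "or"):
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == ("kw", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        kind, val = self.take()
        if (kind, val) == ("op", "("):
            node = self.expr()
            if self.take() != ("op", ")"):
                raise ValueError("missing closing parenthesis")
            return node
        if kind != "attr":
            raise ValueError(f"expected attribute, got {val!r}")
        okind, op = self.take()
        skind, s = self.take()
        if okind != "op" or op not in OPERATORS or skind != "str":
            raise ValueError('expected <attribute> <operator> "<string>"')
        return ("cmp", op, val, s)


def parse(text):
    p = Parser(tokenize(text))
    node = p.expr()
    if p.i != len(p.toks):
        raise ValueError("unexpected trailing tokens")
    return node


def matches(node, asset):
    """Evaluate a parsed selector against one asset's attributes."""
    if node[0] == "and":
        return matches(node[1], asset) and matches(node[2], asset)
    if node[0] == "or":
        return matches(node[1], asset) or matches(node[2], asset)
    _, op, attr, s = node
    value = str(asset.get(attr, ""))
    if op == "==":
        return value == s
    if op == "!=":
        return value != s
    if op == "=^":
        return value.startswith(s)
    return re.fullmatch(s, value) is not None   # "=~": whole-value regex (assumed)


def select(selector, assets):
    """Return the paths of the assets a selector grants access to."""
    node = parse(selector)
    return [a["path"] for a in assets if matches(node, a)]
```

With the page's docker-login selector, only the /v2/ ping path is selected, which is exactly the scope the docker-login-privilege needs; widening the regex to "/v2/.*" would extend the privilege to every image path, so the test of a selector is always which assets it lets through, not whether it parses.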
Blobstores and repositories
```yaml
nexus_delete_default_repos: false
```
Deletes the repositories configured by default on the initial nexus install. This step is only executed on first install (when nexus_data_dir is detected as empty).
```yaml
nexus_delete_default_blobstore: false
```
Deletes the default blobstore configured by default on the initial nexus install. This can only be done if nexus_delete_default_repos: true and all configured repositories (see below) have an explicit blob_store: custom. This step is only executed on first install (when nexus_data_dir is detected as empty).
```yaml
nexus_blobstores: []
# example blobstore item :
# - name: separate-storage
#   type: file
#   path: /mnt/custom/path
# - name: s3-blobstore
#   type: S3
#   config:
#     bucket: s3-blobstore
#     accessKeyId: "{{ VAULT_ENCRYPTED_KEY_ID }}"
#     secretAccessKey: "{{ VAULT_ENCRYPTED_ACCESS_KEY }}"
```
Configuring blobstores on S3 is provided for convenience and is not part of the automated tests run on travis. Note that storing on S3 is only recommended for instances deployed on AWS.
```yaml
nexus_repos_maven_proxy:
  - name: central
    remote_url: 'https://repo1.maven.org/maven2/'
    layout_policy: permissive
    # maximum_component_age: -1
    # maximum_metadata_age: 1440
    # negative_cache_enabled: true
    # negative_cache_ttl: 1440
  - name: jboss
    remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'
    # maximum_component_age: -1
    # maximum_metadata_age: 1440
    # negative_cache_enabled: true
    # negative_cache_ttl: 1440
  # example with a login/password :
  # - name: secret-remote-repo
  #   remote_url: 'https://company.com/repo/secure/private/go/away'
  #   remote_username: 'username'
  #   remote_password: 'secret'
  #   # maximum_component_age: -1
  #   # maximum_metadata_age: 1440
  #   # negative_cache_enabled: true
  #   # negative_cache_ttl: 1440
```
Maven proxy repositories configuration (the above is an example).
```yaml
nexus_repos_maven_hosted:
  - name: private-release
    version_policy: release
    write_policy: allow_once # one of "allow", "allow_once" or "deny"
```
Maven hosted repositories configuration.
```yaml
nexus_repos_maven_group:
  - name: public
    member_repos:
      - central
      - jboss
```
Maven group repositories configuration.
All of these repository types are combined with the following defaults:
```yaml
_nexus_repos_maven_defaults:
  blob_store: default # Note : cannot be updated once the repo has been created
  strict_content_validation: true
  version_policy: release # release, snapshot or mixed
  layout_policy: strict # strict or permissive
  write_policy: allow_once # one of "allow", "allow_once" or "deny"
  maximum_component_age: -1 # Nexus gui default. For proxies only
  maximum_metadata_age: 1440 # Nexus gui default. For proxies only
  negative_cache_enabled: true # Nexus gui default. For proxies only
  negative_cache_ttl: 1440 # Nexus gui default. For proxies only
```
The Docker, Pypi, Raw, Rubygems, Bower, NPM, Git-LFS and yum repository types are disabled by default. See defaults/main.yml for their options:
```yaml
nexus_config_pypi: false
nexus_config_docker: false
nexus_config_raw: false
nexus_config_rubygems: false
nexus_config_bower: false
nexus_config_npm: false
nexus_config_gitlfs: false
nexus_config_yum: false
```
Note that if you use repository types other than Maven, you may need to enable the corresponding security realms. These are false by default:
```yaml
nexus_nuget_api_key_realm: false
nexus_npm_bearer_token_realm: false
nexus_docker_bearer_token_realm: false # required for docker anonymous access
```
The Remote User realm can be enabled with:
```yaml
nexus_rut_auth_realm: true
```
and the header can be customized by defining:
```yaml
nexus_rut_auth_header: "CUSTOM_HEADER"
```
Scheduled tasks
```yaml
nexus_scheduled_tasks: []
#  # Example task to compact blobstore :
#  - name: compact-docker-blobstore
#    cron: '0 0 22 * * ?'
#    typeId: blobstore.compact
#    task_alert_email: [email protected] # optional
#    taskProperties:
#      blobstoreName: {{ nexus_blob_names.docker.blob }} # all task attributes are stored as strings by nexus internally
#  # Example task to purge maven snapshots
#  - name: Purge-maven-snapshots
#    cron: '0 50 23 * * ?'
#    typeId: repository.maven.remove-snapshots
#    task_alert_email: [email protected] # optional
#    taskProperties:
#      repositoryName: "*" # * for all repos. Change to a repository name if you only want a specific one
#      minimumRetained: "2"
#      snapshotRetentionDays: "2"
#      gracePeriodInDays: "2"
#    booleanTaskProperties:
#      removeIfReleased: true
#  # Example task to purge unused docker manifest and images
#  - name: Purge unused docker manifests and images
#    cron: '0 55 23 * * ?'
#    typeId: "repository.docker.gc"
#    task_alert_email: [email protected] # optional
#    taskProperties:
#      repositoryName: "*" # * for all repos. Change to a repository name if you only want a specific one
#  # Example task to purge incomplete docker uploads
#  - name: Purge incomplete docker uploads
#    cron: '0 0 0 * * ?'
#    typeId: "repository.docker.upload-purge"
#    task_alert_email: [email protected] # optional
#    taskProperties:
#      age: "24"
```
The typeId and the task-specific taskProperties/booleanTaskProperties can be guessed from:
- the Java type hierarchy of org.sonatype.nexus.scheduling.TaskDescriptorSupport
- inspecting the HTML task creation form in your browser
- watching the AJAX requests in your browser when configuring a task manually.
Task properties must be declared in the correct yaml block according to their type: taskProperties for all string properties (i.e. repository names, time periods and so on) and booleanTaskProperties for all boolean properties (i.e. mainly the checkboxes in the nexus create-task GUI).
Backups
```yaml
nexus_backup_configure: false
nexus_backup_cron: '0 0 21 * * ?' # See cron expressions definition in nexus create task gui
nexus_backup_dir: '/var/nexus-backup'
nexus_restore_log: '{{ nexus_backup_dir }}/nexus-restore.log'
nexus_backup_rotate: false
nexus_backup_rotate_first: false
nexus_backup_keep_rotations: 4 # Keep 4 backup rotation by default (current + last 3)
```
Backups are only configured if you switch nexus_backup_configure to true. In that case, a scheduled script task is configured in Nexus to run at the interval specified by nexus_backup_cron (by default, daily at 21:00). See the [groovy template for this task](templates/backup.groovy.j2) for details.
This scheduled task is independent of the other nexus_scheduled_tasks you declare in your playbook.
If you want backups to be rotated/removed, set nexus_backup_rotate: true and use nexus_backup_keep_rotations to set the number of backups to keep (default 4).
When using rotation, if you want to save extra disk space during the backup process, you can set nexus_backup_rotate_first: true. This configures a pre-r rotation/removal before the backup. By default, rotation happens after the backup has been created. Note that with rotate-first, old backups are removed before the current backup has been created.
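To make the difference between rotating after and before the backup concrete, here is an added example (it is not the role's backup.groovy.j2 or any other code from the project) that plans one backup run over a constructed listing of nexus_backup_dir, identifies backups by the YYYY-MM-dd-HH-mm-ss restore-point format used in the next section, and reports which backups would still exist if the new backup failed after rotation had already run. The listing and the restore points are constructed for the example; the keep_rotations arithmetic is a model of the behaviour described above.

```python
"""Plan one backup run under nexus_backup_keep_rotations / nexus_backup_rotate_first
(added example; a model of the behaviour described on this page, not the role's
code). Backups are identified by their restore point, YYYY-MM-dd-HH-mm-ss."""
from datetime import datetime

RESTORE_POINT_FMT = "%Y-%m-%d-%H-%M-%S"

# Constructed listing of nexus_backup_dir: four nightly backups at 21:00, unsorted.
EXISTING = ["2017-12-17-21-00-00", "2017-12-14-21-00-00",
            "2017-12-16-21-00-00", "2017-12-15-21-00-00"]


def parse_restore_point(point):
    """Validate a nexus_restore_point value; raises ValueError when malformed."""
    return datetime.strptime(point, RESTORE_POINT_FMT)


def plan_rotation(existing, new_point, keep_rotations=4, rotate_first=False):
    """Return what one run deletes, what it keeps, and what would remain if the
    new backup failed after the rotation step had already happened."""
    if keep_rotations < 1:
        raise ValueError("keep_rotations must be at least 1")
    parse_restore_point(new_point)
    old = sorted(existing, key=parse_restore_point)
    if rotate_first:
        # Trim to keep_rotations-1 before writing: frees disk space early, but
        # the deleted backups are gone before the new one exists.
        excess = max(0, len(old) - (keep_rotations - 1))
        deleted, survivors = old[:excess], old[excess:]
        kept_if_fails = list(survivors)
        kept = survivors + [new_point]
    else:
        # Default: write first, then drop the oldest beyond keep_rotations.
        kept_if_fails = list(old)
        everything = sorted(old + [new_point], key=parse_restore_point)
        excess = max(0, len(everything) - keep_rotations)
        deleted, kept = everything[:excess], everything[excess:]
    return {"deleted": deleted, "kept": kept, "kept_if_backup_fails": kept_if_fails}


if __name__ == "__main__":
    for first in (False, True):
        print("rotate_first =", first, plan_rotation(EXISTING, "2017-12-18-21-00-00", rotate_first=first))
```

Both modes end with the same four backups when the run succeeds; the difference is only visible in kept_if_backup_fails, which is what decides how many restore points you still have on the night the backup job breaks.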
Restore procedure
Run the playbook with the parameter -e nexus_restore_point=<YYYY-MM-dd-HH-mm-ss> (for example, 2017-12-17-21-00-00 for 17 December 2017 at 21:00).
Purge nexus
Warning: this completely deletes the current data. Make a backup beforehand if needed.
Use the nexus_purge variable if you need to start over from scratch, remove all data and reinstall the Nexus instance:
```sh
ansible-playbook -i your/inventory.ini your_nexus_playbook.yml -e nexus_purge=true
```
Change admin password after first install
```yaml
nexus_default_admin_password: 'admin123'
```
Do not change this in your playbook. This variable holds the default Nexus admin password on first install and guarantees that the admin password can be changed to nexus_admin_password.
If you want to change the admin password after the first install, you can temporarily override it from the command line with the old password. After changing nexus_admin_password in your playbook, run:
```sh
ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_default_admin_password=oldPassword
```
Nexus Sonatype Telegram channel.
Source: habr.com