This role installs and configures Nexus Repository Manager OSS version 3.x on CentOS/RHEL.
All configuration can be updated by re-running the role, except for the blobstores-related settings, which are immutable in nexus.
- This has only been tested on CentOS 7 + Ubuntu 16.04 (Xenial)
- Oracle Java 8 (mandatory)
- Apache HTTPD (optional, used to setup a SSL reverse-proxy)
(see Dependencies section below for matching roles on galaxy)
Ansible variables, along with the default values (see default/main.yml) :
nexus_version: '3.1.0-04'
nexus_timezone: 'UTC'
nexus_package: "nexus-{{ nexus_version }}-unix.tar.gz"
The nexus version and package to install, see available versions at https://www.sonatype.com/download-oss-sonatype . nexus_timezone is a Java Timezone name and can be useful in combination with nexus_scheduled_tasks cron expressions below.
nexus_download_dir: '/tmp'
Directory on target where the nexus package will be downloaded.
nexus_default_port: 8081
nexus_default_context_path: '/'
Port and context path of the java nexus process. nexus_default_context_path has to keep the trailing slash when set, for ex. : nexus_default_context_path: '/nexus/'.
nexus_os_group: 'nexus'
nexus_os_user: 'nexus'
User and group used to own the nexus files and run the service, those will be created by the role if absent.
nexus_installation_dir: '/opt'
nexus_data_dir: '/var/nexus'
nexus_tmp_dir: '/tmp/nexus'
Nexus directories, nexus_installation_dir contains the installed executable(s), nexus_data_dir contains all configuration, repositories and uploaded artifacts. Note: custom blobstores paths outside of nexus_data_dir can be configured, see nexus_blobstores below.
nexus_admin_password: 'changeme'
The 'admin' account password to setup. Note : admin password change subsequent to first-time provisioning/install is not implemented by this role yet.
nexus_anonymous_access: false
Allow anonymous access to nexus.
public_hostname: 'nexus.vm'
The fully qualified domain name under which the nexus instance will be accessible to its clients.
nexus_branding_header: ""
nexus_branding_footer: "Last provisionned {{ ansible_date_time.iso8601 }}"
Header and footer branding, those can contain HTML.
httpd_setup_enable: false
httpd_ssl_certificate_file: 'files/nexus.vm.crt'
httpd_ssl_certificate_key_file: 'files/nexus.vm.key'
Setup an SSL Reverse-proxy, this needs httpd installed. Note : when httpd_setup_enable is set to true, nexus binds to 127.0.0.1:8081 thus not being directly accessible on HTTP port 8081 from an external IP.
ldap_connections: []
LDAP connection(s) setup, each item goes as follow :
- ldap_name: 'My Company LDAP' # used as a key to update the ldap config
ldap_protocol: 'ldaps' # ldap or ldaps
ldap_hostname: 'ldap.mycompany.com'
ldap_port: 636
ldap_search_base: 'dc=mycompany,dc=net'
ldap_auth: 'none' # or simple
ldap_auth_username: 'username' # if auth = simple
ldap_auth_password: 'password' # if auth = simple
ldap_user_base_dn: 'ou=users'
ldap_user_filter: '(cn=*)' # (optional)
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_user_subtree: false
ldap_map_groups_as_roles: false
ldap_group_base_dn: 'ou=groups'
ldap_group_object_class: 'posixGroup'
ldap_group_id_attribute: 'cn'
ldap_group_member_attribute: 'memberUid'
ldap_group_member_format: '${username}'
ldap_group_subtree: false
Example LDAP config for anonymous authentication (anonymous bind), this is also the "minimal" config :
- ldap_name: 'Simplest LDAP config'
ldap_protocol: 'ldaps'
ldap_hostname: 'annuaire.mycompany.com'
ldap_search_base: 'dc=mycompany,dc=net'
ldap_port: 636
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_user_object_class: 'inetOrgPerson'
Example LDAP config for simple authentication (using a DSA account) :
- ldap_name: 'LDAP config with DSA'
ldap_protocol: 'ldaps'
ldap_hostname: 'annuaire.mycompany.com'
ldap_port: 636
ldap_auth: 'simple'
ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
ldap_search_base: 'dc=mycompany,dc=net'
ldap_user_base_dn: 'ou=users'
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_user_subtree: false
Example LDAP config for simple authentication (using a DSA account) + groups mapped as roles :
- ldap_name: 'LDAP config with DSA'
ldap_protocol: 'ldaps'
ldap_hostname: 'annuaire.mycompany.com'
ldap_port: 636
ldap_auth: 'simple'
ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'
ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault
ldap_search_base: 'dc=mycompany,dc=net'
ldap_user_base_dn: 'ou=users'
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_map_groups_as_roles: true
ldap_group_base_dn: 'ou=groups'
ldap_group_object_class: 'groupOfNames'
ldap_group_id_attribute: 'cn'
ldap_group_member_attribute: 'member'
ldap_group_member_format: 'uid=${username},ou=users,dc=mycompany,dc=net'
ldap_group_subtree: false
nexus_privileges:
- name: all-repos-read # used as key to update a privilege
description: 'Read & Browse access to all repos'
repository: '*'
actions: # can be add, browse, create, delete, edit, read or * (all)
- read
- browse
List of the privileges to setup. Those items are combined with the following default values :
_nexus_privilege_defaults:
type: repository-view
format: maven2
actions:
- read
nexus_roles:
- id: Developpers # can map to a LDAP group id, also used as a key to update a role
name: developers
description: All developers
privileges:
- nx-search-read
- all-repos-read
roles: [] # references to other role names
List of the roles to setup.
nexus_local_users: []
Local (non-LDAP) users/accounts to create in nexus, items go as follow :
- username: jenkins # used as key to update
first_name: Jenkins
last_name: CI
email: support@company.com
password: "s3cr3t"
roles:
- developers # role ID
nexus_delete_default_repos: false
Delete the repositories from the nexus install initial default configuration. This step is only executed on first-time install (when nexus_data_dir has been detected empty).
nexus_delete_default_blobstore: false
Delete the default blobstore from the nexus install initial default configuration. This can be done only if nexus_delete_default_repos: true and all configured repositories (see below) have an explicit blob_store: custom. This step is only executed on first-time install (when nexus_data_dir has been detected empty).
nexus_blobstores: []
# example blobstore item :
# - name: separate-storage
# path: /mnt/custom/path
Blobstores to create. A blobstore path and a repository blobstore cannot be updated after initial creation (any update here will be ignored on re-provisionning).
nexus_blobstores_gcp: []
# example Google Bucket backed blobstore item:
# - name: "gcp_blobstore"
# bucket: "my-gcp-bucket-name"
# credentials: "/opt/nexus-latest/system/gcloud-nexus-key.json"
Google Cloud Platform storage bucket backed blobstore to create. Note that this requires installation of the GCP Blobstore Nexus plugin before it can be created. If you have an Ansible role to do this you can install it prior to blobstore creation by including the role in the nexus_plugins_installation_roles list.
nexus_scheduled_tasks: []
# example task to compact blobstore :
# - name: compact-blobstore
# cron: '0 0 22 * * ?'
# typeId: blobstore.compact
# taskProperties:
# blobstoreName: 'default' # all task attributes are stored as strings by nexus internally
Scheduled tasks to setup. typeId and task-specific taskProperties can be guessed either from the java type hierarchy of org.sonatype.nexus.scheduling.TaskDescriptorSupport or from peeking at the browser AJAX requests while manually configuring a task.
nexus_repos_maven_proxy:
- name: central
remote_url: 'https://repo1.maven.org/maven2/'
layout_policy: permissive
- name: jboss
remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'
# example with a login/password :
# - name: secret-remote-repo
# remote_url: 'https://company.com/repo/secure/private/go/away'
# remote_username: 'username'
# remote_password: 'secret'
Maven proxy repositories configuration.
nexus_repos_maven_hosted:
- name: private-release
version_policy: release
write_policy: allow_once
Maven hosted repositories configuration.
nexus_repos_maven_group:
- name: public
member_repos:
- central
- jboss
Maven group repositories configuration.
All three repository types are combined with the following default values :
_nexus_repos_maven_defaults:
blob_store: default # Note : cannot be updated once the repo has been created
strict_content_validation: true
version_policy: release # release, snapshot or mixed
layout_policy: strict # strict or permissive
write_policy: allow_once # allow_once or allow
Docker, Pypi, Raw, Rubygems, Bower, NPM, Git-LFS, YUM and APT repository types:
see defaults/main.yml for these options:
nexus_config_pypi: false
nexus_config_docker: false
nexus_config_raw: false
nexus_config_rubygems: false
nexus_config_bower: false
nexus_config_npm: false
nexus_config_gitlfs: false
nexus_config_yum: false
nexus_config_apt: false
NOTE: APT repositories require the installation of the APT repository Nexus plugin, see the Plugins section towards the end of this document.
These are all false unless you override them from playbook / group_var / cli, these all utilize the same mechanism as maven.
This role requires Ansible 2.1 or higher.
The java and httpd requirements /can/ be fulfilled with the following galaxy roles :
---
- name: Nexus
hosts: nexus
become: yes
vars:
nexus_version: '3.1.0-04'
nexus_timezone: 'Canada/Eastern'
nexus_admin_password: "{{ vault_nexus_admin_password }}"
httpd_server_name: 'nexus.vm'
httpd_setup_enable: true
httpd_ssl_certificate_file: "{{ vault_httpd_ssl_certificate_file }}"
httpd_ssl_certificate_key_file: "{{ vault_httpd_ssl_certificate_key_file }}"
ldap_connections:
- ldap_name: 'Company LDAP'
ldap_protocol: 'ldaps'
ldap_hostname: 'ldap.company.com'
ldap_port: 636
ldap_search_base: 'dc=company,dc=net'
ldap_user_base_dn: 'ou=users'
ldap_user_object_class: 'inetOrgPerson'
ldap_user_id_attribute: 'uid'
ldap_user_real_name_attribute: 'cn'
ldap_user_email_attribute: 'mail'
ldap_group_base_dn: 'ou=groups'
ldap_group_object_class: 'posixGroup'
ldap_group_id_attribute: 'cn'
ldap_group_member_attribute: 'memberUid'
ldap_group_member_format: '${username}'
nexus_privileges:
- name: all-repos-read
description: 'Read & Browse access to all repos'
repository: '*'
actions:
- read
- browse
- name: company-project-deploy
description: 'Deployments to company-project'
repository: company-project
actions:
- add
- edit
nexus_roles:
- id: Developpers # maps to the LDAP group
name: developers
description: All developers
privileges:
- nx-search-read
- all-repos-read
- company-project-deploy
roles: []
nexus_local_users:
- username: jenkins # used as key to update
first_name: Jenkins
last_name: CI
email: support@company.com
password: "s3cr3t"
roles:
- Developpers # role ID here
nexus_blobstores:
- name: company-artifacts
path: /var/nexus/blobs/company-artifacts
nexus_scheduled_tasks:
- name: compact-blobstore
cron: '0 0 22 * * ?'
typeId: blobstore.compact
taskProperties:
blobstoreName: 'company-artifacts'
nexus_repos_maven_proxy:
- name: central
remote_url: 'https://repo1.maven.org/maven2/'
layout_policy: permissive
- name: alfresco
remote_url: 'https://artifacts.alfresco.com/nexus/content/groups/private/'
remote_username: 'secret-username'
remote_password: "{{ vault_alfresco_private_password }}"
- name: jboss
remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'
- name: vaadin-addons
remote_url: 'https://maven.vaadin.com/vaadin-addons/'
- name: jaspersoft
remote_url: 'https://jaspersoft.artifactoryonline.com/jaspersoft/jaspersoft-repo/'
version_policy: mixed
nexus_repos_maven_hosted:
- name: company-project
version_policy: mixed
write_policy: allow
blob_store: company-artifacts
nexus_repos_maven_group:
- name: public
member_repos:
- central
- jboss
- vaadin-addons
- jaspersoft
roles:
- role: ansiblebit.oracle-java
oracle_java_set_as_default: yes
- role: geerlingguy.apache
apache_create_vhosts: no
- role: savoirfairelinux.nexus3-oss
Nexus plugins can be installed as part of the Nexus installation using this role by adding them into the nexus_plugins_installation_roles list. This requires that you have added Ansible roles to do the installation of the plugins. These plugins will be installed after the base Nexus installation, before the creation of blobstores, repositories, etc. nexus_plugins_installation_roles: - "nexus-repository-apt" - "nexus-blobstore-google-cloud" For the Google Cloud Platform Nexus Blobstore Nexus plugin see https://github.com/sonatype-nexus-community/nexus-blobstore-google-cloud For the APT repository plugin see https://github.com/sonatype-nexus-community/nexus-repository-apt
GNU GPLv3
See https://github.com/savoirfairelinux/ansible-nexus3-oss