{"id":14984434,"url":"https://github.com/ansible-thoteam/nexus3-oss","last_synced_at":"2025-10-25T13:11:02.428Z","repository":{"id":44644535,"uuid":"112915877","full_name":"ansible-ThoTeam/nexus3-oss","owner":"ansible-ThoTeam","description":"Ansible role to install and provision sonatype nexus3-oss","archived":false,"fork":false,"pushed_at":"2024-07-19T08:00:14.000Z","size":917,"stargazers_count":296,"open_issues_count":31,"forks_count":206,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-04-04T09:36:09.020Z","etag":null,"topics":["ansible","ansible-role","devops","groovy","molecule-scenario","nexus","nexus3-oss"],"latest_commit_sha":null,"homepage":"","language":"Groovy","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ansible-ThoTeam.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-12-03T09:35:57.000Z","updated_at":"2025-03-28T07:50:38.000Z","dependencies_parsed_at":"2024-08-03T07:01:23.499Z","dependency_job_id":"9d705628-ccd1-4165-b567-f22bbca1e461","html_url":"https://github.com/ansible-ThoTeam/nexus3-oss","commit_stats":{"total_commits":501,"total_committers":63,"mean_commits":"7.9523809523809526","dds":0.2694610778443114,"last_synced_commit":"ec06f64febabee51bc02907afe06d8a32eda175c"},"previous_names":[],"tags_count":51,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansible-ThoTeam%2Fnexus3-oss","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansible-ThoTeam%2Fnexus3-oss/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansible-ThoTeam%2Fnexus3-oss/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ansible-ThoTeam%2Fnexus3-oss/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ansible-ThoTeam","download_url":"https://codeload.github.com/ansible-ThoTeam/nexus3-oss/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247157281,"owners_count":20893220,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible","ansible-role","devops","groovy","molecule-scenario","nexus","nexus3-oss"],"created_at":"2024-09-24T14:09:02.792Z","updated_at":"2025-10-25T13:10:57.394Z","avatar_url":"https://github.com/ansible-ThoTeam.png","language":"Groovy","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.com/ansible-ThoTeam/nexus3-oss.svg?branch=main)](https://app.travis-ci.com/github/ansible-ThoTeam/nexus3-oss)\n[![GitHub release (latest by date)](https://img.shields.io/github/v/release/ansible-ThoTeam/nexus3-oss)](https://github.com/ansible-ThoTeam/nexus3-oss/releases/latest)\n[![GitHub commits since latest release](https://img.shields.io/github/commits-since/ansible-ThoTeam/nexus3-oss/latest)](https://github.com/ansible-ThoTeam/nexus3-oss/commits/main)\n[![Ansible Role](https://img.shields.io/ansible/role/d/ansible-ThoTeam/nexus3-oss?label=Galaxy%20downloads)](https://galaxy.ansible.com/ui/standalone/roles/ansible-ThoTeam/nexus3-oss/)\n[![GitHub contributors](https://img.shields.io/github/contributors/ansible-ThoTeam/nexus3-oss)](https://github.com/ansible-ThoTeam/nexus3-oss/graphs/contributors)\n[![GitHub licence](https://img.shields.io/github/license/ansible-ThoTeam/nexus3-oss)](https://github.com/ansible-ThoTeam/nexus3-oss/blob/main/LICENSE.md)\n# Ansible Role: Nexus 3 OSS\n\nThis role installs and configures Nexus Repository Manager OSS version 3.x.\n\nAll configuration can be updated by re-running the role, except for the [blobstores](https://help.sonatype.com/display/NXRM3/Repository+Management#RepositoryManagement-BlobStores) related settings, which are immutable in nexus.\n\n\u003cimg src=\"https://docs.travis-ci.com/images/travis-mascot-200px.png\" alt=\"travis-ci.com logo\" width=\"50\" height=\"50\" /\u003e This role's CI is proudly using OSS credits allocated by https://travis.com\n\n## Table of Contents\n**Note**: TOC links will not function appropriately when viewing it from ansible galaxy site.\n[View it on github](https://github.com/ansible-ThoTeam/nexus3-oss/blob/master/README.md#table-of-contents)\n\n_(Created with [gh-md-toc](https://github.com/ekalinin/github-markdown-toc))_\n\u003c!-- Run gh-md-toc --insert README.md to update --\u003e\n\u003c!--ts--\u003e\n* [Ansible Role: Nexus 3 OSS](#ansible-role-nexus-3-oss)\n * [Table of Contents](#table-of-contents)\n * [History / Credits](#history--credits)\n * [Requirements](#requirements)\n * [Role Variables](#role-variables)\n * [General variables](#general-variables)\n * [Download dir for nexus package](#download-dir-for-nexus-package)\n * [Nexus port, context path and listening IP](#nexus-port-context-path-and-listening-ip)\n * [Nexus OS user and group](#nexus-os-user-and-group)\n * [Nexus instance directories](#nexus-instance-directories)\n * [Nexus JVM setting](#nexus-jvm-setting)\n * [Plugin installation](#plugin-installation)\n * [Onboarding Wizard](#onboarding-wizard)\n * [Admin password](#admin-password)\n * [Default anonymous access](#default-anonymous-access)\n * [Public hostname](#public-hostname)\n * [API access for this role](#api-access-for-this-role)\n * [Branding capabalities](#branding-capabalities)\n * [Audit capability](#audit-capability)\n * [Log4j Visualizer](#log4j-visualizer)\n * [Reverse proxy setup](#reverse-proxy-setup)\n * [LDAP configuration](#ldap-configuration)\n * [Privileges](#privileges)\n * [Roles](#roles)\n * [Users](#users)\n * [Content selectors](#content-selectors)\n * [Cleanup policies](#cleanup-policies)\n * [Blobstores and repositories](#blobstores-and-repositories)\n * [Scheduled tasks](#scheduled-tasks)\n * [Backups](#backups)\n * [Restore procedure](#restore-procedure)\n * [Possible limitations](#possible-limitations)\n * [Special maintenance/debug variables](#special-maintenancedebug-variables)\n * [Purge nexus](#purge-nexus)\n * [Force groovy scripts registration](#force-groovy-scripts-registration)\n * [Change admin password after first install](#change-admin-password-after-first-install)\n * [Upgrade nexus to latest version](#upgrade-nexus-to-latest-version)\n * [Fix upgrade failing on timeout waiting for nexus port](#fix-upgrade-failing-on-timeout-waiting-for-nexus-port)\n * [Skip provisionning tasks](#skip-provisionning-tasks)\n * [Force recursive ownership check of blobstores directories](#force-recursive-ownership-check-of-blobstores-directories)\n * [Dependencies](#dependencies)\n * [Example Playbook](#example-playbook)\n * [Development, Contribution and Testing](#development-contribution-and-testing)\n * [Contributions](#contributions)\n * [Testing](#testing)\n * [Groovy syntax](#groovy-syntax)\n * [Molecule default-xxxx scenarii](#molecule-default-xxxx-scenarii)\n * [License](#license)\n * [Author Information](#author-information)\n\n\u003c!-- Added by: olcla, at: jeu 06 oct 2022 23:38:13 CEST --\u003e\n\n\u003c!--te--\u003e\n\n## History / Credits\n\nThis role is a fork of [ansible-nexus3-oss](https://github.com/savoirfairelinux/ansible-nexus3-oss) by [@savoirfairelinux](https://github.com/savoirfairelinux) after they announced end of maintenance.\nYou can have a look at the following tickets in the original repository for explanations:\n- https://github.com/savoirfairelinux/ansible-nexus3-oss/issues/36\n- https://github.com/savoirfairelinux/ansible-nexus3-oss/issues/38\n\nWe would like to thank the original authors for the work done.\n\n*In Memoriam [Lionel Lecha] (note from main author):*\n\u003ctable\u003e\n \u003ctr\u003e\n \u003ctd width=\"230px\"\u003e\u003cimg alt=\"Picture of Lionel Lecha\" src=\"docs/images/lionel_lecha.png\" /\u003e\u003c/td\u003e\n \u003ctd\u003e\n This work would never have reached the community as an Open Source project without the unconditional trust\n of Lionel Lecha, director of SMAP APPUI @La Poste when I started to automate the deployment of nexus\n for his unit in 2018 as an external contractor. Lionel died too early on the 17th of february 2023\n at the age of 60. Thanks for your always equal good mood and your confidence.\n \u003c/td\u003e\n \u003c/tr\u003e\n\u003c/table\u003e\n\n\n## Requirements\n\n- Fairly Up-to-date version of ansible. We follow ansible versions during maintenance/development and will take advantage\nof new features if needed (and update meta/main.yml for minimum version)\n- Compatible OS. This role is tested through molecule on travis CI for CentOS 8, Ubuntu Bionic (18.04),\n and Debian buster. Other molecule scenarios can be played locally for CentOS 7, Ubuntu Xenial (16.04), and Debian stretch\n- Rsync has to be installed on the target machine (it is not needed on the host running ansible if different)\n- `jmespath` library needs to be installed on the host running the playbook (needed for the `json_query` filter). See `requirements.txt`\n- Java 8 (mandatory)\n - **Oracle announced Java 8 EOL. Sonatype is now recommending openjdk8**\n - For more information see [nexus3 system requirements](https://help.sonatype.com/display/NXRM3/System+Requirements)\n- Apache HTTPD (optional)\n - Used to setup a SSL reverse-proxy\n - The following modules must be enabled in your configuration: mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http, mod_headers.\n\n(see [Dependencies](#dependencies) section below for matching roles on galaxy)\n\n## Role Variables\n\nAnsible variables, along with the default values (see `default/main.yml`) :\n\n### General variables\n```yaml\n nexus_version: ''\n nexus_timezone: 'UTC'\n nexus_download_url: \"http://download.sonatype.com/nexus/3\"\n # nexus_download_ssl_verify: \u003cunset\u003e\n # nexus_version_running: \u003cunset\u003e\n```\n\nThe role will install latest nexus available version by default. You may fix the version by setting\nthe `nexus_version` variable. See available versions at https://www.sonatype.com/download-oss-sonatype.\nWhen having a slow pull through proxy, a retry can be useful to prevent timeouts. You can add retries to the download by setting these variables:\n```yaml\n nexus_download_retries: 3 # 0 by default\n nexus_download_delay: 15\n```\n\n\nIf you fix the version and change it to a different one, the role will try to upgrade your installation.\n**Make sure to change to a later version in release history**. Downgrading will fail (unless you re-install\nfrom scratch using the [`nexus_purge` special var](#purge-nexus))\n\nIf you don't fix the version and play the role on an existing installation, the current installed version will be used\n(detecting target of `{{ nexus_installation_dir}}/nexus-latest`). If you want to upgrade nexus, you will have to pass\nthe special var `nexus_upgrade=true` on the ansible-playbook command line.\nSee [Upgrade nexus to latest version](#upgrade-nexus-to-latest-version)\n\nIf you use an older version of nexus than the lastest, you should make sure you do not use features which are\nnot available in the installed release (e.g. yum hosted repositories for nexus \u003c 3.8.0, git lfs repo for nexus \u003c 3.3.0, etc.)\n\n`nexus_timezone` is a Java Timezone name and can be useful in combinationwith `nexus_scheduled_tasks` cron expressions below.\n\nYou may change the download site for packages by tuning `nexus_download_url` (e.g. closed environment,\nproxy/cache on your network...). **In this case, the automatic detection of the latest version will most likelly fail\nand you will have to fix the version to download.** If you still want to take advantage of automatic latest version detection,\na call to `\u003cyour_custom_location\u003e/latest-unix.tar.gz` must return an HTTP 302 redirect to the latest available version\nin your cache/proxy. If your download location uses https with a self-signed certificate (or a from a private PKI) and\nyou are having troubles getting it validated (i.e. download errors in the role) and you fully trust the target\nyou can set `nexus_download_ssl_verify: false`.\n\n`nexus_version_running` is a variable used internally. **As such, it should never be set directly**\nIt will exist only if nexus is currently installed on the host and will register the current version prior to running\nthe role. It can be used later in your playbook if needed (e.g. for an upgrade notification email)\n\n### Download dir for nexus package\n```yaml\n nexus_download_dir: '/tmp'\n```\n\nDirectory on target where the nexus package will be downloaded.\n\n**Important note**: if you intend to run the role periodically to maintain/provision your nexus install, you should make\nsure the downloaded files will persist between run. On RHEL/Centos specifically, you should change this dir to a location that\nis not cleaned up automatically. If the package file does not persist, it will be downloaded again which might cause an unnecessary restart of nexus.\n\n### Local tmp dir on controller\n```yaml\nnexus_local_tmp_dir: /tmp\n```\n\nThis directory is used to create a local archive of groovy script prior to sending them to the target.\nOn shared ansible controller, you should modify this path to one you own (e.g. `/home/\u003cuser\u003e/tmp`).\n**Important:** this directory **must** exist.\n\n### Nexus port, context path and listening IP\n```yaml\n nexus_default_port: 8081\n nexus_application_host: '{{ httpd_setup_enable | ternary(\"127.0.0.1\", \"0.0.0.0\") }}'\n nexus_default_context_path: '/'\n```\n\nListening port/ip, and context path of the java nexus process.\n* the listening IP/Interface (i.e. `nexus_application_host`) is by default dependant on the `httpd_setup_enable` setting.\nNexus will listen only on localhost (127.0.0.1) if reverse proxy is enabled or all configured IP (0.0.0.0) if not. You\ncan change this setting to your actual need (i.e. don't install proxy and still bind to 127.0.0.1 only if you install\nyour own proxy)\n* `nexus_default_context_path` has to keep the trailing slash when set, for ex. : `nexus_default_context_path: '/nexus/'`.\n\n### Nexus OS user and group\n```yaml\n nexus_os_group: 'nexus'\n nexus_os_gid: 1000\n nexus_os_user: 'nexus'\n nexus_os_uid: 1000\n```\n\nUser and group used to own the nexus files and run the service, those will be created by the role if absent. If defined a uid and gid will be used apon creation.\n\n```yaml\n nexus_os_user_home_dir: '/home/nexus'\n```\n\nAllow to change the nexus user default home directory\n\n### Nexus instance directories\n```yaml\n nexus_installation_dir: '/opt'\n nexus_data_dir: '/var/nexus'\n nexus_tmp_dir: \"{{ (ansible_os_family == 'RedHat') | ternary('/var/nexus-tmp', '/tmp/nexus') }}\"\n```\n\nNexus directories.\n* `nexus_installation_dir` contains the installed executable(s)\n* `nexus_data_dir` contains all configuration, repositories and uploaded artifacts. Custom blobstores paths outside\nof `nexus_data_dir` can be configured, see `nexus_blobstores` below.\n* `nexus_tmp_dir` contains all temporary files. Default path for redhat has been moved out of `/tmp` to overcome\npotential problems with automatic cleaning procedures. See #168.\n\n### Nexus JVM setting\n```yaml\n nexus_min_heap_size: \"1200M\"\n nexus_max_heap_size: \"{{ nexus_min_heap_size }}\"\n nexus_max_direct_memory: \"2G\"\n```\nThese are the defaults for Nexus. **Please do not modify those values** _unless you have read [the memory section of nexus system requirements](https://help.sonatype.com/repomanager3/system-requirements#SystemRequirements-Memory)_ and you understand what you are doing.\n\nAs a second warning, here is an extract from the above document:\n\u003e Increasing the JVM heap memory larger than recommended values in an attempt to improve performance is not recommended. This actually can have the opposite effect, causing the operating system to thrash needlessly.\n\n```yaml\n nexus_custom_jvm_settings: []\n```\nAdditionnal settings to pass to the jvm. Those are empty by default and should not contain any option related to memory above\n(i.e. anything which starts with Xms, Xmx, or XX:MaxDirectMemorySize=). Each option should be set as an item of the list\nwithout the leading dash (`-`).\n\nHere is an example to change the Garbabe collector to G1 and set GC logs with rotation.\n```yaml\n nexus_custom_jvm_settings:\n - XX:+UseG1GC\n - XX:+PrintGCDetails\n - Xloggc:{{ nexus_installation_dir }}log/gc.log\n - XX:+UseGCLogFileRotation\n - XX:NumberOfGCLogFiles=10\n - XX:GCLogFileSize=50m\n```\n\n### Plugin installation\n```yaml\nnexus_plugin_urls: []\n```\nPut list of urls pointing to plugins build for your Nexus version. Only *.kar bundles can be installed this way.\n\n### Onboarding Wizard\n```yaml\nnexus_onboarding_wizard: false\n```\nControls whether the nexus onboarding wizard runs when the admin user logs in for the first time\n\n### Admin password\n```yaml\n nexus_admin_password: 'changeme'\n```\nThe 'admin' account password to setup. _This works only on first time install by default_. Please see [Change admin password after first install](#change-admin-password-after-first-install) if you want to change it later with the role.\n\n**It is strongly advised that you do not keep your password in clear text in you playbook and use [ansible-vault encryption](https://docs.ansible.com/ansible/latest/user_guide/vault.html) (either inline or in a separate file loaded with include_vars for example)**\n\n\n### Default anonymous access\n```yaml\n nexus_anonymous_access: false\n```\n\nAllow [anonymous access](https://help.sonatype.com/display/NXRM3/Anonymous+Access) to nexus.\n\n### Public hostname\n```yaml\n nexus_public_hostname: 'nexus.vm'\n nexus_public_scheme: https\n```\n\nThe fully qualified domain name and scheme under which the nexus instance will be accessible to its clients.\n\n### API access for this role\n```yaml\n nexus_api_hostname: localhost\n nexus_api_scheme: http\n nexus_api_validate_certs: \"{{ nexus_api_scheme == 'https' }}\"\n nexus_api_context_path: \"{{ nexus_default_context_path }}\"\n nexus_api_port: \"{{ nexus_default_port }}\"\n nexus_api_timeout: 60\n```\nThese vars control how the role connects to the nexus API for provisionning.\n**For advance usage only. You most probably do not want to change these default settings**\n\nNote: the `nexus_api_timeout` was added in v2.4.19 and overrides the default\n[`uri` module timeout](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html) of 30s\nfor all calls to the API\n\n### Branding capabalities\n```yaml\n nexus_branding_header: \"\"\n nexus_branding_footer: \"Last provisionned {{ ansible_date_time.iso8601 }}\"\n```\n\nHeader and footer branding, those can contain HTML.\n\n### Audit capability\n```yaml\n nexus_audit_enabled: false\n```\n\nThe [Auditing capability of nexus](https://help.sonatype.com/repomanager3/security/auditing) is off by default. You can turn it on by switching this to `true`. Please note that the audit data is stored in nexus db, persits accross reboots and is not automatically rotated/cleared.\n\n### Log4j Visualizer\n```yaml\n nexus_log4j_visualizer_enabled: false\n```\n\nBy default the log4j visualizer is set to false. You can enable this by switching to `true`. This will add the log4j-visualizer capability to your Nexus instance.\n\n### Reverse proxy setup\n```yaml\n httpd_setup_enable: false\n httpd_server_name: \"{{ nexus_public_hostname }}\"\n httpd_default_admin_email: \"admin@example.com\"\n httpd_ssl_certificate_file: 'files/nexus.vm.crt'\n httpd_ssl_certificate_key_file: 'files/nexus.vm.key'\n # httpd_ssl_certificate_chain_file: \"{{ httpd_ssl_certificate_file }}\"\n httpd_copy_ssl_files: true\n```\n\nSetup an [SSL Reverse-proxy](https://help.sonatype.com/display/NXRM3/Run+Behind+a+Reverse+Proxy#RunBehindaReverseProxy-Example:ReverseProxySSLTerminationatBasePath).\nThis needs httpd installed. Note : when `httpd_setup_enable` is set to `true`, nexus binds by default to 127.0.0.1:8081\nthus *not* being directly accessible on HTTP port 8081 from an external IP. (If you want to change this, you can explicitely\nset `nexus_application_host: 0.0.0.0`)\n\nThe default hostname used is `nexus_public_hostname`. If you need different names for whatever reason, you can set\n`httpd_server_name` to a different value.\n\nWith `httpd_copy_ssl_files: true` (default), the above certs must exist in your playbook dir and will be copied to the server and configured in apache. `httpd_ssl_certificate_chain_file` is optional and must be left unset if you do not want to configure a chain file.\n\nIf you want to use existing certificates on the server, set `httpd_copy_ssl_files: false` and provide the following variables\n\n```yaml\n # These specifies to the vhost where to find on the remote server file\n # system the certificate files.\n httpd_ssl_cert_file_location: \"/etc/pki/tls/certs/wildcard.vm.crt\"\n httpd_ssl_cert_key_location: \"/etc/pki/tls/private/wildcard.vm.key\"\n # httpd_ssl_cert_chain_file_location: \"{{ httpd_ssl_cert_file_location }}\"\n```\n\n`httpd_ssl_cert_chain_file_location` is optional and must be left unset if you do not want to configure a chain file\n\n```yaml\n httpd_default_admin_email: \"admin@example.com\"\n```\n\nSet httpd default admin email address\n\n### LDAP configuration\n\nLdap connections and security realm are disabled by default\n\n```yaml\n nexus_ldap_realm: false\n ldap_connections: []\n```\n\n[LDAP connection(s)](https://help.sonatype.com/display/NXRM3/LDAP) setup, each item goes as follow :\n\n```yaml\n nexus_ldap_realm: true\n ldap_connections:\n - ldap_name: 'My Company LDAP' # used as a key to update the ldap config\n ldap_protocol: 'ldaps' # ldap or ldaps\n ldap_hostname: 'ldap.mycompany.com'\n ldap_port: 636\n ldap_use_trust_store: false # Wether or not to use certs in the nexus trust store\n ldap_search_base: 'dc=mycompany,dc=net'\n ldap_auth: 'none' # or simple\n ldap_auth_username: 'username' # if auth = simple\n ldap_auth_password: 'password' # if auth = simple\n ldap_user_base_dn: 'ou=users'\n ldap_user_filter: '(cn=*)' # (optional)\n ldap_user_object_class: 'inetOrgPerson'\n ldap_user_id_attribute: 'uid'\n ldap_user_real_name_attribute: 'cn'\n ldap_user_email_attribute: 'mail'\n ldap_user_subtree: false\n ldap_map_groups_as_roles: false\n ldap_group_base_dn: 'ou=groups'\n ldap_group_object_class: 'posixGroup'\n ldap_group_id_attribute: 'cn'\n ldap_group_member_attribute: 'memberUid'\n ldap_group_member_format: '${username}'\n ldap_group_subtree: false\n```\n\nExample LDAP config for anonymous authentication (anonymous bind), this is also the \"minimal\" config :\n\n```yaml\n nexus_ldap_realm: true\n ldap_connection:\n - ldap_name: 'Simplest LDAP config'\n ldap_protocol: 'ldaps'\n ldap_hostname: 'annuaire.mycompany.com'\n ldap_search_base: 'dc=mycompany,dc=net'\n ldap_port: 636\n ldap_use_trust_store: false\n ldap_user_id_attribute: 'uid'\n ldap_user_real_name_attribute: 'cn'\n ldap_user_email_attribute: 'mail'\n ldap_user_object_class: 'inetOrgPerson'\n```\n\nExample LDAP config for simple authentication (using a DSA account) :\n\n```yaml\n nexus_ldap_realm: true\n ldap_connections:\n - ldap_name: 'LDAP config with DSA'\n ldap_protocol: 'ldaps'\n ldap_hostname: 'annuaire.mycompany.com'\n ldap_port: 636\n ldap_use_trust_store: false\n ldap_auth: 'simple'\n ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'\n ldap_auth_password: \"{{ vault_ldap_dsa_password }}\" # better keep passwords in an ansible vault\n ldap_search_base: 'dc=mycompany,dc=net'\n ldap_user_base_dn: 'ou=users'\n ldap_user_object_class: 'inetOrgPerson'\n ldap_user_id_attribute: 'uid'\n ldap_user_real_name_attribute: 'cn'\n ldap_user_email_attribute: 'mail'\n ldap_user_subtree: false\n```\n\nExample LDAP config for simple authentication (using a DSA account) + groups mapped as roles :\n\n```yaml\n nexus_ldap_realm: true\n ldap_connections\n - ldap_name: 'LDAP config with DSA'\n ldap_protocol: 'ldaps'\n ldap_hostname: 'annuaire.mycompany.com'\n ldap_port: 636\n ldap_use_trust_store: false\n ldap_auth: 'simple'\n ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'\n ldap_auth_password: \"{{ vault_ldap_dsa_password }}\" # better keep passwords in an ansible vault\n ldap_search_base: 'dc=mycompany,dc=net'\n ldap_user_base_dn: 'ou=users'\n ldap_user_object_class: 'inetOrgPerson'\n ldap_user_id_attribute: 'uid'\n ldap_user_real_name_attribute: 'cn'\n ldap_user_email_attribute: 'mail'\n ldap_map_groups_as_roles: true\n ldap_group_base_dn: 'ou=groups'\n ldap_group_object_class: 'groupOfNames'\n ldap_group_id_attribute: 'cn'\n ldap_group_member_attribute: 'member'\n ldap_group_member_format: 'uid=${username},ou=users,dc=mycompany,dc=net'\n ldap_group_subtree: false\n```\n\nExample LDAP config for simple authentication (using a DSA account) + groups mapped as roles dynamically :\n\n```yaml\n nexus_ldap_realm: true\n ldap_connections:\n - ldap_name: 'LDAP config with DSA'\n ldap_protocol: 'ldaps'\n ldap_hostname: 'annuaire.mycompany.com'\n ldap_port: 636\n ldap_use_trust_store: false\n ldap_auth: 'simple'\n ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net'\n ldap_auth_password: \"{{ vault_ldap_dsa_password }}\" # better keep passwords in an ansible vault\n ldap_search_base: 'dc=mycompany,dc=net'\n ldap_user_base_dn: 'ou=users'\n ldap_user_object_class: 'inetOrgPerson'\n ldap_user_id_attribute: 'uid'\n ldap_user_real_name_attribute: 'cn'\n ldap_user_email_attribute: 'mail'\n ldap_map_groups_as_roles: true\n ldap_map_groups_as_roles_type: 'dynamic'\n ldap_user_memberof_attribute: 'memberOf'\n```\n\n@nliebelt proposed a configuration with explanations in an issue to [configure nexus for Active Directory](https://github.com/ansible-ThoTeam/nexus3-oss/issues/341)\n\n### Privileges\n```yaml\n nexus_privileges:\n - name: all-repos-read # used as key to update a privilege\n # type: \u003cone of application, repository-admin, repository-content-selector, repository-view, script or wildcard\u003e\n description: 'Read \u0026 Browse access to all repos'\n repository: '*'\n actions: # can be add, browse, create, delete, edit, read or * (all)\n - read\n - browse\n # pattern: pattern\n # domain: domain\n # script_name: name\n```\n\nList of the [privileges](https://help.sonatype.com/display/NXRM3/Privileges) to setup. Please see\ndocumentation and GUI to check out which variables should be set depending on the type of privilege.\n\nThose items are combined with the following default values :\n\n```yaml\n _nexus_privilege_defaults:\n type: repository-view\n format: maven2\n actions:\n - read\n```\n\n### Roles\n```yaml\n nexus_roles:\n - id: Developpers # can map to a LDAP group id, also used as a key to update a role\n name: developers\n description: All developers\n privileges:\n - nx-search-read\n - all-repos-read\n roles: [] # references to other role names\n```\n\nBesides creating roles, it's also possible to define a default role which will be applied to users and anonymous requests when Nexus can not find or map the according role. Default role can be defined using:\n\n```yaml\nnexus_default_role: \"developers\" # uses the 'developers' role to all users/requests without an explicitly assigned role. Default: \"\"\n```\n\nList of the [roles](https://help.sonatype.com/display/NXRM3/Roles) to setup.\n\n### Users\n```yaml\n nexus_local_users: []\n # - username: jenkins # used as key to update\n # state: present # default value if ommited, use 'absent' to remove user\n # first_name: Jenkins\n # last_name: CI\n # email: support@company.com\n # password: \"s3cr3t\"\n # roles:\n # - developers # role ID\n```\nLocal (non-LDAP) users/accounts list to create in nexus. State `absent` will remove the user if it exists\n\n```yaml\n nexus_ldap_users: []\n # - username: j.doe\n # state: present\n # roles:\n # - \"nx-admin\"\n```\nLdap users/roles mappings. State `absent` will remove roles from the existing user if already present.\nLdap users are not removed. Trying to set roles on a non existing user will result in an error.\n\n\n### Content selectors\n```yaml\n nexus_content_selectors:\n - name: docker-login\n description: Selector for docker login privilege\n search_expression: format==\"docker\" and path=~\"/v2/\"\n```\n\nFor more info on Content selector see [documentation](https://help.sonatype.com/repomanager3/configuration/repository-management#RepositoryManagement-ContentSelectors)\n\nTo use content selector add new privilege with `type: repository-content-selector` and proper `contentSelector`\n```yaml\n- name: docker-login-privilege\n type: repository-content-selector\n contentSelector: docker-login\n description: 'Login to Docker registry'\n repository: '*'\n actions:\n - read\n - browse\n```\n\n### Cleanup policies\n```yaml\nnexus_repos_cleanup_policies:\n# - name: mvn_cleanup\n# format: maven2\n# mode:\n# notes: \"\"\n# criteria:\n# lastBlobUpdated: 60\n# lastDownloaded: 120\n# preRelease: RELEASES\n# regexKey: \"foo.*\"\n```\n\nCleanup policies definitions. Can be added to repo definitions with the option `cleanup_policies`\n\n### Blobstores and repositories\n```yaml\n nexus_delete_default_repos: false\n```\n\nDelete the repositories from the nexus install initial default configuration. This step is only executed on first-time install (when `nexus_data_dir` has been detected empty).\n\n```yaml\n nexus_delete_default_blobstore: false\n```\n\nDelete the default blobstore from the nexus install initial default configuration. This can be done only if `nexus_delete_default_repos: true` and all configured repositories (see below) have an explicit `blob_store: custom`. This step is only executed on first-time install (when `nexus_data_dir` has been detected empty).\n\n```yaml\n nexus_blobstores: []\n # example blobstore item :\n # - name: separate-storage\n # type: file\n # path: /mnt/custom/path\n # - name: s3-blobstore\n # type: S3\n # config:\n # bucket: s3-blobstore\n # accessKeyId: \"{{ VAULT_ENCRYPTED_KEY_ID }}\"\n # secretAccessKey: \"{{ VAULT_ENCRYPTED_ACCESS_KEY }}\"\n```\n\n[Blobstores](https://help.sonatype.com/display/NXRM3/Repository+Management#RepositoryManagement-BlobStores) to create. A blobstore path and a repository blobstore cannot be updated after initial creation (any update here will be ignored on re-provisionning).\n\nConfiguring blobstore on S3 is provided as a convenience and is not part of the automated tests we run on travis. Please note that storing on S3 is only recommended for instances deployed on AWS.\n\n```yaml\n nexus_repos_maven_proxy:\n - name: central\n remote_url: 'https://repo1.maven.org/maven2/'\n layout_policy: permissive\n # cleanup_policies:\n # - mvn_cleanup\n # maximum_component_age: -1\n # maximum_metadata_age: 1440\n # negative_cache_enabled: true\n # negative_cache_ttl: 1440\n # Content disposition is only supported for raw and maven2 proxies and can be set to attachment or inline. Inline is Nexus default, even when the property is not set explicitly.\n # content_disposition: inline\n - name: jboss\n remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'\n # cleanup_policies:\n # - mvn_cleanup\n # maximum_component_age: -1\n # maximum_metadata_age: 1440\n # negative_cache_enabled: true\n # negative_cache_ttl: 1440\n # Content disposition is only supported for raw and maven2 proxies and can be set to attachment or inline. Inline is Nexus default, even when the property is not set explicitly.\n # content_disposition: inline\n # example with a login/password :\n # - name: secret-remote-repo\n # remote_url: 'https://company.com/repo/secure/private/go/away'\n # remote_username: 'username'\n # remote_password: 'secret'\n # # maximum_component_age: -1\n # # maximum_metadata_age: 1440\n # # negative_cache_enabled: true\n # # negative_cache_ttl: 1440\n # Content disposition is only supported for raw and maven2 proxies and can be set to attachment or inline. Inline is Nexus default, even when the property is not set explicitly.\n # To set HTTP request settings:\n # # enable_circular_redirects: true\n # # enable_cookies: true\n```\n\nMaven [proxy repositories](https://help.sonatype.com/display/NXRM3/Repository+Management#RepositoryManagement-ProxyRepository) configuration.\n\n```yaml\n nexus_repos_maven_hosted:\n - name: private-release\n version_policy: release\n write_policy: allow_once # one of \"allow\", \"allow_once\" or \"deny\"\n # cleanup_policies:\n # - mvn_cleanup\n```\n\nMaven [hosted repositories](https://help.sonatype.com/display/NXRM3/Repository+Management#RepositoryManagement-HostedRepository) configuration. Negative cache config is optionnal and will default to the above values if omitted.\n\n```yaml\n nexus_repos_maven_group:\n - name: public\n member_repos:\n - central\n - jboss\n```\n\nMaven [group repositories](https://help.sonatype.com/display/NXRM3/Repository+Management#RepositoryManagement-RepositoryGroup) configuration.\n\nAll three repository types are combined with the following default values :\n\n```yaml\n _nexus_repos_maven_defaults:\n blob_store: default # Note : cannot be updated once the repo has been created\n strict_content_validation: true\n version_policy: release # release, snapshot or mixed\n layout_policy: strict # strict or permissive\n write_policy: allow_once # one of \"allow\", \"allow_once\" or \"deny\"\n maximum_component_age: -1 # Nexus gui default. For proxies only\n maximum_metadata_age: 1440 # Nexus gui default. For proxies only\n negative_cache_enabled: true # Nexus gui default. For proxies only\n negative_cache_ttl: 1440 # Nexus gui default. For proxies only\n```\n\nDocker repositories\n\n```yaml\nnexus_repos_docker_group:\n - name: some-docker-group\n sub_domain: hub-proxy # When set this will expose a subdomain url e.g: https://hub-proxy.your-nexus-instance.com\n writable_member_repo: docker-hosted-repo\n blob_store: docker-blob\n v1_enabled: False\n member_repos:\n - docker-hosted-repo\n```\n\n```yaml\nnexus_repos_docker_hosted:\n - name: some-docker-repo\n blob_store: docker-blob\n v1_enabled: false\n write_policy: allow_once # Values: \"allow\", \"allow_once\" or \"deny\"\n # When set, it will ignore the defined write_policy and allows to redeploy container images with the tag 'latest' only.\n allow_redeploy_latest: true\n```\n\nMaven, Pypi, Docker, Raw, Rubygems, Bower, NPM, Git-LFS, yum, apt, helm, r, p2, conda and go repository types:\nsee `defaults/main.yml` for these options. For historical reasons and to keep backward compatibility,\nmaven is configured by default\n\n```yaml\n nexus_config_maven: true\n nexus_config_pypi: false\n nexus_config_docker: false\n nexus_config_raw: false\n nexus_config_rubygems: false\n nexus_config_bower: false\n nexus_config_npm: false\n nexus_config_gitlfs: false\n nexus_config_yum: false\n nexus_config_apt: false\n nexus_config_helm: false\n nexus_config_r: false\n nexus_config_p2: false\n nexus_config_conda: false\n nexus_config_go: false\n```\n\nThese are all false unless you override them from playbook / group_var / cli, these all utilize the same mechanism as maven.\n\nNote that you might need to enable certain security realms if you want to use other repository types than maven. These are\nfalse by default\n\n```yaml\nnexus_nuget_api_key_realm: false\nnexus_npm_bearer_token_realm: false\nnexus_docker_bearer_token_realm: false # required for docker anonymous access\n```\n\nThe Remote User Realm can also be enabled with\n\n```yaml\nnexus_rut_auth_realm: true\n```\n\nand the header can be configured by defining\n\n```yaml\nnexus_rut_auth_header: \"CUSTOM_HEADER\"\n```\n\n### Scheduled tasks\n\nThese are quick examples and instruction to setup scheduled tasks. For in depth information on available tasks types\nand schedule types, please refer to [the specific section in the repo wiki](https://github.com/ansible-ThoTeam/nexus3-oss/wiki/Scheduled-tasks-configuration)\n\n```yaml\n nexus_scheduled_tasks: []\n # # Example task to compact blobstore :\n # - name: compact-docker-blobstore\n # cron: '0 0 22 * * ?'\n # typeId: blobstore.compact\n # task_alert_email: alerts@example.org # optional\n # taskProperties:\n # blobstoreName: {{ nexus_blob_names.docker.blob }} # all task attributes are stored as strings by nexus internally\n # # Example task to purge maven snapshots\n # - name: Purge-maven-snapshots\n # cron: '0 50 23 * * ?'\n # typeId: repository.maven.remove-snapshots\n # task_alert_email: alerts@example.org # optional\n # taskProperties:\n # repositoryName: \"*\" # * for all repos. Change to a repository name if you only want a specific one\n # minimumRetained: \"2\"\n # snapshotRetentionDays: \"2\"\n # gracePeriodInDays: \"2\"\n # booleanTaskProperties:\n # removeIfReleased: true\n # # Example task to purge unused docker manifest and images\n # - name: Purge unused docker manifests and images\n # cron: '0 55 23 * * ?'\n # typeId: \"repository.docker.gc\"\n # task_alert_email: alerts@example.org # optional\n # taskProperties:\n # repositoryName: \"*\" # * for all repos. Change to a repository name if you only want a specific one\n # # Example task to purge incomplete docker uploads\n # - name: Purge incomplete docker uploads\n # cron: '0 0 0 * * ?'\n # typeId: \"repository.docker.upload-purge\"\n # task_alert_email: alerts@example.org # optional\n # taskProperties:\n # age: \"24\"\n```\n\n[Scheduled tasks](https://help.sonatype.com/display/NXRM3/System+Configuration#SystemConfiguration-ConfiguringandExecutingTasks) to setup. `typeId` and task-specific `taskProperties`/`booleanTaskProperties` can be guessed either:\n* from the java type hierarchy of `org.sonatype.nexus.scheduling.TaskDescriptorSupport`\n* by inspecting the task creation html form in your browser\n* from peeking at the browser AJAX requests while manually configuring a task.\n\n**Task properties must be declared in the correct yaml block depending on their type**:\n* `taskProperties` for all string properties (i.e. repository names, blobstore names, time periods...).\n* `booleanTaskProperties` for all boolean properties (i.e. mainly checkboxes in nexus create task GUI).\n\n\n### Backups\n```yaml\n nexus_backup_configure: false\n nexus_backup_schedule_type: cron\n nexus_backup_cron: '0 0 21 * * ?' # See cron expressions definition in nexus create task gui\n # nexus_backup_start_date_time: \"yyyy-MM-dd'T'HH:mm:ss\"\n # nexus_backup_weekly_days: ['MON', 'TUE', 'WED', 'THU', 'FRI', 'SAT']\n # nexus_backup_monthly_days: {{ range(1,32) | list + [999] }}\n nexus_backup_dir: '/var/nexus-backup'\n nexus_backup_dir_create: true\n nexus_restore_log: '{{ nexus_backup_dir }}/nexus-restore.log'\n nexus_backup_rotate: false\n nexus_backup_rotate_first: false\n nexus_backup_keep_rotations: 4 # Keep 4 backup rotation by default (current + last 3)\n```\n\nBackup will not be configured unless you switch `nexus_backup_configure: true`.\nIn this case, a script task will be configured in nexus.\n\nThe script task schedule will be set as `cron` by default and runs every day at 21:00. You can define whatever\nschedule you like by setting accordingly the variables `nexus_backup_schedule_type`, `nexus_backup_cron`,\n`nexus_backup_start_date_time`, `nexus_backup_weekly_days` and `nexus_backup_monthly_days`. To understand\ntheir usage depending on the type of schedule you choose, please see [Scheduled tasks](#scheduled-tasks)\n\nSee [the groovy template for this task](templates/backup.groovy.j2) for details.\nThis scheduled task is independent from the other `nexus_scheduled_tasks` you\ndeclare in your playbook\n\nIf you want to rotate backups, set `nexus_backup_rotate: true` and adjust\nthe number of rotations you would like to keep with `nexus_backup_keep_rotations`\n(defaults to 4).\n\nWhen using rotation, if you want to save extra disk space during the backup process,\nyou can set `nexus_backup_rotate_first: true`. This will configure a pre-rotation\nrather than the default post-rotation. Please note than in this case, old backup(s)\nis/are removed before the current one is done and successful.\n\nIf you want to backup to a mounted directory (like s3fs), you can set the `nexus_backup_dir_create` to false.\n\n#### Restore procedure\nRun your playbook with parameter `-e nexus_restore_point=\u003cYYYY-MM-dd-HH-mm-ss\u003e`\n(e.g. 2017-12-17-21-00-00 for 17th of December 2017 at 21h00m00s)\n\n#### Possible limitations\nBlobstore copies are made directly from nexus by the script scheduled task.\nThis has only been tested on rather small blobstores (less than 50Go) and should\nbe used with caution and tested carefully on larger installations before moving\nto production. In any case, you are free to implement your own backup scenario\noutside of this role.\n\n### Special maintenance/debug variables\n\nThese are not present in `defaults/main.yml` and are meant to be used on the command line only for maintenance/debug reasons.\n\n#### Purge nexus\n\n** Warning: this will completely erase the current data. Make sure to backup previously if needed **\n\nUse the `nexus_purge` variable if you need to restart from scratch and re-install a blank instance of nexus.\n\n```bash\nansible-playbook -i your/inventory.ini your_nexus_playbook.yml -e nexus_purge=true\n```\n\n#### Force groovy scripts registration\n\n_This one is safe and will only make the playbook run longer if it wasn't needed_\n\nFor performance sake, we use a little trick with several rsync to detect which maintenance groovy scripts need to be registered in Nexus. On some occasions (e.g. bad admin password, recovering a backup from a previous nexus instance with unregistered scripts...), this can lead to situation where the role will fail when attempting to run the needed groovy scripts.\n\nThe symptom: you get HTTP 404 errors when the role tries to run scripts like in the following example (use `-v` option for ansible playbook):\n\n```bash\nfatal: [nexus3-oss]: FAILED! =\u003e {\"changed\": false, \"connection\": \"close\", \"content\": \"\", \"date\": \"Tue, 11 Sep 2018 07:57:44 GMT\", \"msg\": \"Status code was 404 and not [200, 204]: HTTP Error 404: Not Found\", \"redirected\": false, \"server\": \"Nexus/3.13.0-01 (OSS)\", \"status\": 404, \"url\": \"http://localhost:8081/service/rest/v1/script/update_admin_password/run\", \"x_content_type_options\": \"nosniff\", \"x_siesta_faultid\": \"914acef2-f644-4bd6-9a7d-ce19255ea3dd\"}\n```\n\nIn such cases, you can force the (re-)registration of the groovy scripts with the `nexus_force_groovy_scripts_registration` variable:\n```bash\nansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_force_groovy_scripts_registration=true\n```\n\n#### Change admin password after first install\n\n```yaml\n nexus_default_admin_password: 'admin123'\n```\n**This should not be changed in your playbook**. This var is filled with the default nexus admin password on first install and ensures we can change the admin password to `nexus_admin_password`.\n\nIf you want to change your admin password after first install, you can temporarily change this to your old password from the command line. After changing `nexus_admin_password` in your playbook, you can run:\n\n```bash\nansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_default_admin_password=oldPassword\n```\n\n#### Upgrade nexus to latest version\n\n```yaml\n nexus_upgrade: true\n```\n**This variable has no effect if `nexus_version` is fixed in your vars**\n\nUnless you set this variable, the role will keep the current installed nexus version when running against\nan already provisioned host. Passing this extra var will trigger automatic latest nexus version detection and upgrade\nif a newer version is available.\n\n**Setting this var as part of your playbook breaks idempotence** (i.e. your playbook will make changes to your system\nif a new version is available although no parameters have changed)\n\nWe strongly suggest to use this variable only as an extra var to ansible-playbook call\n```bash\nansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_upgrade=true\n```\n\n##### Fix upgrade failing on timeout waiting for nexus port\nIf you have a large nexus repository, you may occasionally see an error message when upgrading\n```\nRUNNING HANDLER [nexus3-oss : wait-for-nexus-port] *************\nfatal: [nexushost]: FAILED! =\u003e {\"changed\": false, \"elapsed\": 300, \"msg\": \"Timeout when waiting for 127.0.0.1:8081\"}\n```\nThis is most likely because the nexus upgrade process (i.e. migrating internal orientdb) is taking longer than\nthe default 300 seconds. You can overcome this situation by setting a custom timeout in seconds to or/and a number of retries\nfor the handler task.\n```\nansible-playbook -i your/inventory.ini your_playbook.yml \\\n-e nexus_upgrade=true \\\n-e nexus_wait_for_port_timeout=600\n-e nexus_wait_for_port_retries=2\n```\n\n#### Skip provisionning tasks\n```yaml\n nexus_run_provisionning: false\n```\nThis var is unset by default and will default to `true`. Setting it to `false` will cause the role to skip all of the\nprovisionning tasks and will therefore *not create/update*:\n* ldap configurations\n* content selectors\n* privileges\n* roles\n* users (except checking/updating admin password)\n* blobstores\n* repositories\n* tasks (backup will still be configured if enabled)\n\nThis can save time if you have lots of configured repositories/users/roles... and you want to play the role\nto simply check nexus is correctly installed, or restore a backup, or upgrade nexus version.\n\nWe strongly suggest to use this variable only as an extra var to ansible-playbook call\n```bash\nansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_run_provisionning=false\n```\n\n#### Force recursive ownership check of blobstores directories\n_Introduced in version 2.4.9_\n```yaml\n nexus_blobstores_recurse_owner: true\n```\nIn versions prior to 2.4.9, the task creating the blobstores directories was recursively checking the ownership\nof all files. This was not a problem on creation (where dir is empty) or with installations with small\nblobstores, but could lead to extremely long delays for large blobstores with lots of files.\n\nRecursive checking of ownership has been turned off by default to prevent this extra delay. If for some\nreason you need to make sure all files in the blobstore directories are owned by the nexus user, you can\nforce the check:\n```bash\nansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_blobstores_recurse_owner=true\n```\n\n## Dependencies\n\nThe java and httpd requirements /can/ be fulfilled with the following galaxy roles :\n - [geerlingguy.java](https://galaxy.ansible.com/geerlingguy/java/)\n - [geerlingguy.apache](https://galaxy.ansible.com/geerlingguy/apache/)\n\nFeel free to use them or implement your own install scenario at your convenience.\n\n## Example Playbook\n\n```yaml\n\n---\n- name: Nexus\n hosts: nexus\n become: yes\n\n vars:\n nexus_timezone: 'Canada/Eastern'\n nexus_admin_password: \"{{ vault_nexus_admin_password }}\"\n nexus_public_hostname: 'nexus.vm'\n httpd_setup_enable: true\n httpd_ssl_certificate_file: \"{{ vault_httpd_ssl_certificate_file }}\"\n httpd_ssl_certificate_key_file: \"{{ vault_httpd_ssl_certificate_key_file }}\"\n ldap_connections:\n - ldap_name: 'Company LDAP'\n ldap_protocol: 'ldaps'\n ldap_hostname: 'ldap.company.com'\n ldap_port: 636\n ldap_search_base: 'dc=company,dc=net'\n ldap_user_base_dn: 'ou=users'\n ldap_user_object_class: 'inetOrgPerson'\n ldap_user_id_attribute: 'uid'\n ldap_user_real_name_attribute: 'cn'\n ldap_user_email_attribute: 'mail'\n ldap_group_base_dn: 'ou=groups'\n ldap_group_object_class: 'posixGroup'\n ldap_group_id_attribute: 'cn'\n ldap_group_member_attribute: 'memberUid'\n ldap_group_member_format: '${username}'\n nexus_privileges:\n - name: all-repos-read\n description: 'Read \u0026 Browse access to all repos'\n repository: '*'\n actions:\n - read\n - browse\n - name: company-project-deploy\n description: 'Deployments to company-project'\n repository: company-project\n actions:\n - add\n - edit\n nexus_roles:\n - id: Developpers # maps to the LDAP group\n name: developers\n description: All developers\n privileges:\n - nx-search-read\n - all-repos-read\n - company-project-deploy\n roles: []\n nexus_local_users:\n - username: jenkins # used as key to update\n first_name: Jenkins\n last_name: CI\n email: support@company.com\n password: \"s3cr3t\"\n roles:\n - Developpers # role ID here\n nexus_blobstores:\n - name: company-artifacts\n path: /var/nexus/blobs/company-artifacts\n nexus_scheduled_tasks:\n - name: compact-blobstore\n cron: '0 0 22 * * ?'\n typeId: blobstore.compact\n taskProperties:\n blobstoreName: 'company-artifacts'\n nexus_repos_maven_proxy:\n - name: central\n remote_url: 'https://repo1.maven.org/maven2/'\n layout_policy: permissive\n - name: alfresco\n remote_url: 'https://artifacts.alfresco.com/nexus/content/groups/private/'\n remote_username: 'secret-username'\n remote_password: \"{{ vault_alfresco_private_password }}\"\n - name: jboss\n remote_url: 'https://repository.jboss.org/nexus/content/groups/public-jboss/'\n - name: vaadin-addons\n remote_url: 'https://maven.vaadin.com/vaadin-addons/'\n - name: jaspersoft\n remote_url: 'https://jaspersoft.artifactoryonline.com/jaspersoft/jaspersoft-repo/'\n version_policy: mixed\n nexus_repos_maven_hosted:\n - name: company-project\n version_policy: mixed\n write_policy: allow\n blob_store: company-artifacts\n nexus_repos_maven_group:\n - name: public\n member_repos:\n - central\n - jboss\n - vaadin-addons\n - jaspersoft\n nexus_repos_docker_group:\n - name: some-docker-group\n sub_domain: hub-proxy\n writable_member_repo: docker-hosted-repo\n blob_store: docker-blob\n v1_enabled: False\n member_repos:\n - docker-hosted-repo\n nexus_repos_npm_proxy:\n - name: npm-proxy-name\n blob_store: company-artifacts\n blocked: false # Default is false\n auto_block: true # Default is true\n connection_timeout: 200 # Default is unset\n connection_retries: 5 # Default is unset\n user_agent_suffix: custom-agent # Default is unset\n remote_url: https://some-private-registry.dev/\n remote_username: 'secret-username'\n remote_password: \"{{ vault_alfresco_secret_password }}\"\n # You can use a Preemptive Bearer Token as well by defining the bearerToken property\n # bearerToken: \"{{ vault_alfresco_secret_bearertoken }}\"\n\n roles:\n\n\n - { role: geerlingguy.java, vars: See role doc for your distribution/version }\n # Debian/Ubuntu only\n # - { role: geerlingguy.apache, apache_create_vhosts: no, apache_mods_enabled: [\"proxy.load\", \"proxy_http.load\", \"headers.load\", \"ssl.load\", \"rewrite.load\"], apache_remove_default_vhost: true, tags: [\"geerlingguy.apache\"] }\n # RedHat/CentOS only\n - { role: geerlingguy.apache, apache_create_vhosts: no, apache_remove_default_vhost: true, tags: [\"geerlingguy.apache\"] }\n - { role: ansible-thoteam.nexus3-oss, tags: ['ansible-thoteam.nexus3-oss'] }\n```\n\n## Development, Contribution and Testing\n\n### Contributions\n\nAll contributions to this role are welcome, either for bugfixes, new features or documentation.\n\nIf you wish to contribute:\n- Fork the repo under your own name/organisation through github interface\n- Create a branch in your own repo with a meaningfull name. We suggest the following naming convention:\n - `feat/\u003csomeFeature\u003e` for features\n - `fix/\u003csomeBugFix\u003e` for bug fixes\n - `docfix/\u003csomeDocFix\u003e` for documentation only fixes\n- If starting an important feature change, open a pull request early describing what you want to do so we can discuss it if needed. This will prevent you from doing a lot of hard work on a lot of code for changes that we cannot finally merge.\n- If there are build error on your pull request, have a look at the travis log and fix the relevant errors.\n\nMoreover, if you have time to devote for code review, merge for realeases, etc... drop an email to contact@thoteam.com to get in touch.\n\n\n### Testing\n\nThis role includes tests and CI integration through travis. At time being, we test:\n* groovy scripts syntax\n* yaml syntax and coding standard (yamllint)\n* ansible good practices (ansible lint)\n* a set of basic deployments on 2 different linux platforms\n * Rockylinux 9 (as a close parent of RHEL products since centos is deprecated)\n * Debian 12 Bookworm\n\nOther tests are available for older/different platforms but not played on CI for performance reasons:\n* Rockylinux 8\n* Debian 11 bullseye\n* Ubuntu 20.04 Focal\n* Ubuntu 22.04 Jammy\n\n\n#### Groovy syntax\n\nThis role contains a set of groovy files used to provision nexus.\n\nIf you submit changes to groovy files, please run the groovy syntax check locally before pushing your changes\n```bash\n./tests/test_groovySyntax.sh\n```\nThis will ensure you push groovy files with correct syntax limiting the number of check errors on travis.\n\nYou will need the groovy package installed locally to run this test.\n\n#### Molecule default-xxxx scenarii\n\nThe role is tested on travis with [molecule](https://pypi.python.org/pypi/molecule). You can run these tests locally. The best way to achieve this is through a python virtualenv. You can find some more details in [requirements.txt](requirements.txt).\n```bash\n# Note: the following path should be outside the working dir\nvirtualenv /path/to/some/pyenv\n. /path/to/some/pyenv/bin/activate\npip install -r requirements.txt\nmolecule [create|converge|destroy|test] -s \u003cscenario name\u003e\ndeactivate\n```\nPlease have a look at molecule documentation (a good start is `molecule --help`) for further usage.\n\nThe current proposed scenarii refer to the tested platforms (see `molecule/` directory). If you launch a scenario\nand leave the container running (i.e. using `converge` for a simple deploy), you can access the running instance\nfrom your browser at https://localhost:\u003clinkedPort\u003e. See the `molecule/\u003cscenario\u003e/molecule.yml` file for detail.\nAs a convenience, here is the correspondence between scenarii and configured ports:\n* default-rockylinux8 =\u003e https://localhost:8090\n* default-rockylinux9 =\u003e https://localhost:8091\n* efault-debian_bullseye =\u003e https://localhost:8092\n* default-debian_bookworm =\u003e https://localhost:8093\n* default-ubuntu_20.04 =\u003e https://localhost:8094\n* default-ubuntu_22.04 =\u003e https://localhost:8095\n\nTo speed up tests, molecule uses prebuilt docker hub images.\n* Git repo: https://github.com/docker-ThoTeam/molecule_apache_openjdk8\n* Docker hub registry: https://hub.docker.com/repository/docker/thoteam/molecule_apache_openjdk8\n\nNote that these images are built and pushed on a best effort basis whenever required for changes on this repo\n\n## License\n\nGNU GPLv3\n\n## Author Information\n\nSee: https://github.com/ansible-ThoTeam\n\n\n[Lionel Lecha]: https://www.linkedin.com/in/lionellecha/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansible-thoteam%2Fnexus3-oss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fansible-thoteam%2Fnexus3-oss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fansible-thoteam%2Fnexus3-oss/lists"}