nexus-casc-terraform-example/test/default-nexus.yml


---
# Core settings: base URL, User-Agent suffix and outbound HTTP connection
# behaviour.
core:
  # Placeholder with an empty default; presumably resolved from the BASE_URL
  # environment variable by the plugin's interpolator - confirm.
  baseUrl: ${BASE_URL:""}
  userAgentCustomization: "CasC test"
  connectionTimeout: 60
  connectionRetryAttempts: 10
  # Optional outbound proxy settings, disabled here. The proxy password is a
  # ${PROXY_PASSWORD} placeholder rather than a literal, so enabling the block
  # does not put a credential into this file.
  #  httpProxy:
  #    host: proxy.internal.lan
  #    port: 3128
  #    username: nexus-user
  #    password: ${PROXY_PASSWORD}
  #  httpsProxy:
  #    host: proxy.internal.lan
  #    port: 3128
  #    username: nexus-user
  #    password: ${PROXY_PASSWORD}
  #    ntlmHost: dc.internal.lan
  #    ntlmDomain: internal.lan
  #  nonProxyHosts:
  #    - host1.internal.lan
  #    - host2.internal.lan
# Both capabilities declared here are switched off. The type names suggest
# Nexus's analytics and outreach (vendor-hosted content) features - confirm
# against the product documentation.
capabilities:
  - type: analytics-configuration
    enabled: false
  - type: OutreachManagementCapability
    enabled: false
# Access control: anonymous-access switch, authentication realms, custom
# privileges, roles and local users.
security:
  # With anonymous access on, unauthenticated requests are limited only by the
  # roles given to the `anonymous` user declared under `users` below.
  anonymousAccess: true
  # presumably deletes local users that are not declared in this file -
  # confirm against the plugin documentation before applying this to an
  # existing instance.
  pruneUsers: true
  # Token and API-key realms switched on for Docker, npm and NuGet clients.
  realms:
    - name: "DockerToken"
      enabled: true
    - name: "NpmToken"
      enabled: true
    - name: "NuGetApiKey"
      enabled: true
  privileges:
    # Repository-admin privilege scoped to docker-proxy (read,update). No role
    # in this file lists it, so as written it is defined but not granted.
    - id: system-repository-admin-docker-docker-proxy-update
      enabled: true
      name: system-repository-admin-docker-docker-proxy-update
      description: Permit update to docker-proxy repository configuration
      type: repository-admin
      properties:
        format: docker
        repository: docker-proxy
        actions: read,update
  roles:
    - id: ui-minimal
      enabled: true
      source: default
      name: ui-minimal
      description: "UI Minimal"
      privileges:
        - nx-healthcheck-read
        - nx-search-read
    - id: repository-read-docker-proxy
      enabled: true
      source: default
      name: repository-read-docker-proxy
      description: "Docker Anonymous Access for public proxy repository"
      privileges:
        - nx-repository-view-docker-docker-proxy-browse
        - nx-repository-view-docker-docker-proxy-read
    # Not assigned to any user in this file.
    - id: repository-read-all
      enabled: true
      source: default
      name: repository-read-all
      description: "Read All permission for repositories"
      privileges:
        # NOTE(review): nx-apikey-all sits in a role described as read-only;
        # confirm the role needs it.
        - nx-apikey-all
        - nx-repository-view-*-*-browse
        - nx-repository-view-*-*-read
    - id: repository-write-all
      enabled: true
      source: default
      name: repository-write-all
      description: "Write All permission for repositories"
      privileges:
        - nx-apikey-all
        # Wildcards over format, repository and action: this grants every
        # repository-view action on every repository, not only write.
        - nx-repository-view-*-*-*
    - id: repository-read-nodejs-dist
      enabled: true
      source: default
      name: repository-read-nodejs-dist
      description: "Read permission for NodeJS Dist repository"
      privileges:
        - nx-repository-view-raw-nodejs-dist-browse
        - nx-repository-view-raw-nodejs-dist-read
    - id: repository-read-cypress-dist
      enabled: true
      source: default
      name: repository-read-cypress-dist
      description: "Read permission for Cypress Download repository"
      privileges:
        - nx-repository-view-raw-cypress-dist-browse
        - nx-repository-view-raw-cypress-dist-read
  users:
    # The roles listed here define what unauthenticated clients can do while
    # anonymousAccess is true: the minimal UI role plus browse/read on
    # docker-proxy, nodejs-dist and cypress-dist.
    - username: anonymous
      firstName: Anonymous
      lastName: User
      password: anonymous
      updateExistingPassword: false
      email: anonymous@example.org
      roles:
        - source: "default"
          role: ui-minimal
        - source: "default"
          role: repository-read-cypress-dist
        - source: "default"
          role: repository-read-docker-proxy
        - source: "default"
          role: repository-read-nodejs-dist
    # Administrator account (nx-admin). The password is read from a file under
    # /run/secrets instead of being written here; updateExistingPassword: true
    # presumably re-applies it on every run - confirm.
    - username: johndoe
      firstName: John
      lastName: Doe
      password: "${file:/run/secrets/password_johndoe}"
      updateExistingPassword: true
      email: johndoe@example.org
      roles:
        - source: "default"
          role: nx-admin
    # NOTE(review): literal placeholder password on an account that holds
    # repository-write-all, and updateExistingPassword: false presumably
    # leaves whatever password exists untouched after creation. Outside a
    # disposable test instance, source it from a secret file the way
    # johndoe's password is.
    - username: janedoe
      firstName: Jane
      lastName: Doe
      password: changeme
      updateExistingPassword: false
      email: janedoe@example.org
      roles:
        - source: "default"
          role: ui-minimal
        - source: "default"
          role: repository-write-all
# Storage and repository layout: blob stores, cleanup policies and the
# hosted / proxy / group repositories for each package format.
repository:
  # The three prune* flags in this section presumably remove blob stores,
  # cleanup policies and repositories that exist on the server but are not
  # declared here - confirm before pointing this file at an instance that
  # already holds data.
  pruneBlobStores: true
  # One file blob store per format, each with the same space-used quota.
  blobStores:
    - name: apt
      type: File
      attributes:
        file:
          path: apt
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: docker
      type: File
      attributes:
        file:
          path: docker
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: golang
      type: File
      attributes:
        file:
          path: golang
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: maven
      type: File
      attributes:
        file:
          path: maven
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: npm
      type: File
      attributes:
        file:
          path: npm
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: nuget
      type: File
      attributes:
        file:
          path: nuget
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: raw
      type: File
      attributes:
        file:
          path: raw
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: rubygems
      type: File
      attributes:
        file:
          path: rubygems
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: pypi
      type: File
      attributes:
        file:
          path: pypi
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
    - name: yum
      type: File
      attributes:
        file:
          path: yum
        blobStoreQuotaConfig:
          quotaLimitBytes: 10240000000
          quotaType: spaceUsedQuota
  pruneCleanupPolicies: true
  # Every policy uses the same lastDownloaded criterion; 864000 would be ten
  # days if the unit is seconds - TODO confirm.
  cleanupPolicies:
    - name: cleanup-everything
      format: ALL_FORMATS
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-apt-proxy
      format: apt
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-docker-proxy
      format: docker
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-golang-proxy
      format: go
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-maven-proxy
      format: maven2
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-npm-proxy
      format: npm
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-nuget-proxy
      format: nuget
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-pypi-proxy
      format: pypi
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-raw-proxy
      format: raw
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-rubygems-proxy
      format: rubygems
      notes: ''
      criteria:
        lastDownloaded: 864000
    - name: cleanup-yum-proxy
      format: yum
      notes: ''
      criteria:
        lastDownloaded: 864000
  pruneRepositories: true
  repositories:
    # https://help.sonatype.com/repomanager3/formats/apt-repositories
    # The signing keypair and passphrase are read from files under
    # /run/secrets, so no key material is stored in this file.
    - name: apt-hosted
      online: true
      recipeName: apt-hosted
      attributes:
        apt:
          distribution: focal
        aptSigning:
          keypair: "${file:/run/secrets/gpg_key_example}"
          passphrase: "${file:/run/secrets/gpg_passphrase_example}"
        storage:
          blobStoreName: apt
          strictContentTypeValidation: true
          writePolicy: ALLOW_ONCE
        cleanup:
          policyName:
            # `None` is a plain string in YAML, not a null.
            - None
    # NOTE(review): this proxy entry also carries aptSigning and writePolicy;
    # confirm the apt-proxy recipe reads them.
    - name: apt-ubuntu
      online: true
      recipeName: apt-proxy
      attributes:
        apt:
          distribution: focal
        aptSigning:
          keypair: "${file:/run/secrets/gpg_key_example}"
          passphrase: "${file:/run/secrets/gpg_passphrase_example}"
        proxy:
          contentMaxAge: -1
          remoteUrl: https://archive.ubuntu.com/ubuntu/
          metadataMaxAge: 1440
        storage:
          blobStoreName: apt
          strictContentTypeValidation: true
          writePolicy: ALLOW_ONCE
        cleanup:
          policyName:
            - cleanup-apt-proxy
    - name: chromedriver-dist
      online: true
      recipeName: raw-proxy
      attributes:
        raw:
          contentDisposition: ATTACHMENT
        proxy:
          remoteUrl: https://chromedriver.storage.googleapis.com/
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            # presumably means the remote's certificate is checked against the
            # JVM default trust store rather than the Nexus one - confirm. The
            # same setting recurs on the other proxies below.
            useTrustStore: false
        storage:
          blobStoreName: raw
          strictContentTypeValidation: true
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-raw-proxy
    # Readable by the anonymous user through repository-read-cypress-dist.
    - name: cypress-dist
      online: true
      recipeName: raw-proxy
      attributes:
        raw:
          contentDisposition: ATTACHMENT
        proxy:
          remoteUrl: https://download.cypress.io/
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: raw
          strictContentTypeValidation: true
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-raw-proxy
    # https://help.sonatype.com/repomanager3/formats/docker-registry
    - name: docker-hosted
      online: true
      recipeName: docker-hosted
      attributes:
        docker:
          forceBasicAuth: true # Do not permit anonymous access to this repository
          # NOTE(review): v1Enabled turns on the legacy Docker V1 API on all
          # three docker repositories in this file; keep it only if a client
          # still needs it.
          v1Enabled: true
          # httpPort: 8082 # Uncomment to activate
          # httpsPort: 8083 # Requires Nexus Jetty be configured to use SSL Certificates
        storage:
          blobStoreName: docker
          strictContentTypeValidation: true
          # ALLOW permits redeploying over an existing tag.
          writePolicy: ALLOW
        cleanup:
          policyName:
            - None
    # forceBasicAuth: false here, together with the anonymous user's
    # repository-read-docker-proxy role, lets unauthenticated clients pull
    # through this proxy.
    - name: docker-proxy
      online: true
      recipeName: docker-proxy
      attributes:
        docker:
          forceBasicAuth: false # Allow anonymous access
          v1Enabled: true
        proxy:
          remoteUrl: https://registry-1.docker.io
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        dockerProxy:
          indexType: HUB
          cacheForeignLayers: true
          # NOTE(review): '.*' matches every foreign-layer URL, so with
          # cacheForeignLayers on the proxy will fetch and cache layers from
          # any host an image manifest names. Narrow the pattern to the hosts
          # actually expected.
          foreignLayerUrlWhitelist:
            - '.*'
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: docker
          strictContentTypeValidation: true
        routingRules:
          routingRuleId: null
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-docker-proxy
    - name: docker
      online: true
      recipeName: docker-group
      attributes:
        docker:
          forceBasicAuth: false # Each repo uses its own setting
          v1Enabled: true
        storage:
          blobStoreName: docker
          strictContentTypeValidation: true
        group:
          memberNames:
            - "docker-hosted"
            - "docker-proxy"
    # https://help.sonatype.com/repomanager3/formats/go-repositories
    # GOPROXY should point to the _group_ repository URL
    # golang requires anonymous access for this to work
    # NOTE(review): the anonymous user in this file has no role covering the
    # golang repositories; confirm how the anonymous access mentioned above is
    # meant to be granted. forceBasicAuth / v1Enabled under `golang` look
    # carried over from the docker entries - confirm the go recipes read them.
    - name: golang-gonexus-proxy
      online: true
      recipeName: go-proxy
      attributes:
        golang:
          forceBasicAuth: false # Allow anonymous access
          v1Enabled: true
        proxy:
          remoteUrl: https://gonexus.dev
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: golang
          strictContentTypeValidation: true
        routingRules:
          routingRuleId: null
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-golang-proxy
    - name: golang-group
      online: true
      recipeName: go-group
      attributes:
        golang:
          forceBasicAuth: false # Each repo uses its own setting
          v1Enabled: true
        storage:
          blobStoreName: golang
          strictContentTypeValidation: true
        group:
          memberNames:
            - "golang-gonexus-proxy"
    # https://help.sonatype.com/repomanager3/formats/maven-repositories
    # Snapshots allow redeploy (ALLOW); releases are write-once (ALLOW_ONCE).
    - name: maven-snapshots
      online: true
      recipeName: maven2-hosted
      attributes:
        maven:
          versionPolicy: SNAPSHOT
          layoutPolicy: STRICT
        storage:
          writePolicy: ALLOW
          strictContentTypeValidation: true
          blobStoreName: maven
    - name: maven-releases
      online: true
      recipeName: maven2-hosted
      attributes:
        maven:
          versionPolicy: RELEASE
          layoutPolicy: STRICT
        storage:
          writePolicy: ALLOW_ONCE
          strictContentTypeValidation: true
          blobStoreName: maven
    - name: maven-central
      online: true
      recipeName: maven2-proxy
      attributes:
        proxy:
          contentMaxAge: -1
          remoteUrl: https://repo1.maven.org/maven2/
          metadataMaxAge: 1440
        negativeCache:
          timeToLive: 1440
          enabled: true
        storage:
          # The only repository in this file that sets content-type validation
          # to false.
          strictContentTypeValidation: false
          blobStoreName: maven
        # NOTE(review): blocked/autoBlock sit under `connection` here, while
        # the other proxies in this file put them directly under `httpclient`
        # - confirm which placement the plugin reads.
        httpclient:
          connection:
            blocked: false
            autoBlock: true
        maven:
          versionPolicy: RELEASE
          layoutPolicy: PERMISSIVE
        cleanup:
          policyName:
            - cleanup-maven-proxy
    - name: maven
      online: true
      recipeName: maven2-group
      attributes:
        maven:
          versionPolicy: MIXED
        group:
          memberNames:
            - "maven-snapshots"
            - "maven-releases"
            - "maven-central"
        storage:
          blobStoreName: maven
    # https://help.sonatype.com/repomanager3/formats/npm-registry
    - name: npm-hosted
      online: true
      recipeName: npm-hosted
      attributes:
        storage:
          blobStoreName: npm
          strictContentTypeValidation: true
          writePolicy: ALLOW_ONCE
        cleanup:
          policyName:
            - None
    - name: npm-proxy
      online: true
      recipeName: npm-proxy
      attributes:
        proxy:
          remoteUrl: https://registry.npmjs.org
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: npm
          strictContentTypeValidation: true
        routingRules:
          routingRuleId: null
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-npm-proxy
    # Group member order as declared: the public proxy is listed before the
    # hosted repository. NOTE(review): if member order decides which
    # repository answers for a package name, confirm this order is intended.
    - name: npm
      online: true
      recipeName: npm-group
      attributes:
        storage:
          blobStoreName: npm
          strictContentTypeValidation: true
        group:
          memberNames:
            - "npm-proxy"
            - "npm-hosted"
    # NuGet Support: https://help.sonatype.com/repomanager3/formats/nuget-repositories
    # v3 URLs must be used if v3 proxy is present
    - name: nuget-proxy
      online: true
      recipeName: nuget-proxy
      attributes:
        proxy:
          remoteUrl: https://api.nuget.org/v3/index.json
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: nuget
          strictContentTypeValidation: true
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-nuget-proxy
    - name: nuget-hosted
      online: true
      recipeName: nuget-hosted
      attributes:
        storage:
          blobStoreName: nuget
          strictContentTypeValidation: true
          writePolicy: ALLOW_ONCE
    - name: nuget
      online: true
      recipeName: nuget-group
      attributes:
        storage:
          blobStoreName: nuget
          strictContentTypeValidation: true
        group:
          memberNames:
            - "nuget-hosted"
            - "nuget-proxy"
    # https://help.sonatype.com/repomanager3/formats/pypi-repositories
    - name: pypi-proxy
      online: true
      recipeName: pypi-proxy
      attributes:
        proxy:
          remoteUrl: https://pypi.org/
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: pypi
          strictContentTypeValidation: true
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-pypi-proxy
    - name: pypi-hosted
      online: true
      recipeName: pypi-hosted
      attributes:
        storage:
          blobStoreName: pypi
          strictContentTypeValidation: true
          writePolicy: ALLOW_ONCE
    - name: pypi-group
      online: true
      recipeName: pypi-group
      attributes:
        storage:
          blobStoreName: pypi
          strictContentTypeValidation: true
        group:
          memberNames:
            - "pypi-hosted"
            - "pypi-proxy"
    # https://help.sonatype.com/repomanager3/formats/raw-repositories
    - name: raw-hosted
      online: true
      recipeName: raw-hosted
      attributes:
        storage:
          blobStoreName: raw
          strictContentTypeValidation: true
          # ALLOW permits overwriting an existing path.
          writePolicy: ALLOW
        cleanup:
          policyName:
            - None
        # How to configure proprietary component - requires Nexus firewall
        raw:
          contentDisposition: ATTACHMENT # or inline
        component:
          proprietaryComponents: true
    # Readable by the anonymous user through repository-read-nodejs-dist.
    - name: nodejs-dist
      online: true
      recipeName: raw-proxy
      attributes:
        raw:
          contentDisposition: ATTACHMENT
        proxy:
          remoteUrl: https://nodejs.org/dist/
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: raw
          strictContentTypeValidation: true
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-raw-proxy
    # https://help.sonatype.com/repomanager3/formats/rubygems-repositories
    - name: rubygems-proxy
      online: true
      recipeName: rubygems-proxy
      attributes:
        proxy:
          remoteUrl: https://rubygems.org/
          contentMaxAge: -1.0
          metadataMaxAge: 1440.0
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        storage:
          blobStoreName: rubygems
          strictContentTypeValidation: true
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        cleanup:
          policyName:
            - cleanup-rubygems-proxy
    - name: rubygems-hosted
      online: true
      recipeName: rubygems-hosted
      attributes:
        storage:
          blobStoreName: rubygems
          strictContentTypeValidation: true
          writePolicy: ALLOW_ONCE
    - name: rubygems-group
      online: true
      recipeName: rubygems-group
      attributes:
        storage:
          blobStoreName: rubygems
          strictContentTypeValidation: true
        group:
          memberNames:
            - "rubygems-hosted"
            - "rubygems-proxy"
    # https://help.sonatype.com/repomanager3/formats/yum-repositories
    # Please read the documentation around repodataDepth
    - name: yum-hosted
      online: true
      recipeName: yum-hosted
      attributes:
        yum:
          repodataDepth: 3
          deployPolicy: STRICT # PERMISSIVE for maven yum deployment
        storage:
          blobStoreName: yum
          strictContentTypeValidation: true
          writePolicy: ALLOW
        cleanup:
          policyName:
            - None
    - name: yum-centos
      online: true
      recipeName: yum-proxy
      attributes:
        yum:
          repodataDepth: 3
          deployPolicy: STRICT # PERMISSIVE for maven yum deployment
        # Signing material is read from files under /run/secrets, as for apt.
        yumSigning:
          keypair: "${file:/run/secrets/gpg_key_example}"
          passphrase: "${file:/run/secrets/gpg_passphrase_example}"
        httpclient:
          blocked: false
          autoBlock: true
          connection:
            useTrustStore: false
        negativeCache:
          enabled: true
          timeToLive: 1440.0
        proxy:
          contentMaxAge: -1
          # NOTE(review): the only remote in this file fetched over plain
          # http://. Metadata and packages from this upstream are not
          # protected in transit, so integrity rests on signature checks
          # downstream; prefer an https:// mirror.
          remoteUrl: http://mirror.centos.org/centos/
          metadataMaxAge: 1440
        storage:
          blobStoreName: yum
          strictContentTypeValidation: true
          writePolicy: ALLOW_ONCE
        cleanup:
          policyName:
            - cleanup-yum-proxy
    - name: yum-group
      online: true
      recipeName: yum-group
      attributes:
        group:
          memberNames:
            - yum-hosted
            - yum-centos
        yumSigning:
          keypair: "${file:/run/secrets/gpg_key_example}"
          passphrase: "${file:/run/secrets/gpg_passphrase_example}"
        storage:
          blobStoreName: yum
          strictContentTypeValidation: true
        cleanup:
          policyName:
            - cleanup-yum-proxy