Adding support for YUM and APT package repositories and GCP Blobstore

README.md

@@ -213,6 +213,13 @@ Delete the default blobstore from the nexus install initial default configuratio
 
 [Blobstores](https://books.sonatype.com/nexus-book/3.0/reference/admin.html#admin-repository-blobstores) to create. A blobstore path and a repository blobstore cannot be updated after initial creation (any update here will be ignored on re-provisionning).
 
+    nexus_blobstores_gcp: []
+    # example Google Bucket backed blobstore item:
+    #   - name: "gcp_blobstore"
+    #     bucket: "my-gcp-bucket-name"
+    #     credentials: "/opt/nexus-latest/system/gcloud-nexus-key.json"
+Google Cloud Platform storage bucket backed blobstore to create. Note that this requires installation of the GCP Blobstore Nexus plugin before it can be created. If you have an Ansible role to do this you can install it prior to blobstore creation by including the role in the nexus_plugins_installation_roles list.
+
     nexus_scheduled_tasks: []
     #  example task to compact blobstore :
     #  - name: compact-blobstore
@@ -264,7 +271,7 @@ All three repository types are combined with the following default values :
       write_policy: allow_once # allow_once or allow
 ```
 
-Docker, Pypi, Raw, Rubygems, Bower, NPM, and Git-LFS repository types:
+Docker, Pypi, Raw, Rubygems, Bower, NPM, Git-LFS, YUM and APT repository types:
 see `defaults/main.yml` for these options:
 
       nexus_config_pypi: false
@@ -274,6 +281,10 @@ see `defaults/main.yml` for these options:
       nexus_config_bower: false
       nexus_config_npm: false
       nexus_config_gitlfs: false
+      nexus_config_yum: false
+      nexus_config_apt: false
+
+NOTE: APT repositories require the installation of the APT repository Nexus plugin, see the Plugins section towards the end of this document.
 
 These are all false unless you override them from playbook / group_var / cli, these all utilize the same mechanism as maven.
 
@@ -393,6 +404,17 @@ The java and httpd requirements /can/ be fulfilled with the following galaxy rol
 
 ```
 
+Plugins
+-------
+Nexus plugins can be installed as part of the Nexus installation using this role by adding them into the nexus_plugins_installation_roles list. This requires that you have added Ansible roles to do the installation of the plugins. These plugins will be installed after the base Nexus installation, before the creation of blobstores, repositories, etc.
+    nexus_plugins_installation_roles:
+      - "nexus-repository-apt"
+      - "nexus-blobstore-google-cloud"
+For the Google Cloud Platform Nexus Blobstore Nexus plugin see
+https://github.com/sonatype-nexus-community/nexus-blobstore-google-cloud
+For the APT repository plugin see
+https://github.com/sonatype-nexus-community/nexus-repository-apt
+
 License
 -------
 

defaults/main.yml

@@ -85,6 +85,7 @@ nexus_config_rubygems: false
 nexus_config_bower: false
 nexus_config_npm: false
 nexus_config_gitlfs: false
+nexus_config_yum: false
 
 # also see _nexus_privilege_defaults below
 nexus_privileges:
@@ -138,7 +139,8 @@ nexus_blob_names:           # Splited blob name list @ blob_vars.yml
     blob: 'default'
   gitlfs:
     blob: 'default'
-
+  yum:
+    blob: 'default'
 
 nexus_blobstores: []
 # example blobstore item :
@@ -170,9 +172,15 @@ nexus_repos_maven_group:
       - central
       - jboss
 
+nexus_repos_yum_proxy: []
+nexus_repos_yum_hosted: []
+nexus_repos_yum_group: []
+
+nexus_repos_apt_proxy: []
+
 
 nexus_scheduled_tasks:
-  - name: db-backup # Note: CRON must be aligned to nexus-blob-backup.sh cron schedule. -> Task: "Config nexus-backup shell cron"
+  - name: db-backup 
     cron: '0 0 21 * * ?'
     typeId: db.backup
     taskProperties:
@@ -341,6 +349,15 @@ nexus_repos_npm_proxy:
     blob_store: "{{ nexus_blob_names.npm.blob }}"
     remote_url: https://registry.npmjs.org
 
+_nexus_repos_yum_defaults:
+  blob_store: "{{ nexus_blob_names.npm.blob }}"
+  strict_content_validation: true
+  write_policy: allow_once # allow_once or allow
+
+_nexus_repos_apt_defaults:
+  blob_store: "{{ nexus_blob_names.npm.blob }}"
+  strict_content_validation: true
+
 # gitlfs support
 _nexus_repos_gitlfs_defaults:
   blob_store: "{{ nexus_blob_names.gitlfs.blob }}"

files/groovy/create_blobstore_gcp.groovy

@@ -0,0 +1,24 @@
+import groovy.json.JsonSlurper
+import org.sonatype.nexus.blobstore.api.BlobStoreManager
+
+parsed_args = new JsonSlurper().parseText(args)
+
+existingBlobStore = blobStore.getBlobStoreManager().get(parsed_args.name)
+if (existingBlobStore == null) {
+
+    def blobStoreManager = container.lookup(BlobStoreManager.class.name)
+    def config = blobStoreManager.newConfiguration()
+    config.name = 'gcp'
+    config.type = 'Google Cloud Storage'
+    config.setAttributes(
+      'google cloud storage': [
+        bucket: parsed_args.bucket,
+        credential_file: parsed_args.credentials,
+        region: parsed_args.region
+      ]
+    )
+
+    blobStoreManager.create(config)
+
+}
+

files/groovy/create_repo_apt_proxy.groovy

@@ -0,0 +1,63 @@
+import groovy.json.JsonSlurper
+import org.sonatype.nexus.repository.config.Configuration
+
+parsed_args = new JsonSlurper().parseText(args)
+
+repositoryManager = repository.repositoryManager
+
+authentication = parsed_args.remote_username == null ? null : [
+        type: 'username',
+        username: parsed_args.remote_username,
+        password: parsed_args.remote_password
+]
+
+existingRepository = repositoryManager.get(parsed_args.name)
+
+if (existingRepository != null) {
+
+    newConfig = existingRepository.configuration.copy()
+    // We only update values we are allowed to change (cf. greyed out options in gui)
+    newConfig.attributes['proxy']['remoteUrl'] = parsed_args.remote_url
+    newConfig.attributes['httpclient']['authentication'] = authentication
+    newConfig.attributes['storage']['strictContentTypeValidation'] = Boolean.valueOf(parsed_args.strict_content_validation)
+
+    repositoryManager.update(newConfig)
+
+} else {
+
+    configuration = new Configuration(
+            repositoryName: parsed_args.name,
+            recipeName: 'apt-proxy',
+            online: true,
+            attributes: [
+                    apt: [
+                            distribution: parsed_args.distribution,
+                            flat: parsed_args.get('flat', false) 
+                    ],
+                    proxy  : [
+                            remoteUrl: parsed_args.remote_url,
+                            contentMaxAge: parsed_args.get('content_max_age', 1440.0),
+                            metadataMaxAge: parsed_args.get('metadata_max_age', 1440.0)
+                    ],
+                    httpclient: [
+                            blocked: false,
+                            autoBlock: true,
+                            authentication: authentication,
+                            connection: [
+                                    useTrustStore: false
+                            ]
+                    ],
+                    storage: [
+                            blobStoreName: parsed_args.blob_store,
+                            strictContentTypeValidation: Boolean.valueOf(parsed_args.strict_content_validation)
+                    ],
+                    negativeCache: [
+                            enabled: parsed_args.get("negative_cache_enabled", true),
+                            timeToLive: parsed_args.get("negative_cache_ttl", 1440.0)
+                    ]
+            ]
+    )
+
+    repositoryManager.create(configuration)
+
+}

files/groovy/create_repo_yum_group.groovy

@@ -0,0 +1,38 @@
+import groovy.json.JsonSlurper
+import org.sonatype.nexus.repository.config.Configuration
+
+parsed_args = new JsonSlurper().parseText(args)
+
+repositoryManager = repository.repositoryManager
+
+existingRepository = repositoryManager.get(parsed_args.name)
+
+if (existingRepository != null) {
+
+    newConfig = existingRepository.configuration.copy()
+    // We only update values we are allowed to change (cf. greyed out options in gui)
+    newConfig.attributes['group']['memberNames'] = parsed_args.member_repos
+    newConfig.attributes['storage']['strictContentTypeValidation'] = Boolean.valueOf(parsed_args.strict_content_validation)
+
+    repositoryManager.update(newConfig)
+
+} else {
+
+    configuration = new Configuration(
+            repositoryName: parsed_args.name,
+            recipeName: 'yum-group',
+            online: true,
+            attributes: [
+                    group  : [
+                            memberNames: parsed_args.member_repos
+                    ],
+                    storage: [
+                            blobStoreName: parsed_args.blob_store,
+                            strictContentTypeValidation: Boolean.valueOf(parsed_args.strict_content_validation)
+                    ]
+            ]
+    )
+
+    repositoryManager.create(configuration)
+
+}

files/groovy/create_repo_yum_hosted.groovy

@@ -0,0 +1,41 @@
+import groovy.json.JsonSlurper
+import org.sonatype.nexus.repository.config.Configuration
+
+parsed_args = new JsonSlurper().parseText(args)
+
+repositoryManager = repository.repositoryManager
+
+existingRepository = repositoryManager.get(parsed_args.name)
+
+if (existingRepository != null) {
+
+    newConfig = existingRepository.configuration.copy()
+    // We only update values we are allowed to change (cf. greyed out options in gui)
+    newConfig.attributes['yum']['repodataDepth'] = parsed_args.repodata_depth as Integer
+    newConfig.attributes['yum']['layoutPolicy'] = parsed_args.layout_policy.toUpperCase()
+    newConfig.attributes['storage']['writePolicy'] = parsed_args.write_policy.toUpperCase()
+    newConfig.attributes['storage']['strictContentTypeValidation'] = Boolean.valueOf(parsed_args.strict_content_validation)
+
+    repositoryManager.update(newConfig)
+
+} else {
+
+    configuration = new Configuration(
+            repositoryName: parsed_args.name,
+            recipeName: 'yum-hosted',
+            online: true,
+            attributes: [
+                    yum  : [
+                            repodataDepth : parsed_args.repodata_depth.toInteger(),
+                            layoutPolicy : parsed_args.layout_policy.toUpperCase()
+                    ],
+                    storage: [
+                            writePolicy: parsed_args.write_policy.toUpperCase(),
+                            blobStoreName: parsed_args.blob_store,
+                            strictContentTypeValidation: Boolean.valueOf(parsed_args.strict_content_validation)
+                    ]
+            ]
+    )
+
+    repositoryManager.create(configuration)
+}

files/groovy/create_repo_yum_proxy.groovy

@@ -0,0 +1,59 @@
+import groovy.json.JsonSlurper
+import org.sonatype.nexus.repository.config.Configuration
+
+parsed_args = new JsonSlurper().parseText(args)
+
+repositoryManager = repository.repositoryManager
+
+authentication = parsed_args.remote_username == null ? null : [
+        type: 'username',
+        username: parsed_args.remote_username,
+        password: parsed_args.remote_password
+]
+
+existingRepository = repositoryManager.get(parsed_args.name)
+
+if (existingRepository != null) {
+
+    newConfig = existingRepository.configuration.copy()
+    // We only update values we are allowed to change (cf. greyed out options in gui)
+    newConfig.attributes['proxy']['remoteUrl'] = parsed_args.remote_url
+    newConfig.attributes['httpclient']['authentication'] = authentication
+    newConfig.attributes['storage']['strictContentTypeValidation'] = Boolean.valueOf(parsed_args.strict_content_validation)
+
+    repositoryManager.update(newConfig)
+
+} else {
+
+    configuration = new Configuration(
+            repositoryName: parsed_args.name,
+            recipeName: 'yum-proxy',
+            online: true,
+            attributes: [
+                    proxy  : [
+                            remoteUrl: parsed_args.remote_url,
+                            contentMaxAge: parsed_args.get('content_max_age', 1440.0),
+                            metadataMaxAge: parsed_args.get('metadata_max_age', 1440.0)
+                    ],
+                    httpclient: [
+                            blocked: false,
+                            autoBlock: true,
+                            authentication: authentication,
+                            connection: [
+                                    useTrustStore: false
+                            ]
+                    ],
+                    storage: [
+                            blobStoreName: parsed_args.blob_store,
+                            strictContentTypeValidation: Boolean.valueOf(parsed_args.strict_content_validation)
+                    ],
+                    negativeCache: [
+                            enabled: parsed_args.get("negative_cache_enabled", true),
+                            timeToLive: parsed_args.get("negative_cache_ttl", 1440.0)
+                    ]
+            ]
+    )
+
+    repositoryManager.create(configuration)
+
+}

tasks/call_script.yml

@@ -1,7 +1,7 @@
 ---
 - name: Calling Groovy script {{ script_name }}
   uri:
-    url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}service/siesta/rest/v1/script/{{ script_name }}/run"
+    url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}service/rest/v1/script/{{ script_name }}/run"
     user: 'admin'
     password: "{{ current_nexus_admin_password }}"
     headers:

tasks/change_admin_password.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Check if admin password written by system
+  stat:
+    path: "{{ nexus_data_dir }}/admin.password"
+  register: password_file
+
+- name: Change the admin user password
+  uri:
+    url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}service/rest/beta/security/users/admin/change-password"
+    user: 'admin'
+    password: "{{ lookup('file', nexus_data_dir + '/admin.password') }}"
+    body: "{{ current_nexus_admin_password }}"
+    method: PUT
+    force_basic_auth: yes
+    status_code: 204,404,401
+    headers:
+      Content-Type: "text/plain"
+  when: password_file.stat is defined and password_file.stat.exists
+
+- name: Check the password
+  uri:
+    url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}service/rest/v1/script"
+    user: 'admin'
+    password: "{{ current_nexus_admin_password }}"
+    method: GET
+    force_basic_auth: yes
+    status_code: 200
+
+#If we get this far then password file no longer required, delete it
+- name: Delete admin password file
+  file:
+    path: "{{ nexus_data_dir }}/admin.password"
+    state: absent
+  when: password_file.stat is defined and password_file.stat.exists
+

tasks/create_blobstore_gcp_each.yml

@@ -0,0 +1,6 @@
+---
+
+- include: call_script.yml
+  vars:
+    script_name: create_blobstore_gcp
+    args: "{{ item }}"

tasks/create_repo_apt_proxy_each.yml

@@ -0,0 +1,5 @@
+---
+- include: call_script.yml
+  vars:
+    script_name: create_repo_apt_proxy
+    args: "{{ _nexus_repos_apt_defaults|combine(item) }}"

tasks/create_repo_yum_group_each.yml

@@ -0,0 +1,5 @@
+---
+- include: call_script.yml
+  vars:
+    script_name: create_repo_yum_group
+    args: "{{ _nexus_repos_yum_defaults|combine(item) }}"