206 lines
11 KiB
Groovy
206 lines
11 KiB
Groovy
// run this file inside the Vagrant environment with bash /vagrant/provision/execute-provision.groovy-script.sh
|
|
// see https://help.sonatype.com/display/NXRM3/REST+and+Integration+API
|
|
// see https://github.com/sonatype/nexus-book-examples/tree/nexus-3.x/scripting/nexus-script-example
|
|
|
|
import groovy.json.JsonOutput
|
|
import org.sonatype.nexus.capability.CapabilityRegistry
|
|
import org.sonatype.nexus.repository.storage.WritePolicy
|
|
import org.sonatype.nexus.security.user.UserSearchCriteria
|
|
import org.sonatype.nexus.security.authc.apikey.ApiKeyStore
|
|
import org.sonatype.nexus.security.realm.RealmManager
|
|
import org.apache.shiro.subject.SimplePrincipalCollection
|
|
import org.sonatype.nexus.scheduling.TaskScheduler
|
|
import org.sonatype.nexus.scheduling.schedule.Daily
|
|
|
|
// disable all the outreach capabilities.
|
|
capabilityRegistry = container.lookup(CapabilityRegistry.class)
|
|
capabilityRegistry.all.findAll {it.context().type().toString().startsWith("Outreach")}.each {
|
|
capabilityRegistry.disable(it.context().id())
|
|
}
|
|
// you can retrieve all capabilities with:
|
|
//return JsonOutput.toJson([
|
|
// capabilities: capabilityRegistry.all.collect {[
|
|
// id: it.context().id().toString(),
|
|
// type: it.context().type().toString(),
|
|
// enabled: it.context().enabled,
|
|
// ]}
|
|
//])
|
|
|
|
// create a raw repository backed by the default blob store.
|
|
// NB this repository can host any type of artifact, so we disable strictContentTypeValidation.
|
|
// see https://github.com/sonatype/nexus-book-examples/blob/nexus-3.x/scripting/complex-script/rawRepositories.groovy
|
|
// see https://help.sonatype.com/display/NXRM3/Raw+Repositories+and+Maven+Sites#RawRepositoriesandMavenSites-UploadingFilestoHostedRawRepositories
|
|
repository.createRawHosted("adhoc-package", "default", false, WritePolicy.ALLOW_ONCE)
|
|
|
|
|
|
// create a apt repository backed by the default blob store.
|
|
// see https://help.sonatype.com/repomanager3/formats/apt-repositories
|
|
pgpPrivateKey = new File('/vagrant/shared/apt-hosted-private.key').getText('UTF-8')
|
|
repository.createAptHosted("apt-hosted", "focal", pgpPrivateKey, "abracadabra", "default", WritePolicy.ALLOW_ONCE, true)
|
|
|
|
|
|
// create a npm repository backed by the default blob store.
|
|
repository.createNpmHosted("npm-hosted", "default", true, WritePolicy.ALLOW_ONCE)
|
|
// create a npm proxy repository backed by the default blob store.
|
|
// see https://help.sonatype.com/display/NXRM3/Node+Packaged+Modules+and+npm+Registries
|
|
repository.createNpmProxy("npmjs.org-proxy", "https://registry.npmjs.org", "default")
|
|
// create a npm group repository that merges the npm-host and npmjs.org-proxy together.
|
|
repository.createNpmGroup("npm-group", ["npm-hosted", "npmjs.org-proxy"], "default")
|
|
|
|
|
|
// modify the default nuget-hosted repository for not allowing re-deployments.
|
|
config = repository.repositoryManager.get("nuget-hosted").configuration.copy()
|
|
config.attributes.storage.writePolicy = WritePolicy.ALLOW_ONCE
|
|
repository.repositoryManager.update(config)
|
|
|
|
|
|
// create a powershell repository backed by the default blob store.
|
|
repository.createNugetHosted("powershell-hosted", "default", true, WritePolicy.ALLOW_ONCE)
|
|
// create a powershell proxy repository backed by the default blob store.
|
|
// see https://help.sonatype.com/display/NXRM3/.NET+Package+Repositories+with+NuGet
|
|
repository.createNugetProxy("powershellgallery.com-proxy", "https://www.powershellgallery.com/api/v2/", "default")
|
|
// create a powershell group repository that merges the powershell-host and powershellgallery.com-proxy together.
|
|
repository.createNugetGroup("powershell-group", ["powershell-hosted", "powershellgallery.com-proxy"], "default")
|
|
|
|
|
|
// create a chocolatey repository backed by the default blob store.
|
|
repository.createNugetHosted("chocolatey-hosted", "default", true, WritePolicy.ALLOW_ONCE)
|
|
// create a chocolatey proxy repository backed by the default blob store.
|
|
// see https://help.sonatype.com/display/NXRM3/.NET+Package+Repositories+with+NuGet
|
|
repository.createNugetProxy("chocolatey.org-proxy", "https://chocolatey.org/api/v2/", "default")
|
|
// create a chocolatey group repository that merges the chocolatey-host and chocolatey.org-proxy together.
|
|
repository.createNugetGroup("chocolatey-group", ["chocolatey-hosted", "chocolatey.org-proxy"], "default")
|
|
|
|
|
|
// create a docker registry repository backed by the default blob store.
|
|
repository.createDockerHosted("docker-hosted", 6003, null, "default", true, true, WritePolicy.ALLOW, true)
|
|
// create a docker proxy repository backed by the default blob store.
|
|
// see https://help.sonatype.com/repomanager3/formats/docker-registry
|
|
// TODO set Allow Nexus Repository Manager to download and cache foreign layers.
|
|
// NB as-of docker 19.03.5, there is still no way to specify a registry mirror credentials...
|
|
// as such, we cannot use our docker-group registry, instead we must use the docker-proxy
|
|
// registry, enable the Docker Bearer Token Realm and allow anonymous access to it.
|
|
// see https://github.com/moby/moby/issues/30880
|
|
// NB this will make https://nexus.example.com:5002/v2/library/debian/manifests/buster-slim proxy
|
|
// to https://registry-1.docker.io/v2/library/debian/manifests/buster-slim
|
|
// https://registry-1.docker.io/v2/library/golang/tags/list
|
|
repository.createDockerProxy("docker-hub-proxy", "https://registry-1.docker.io", "HUB", null, 6002, null, "default", true, true, false)
|
|
// create a docker group repository that merges the docker-hosted and docker-hub-proxy together.
|
|
repository.createDockerGroup("docker-group", 6001, null, ["docker-hosted", "docker-hub-proxy"], true, "default", true)
|
|
|
|
|
|
// see http://stackoverflow.com/questions/8138164/groovy-generate-random-string-from-given-character-set
|
|
def random(String alphabet, int n) {
|
|
new Random().with {
|
|
(1..n).collect { alphabet[nextInt(alphabet.length())] }.join()
|
|
}
|
|
}
|
|
jenkinsPassword = random((('A'..'Z')+('a'..'z')+('0'..'9')).join(), 16)
|
|
|
|
|
|
// set the base url. this is used when sending emails.
|
|
// see https://help.sonatype.com/display/NXRM3/Configuration#Configuration-BaseURLCreation
|
|
core.baseUrl("https://" + java.net.InetAddress.localHost.canonicalHostName)
|
|
|
|
|
|
// schedule a task to remove old snapshots from the maven-snapshots repository.
|
|
// see https://github.com/sonatype/nexus-public/blob/555cc59e7fa659c0a1a4fbc881bf3fcef0e9a5b6/components/nexus-scheduling/src/main/java/org/sonatype/nexus/scheduling/TaskScheduler.java
|
|
// see https://github.com/sonatype/nexus-public/blob/555cc59e7fa659c0a1a4fbc881bf3fcef0e9a5b6/plugins/nexus-coreui-plugin/src/main/java/org/sonatype/nexus/coreui/TaskComponent.groovy
|
|
taskScheduler = (TaskScheduler)container.lookup(TaskScheduler.class.name)
|
|
taskConfiguration = taskScheduler.createTaskConfigurationInstance("repository.maven.remove-snapshots")
|
|
taskConfiguration.name = "remove old snapshots from the maven-snapshots repository"
|
|
// NB to see the available properties uncomment the tasksDescriptors property from JsonOutput.toJson at the end of this script.
|
|
taskConfiguration.setString("repositoryName", "maven-snapshots")
|
|
taskConfiguration.setString("minimumRetained", "1")
|
|
taskConfiguration.setString("snapshotRetentionDays", "30")
|
|
// TODO taskConfiguration.setAlertEmail("TODO")
|
|
taskScheduler.scheduleTask(taskConfiguration, new Daily(new Date().clearTime().next()))
|
|
|
|
|
|
// NB you can list the available realms with realmManager.availableRealms.
|
|
realmManager = container.lookup(RealmManager.class.name)
|
|
// enable the NuGet API-Key Realm.
|
|
realmManager.enableRealm("NuGetApiKey")
|
|
// enable the npm Bearer Token Realm.
|
|
realmManager.enableRealm("NpmToken")
|
|
// enable the Docker Bearer Token Realm.
|
|
realmManager.enableRealm("DockerToken")
|
|
// allow Anonymous access to nexus to be able to use the docker-hub-proxy repository.
|
|
// NB this might be worked around by creating an docker-anonymous user and force its
|
|
// credentials in the nginx reverse-proxy configuration.
|
|
// see https://github.com/moby/moby/issues/30880#issuecomment-601513505
|
|
security.anonymousAccess = true
|
|
|
|
// set the admin password.
|
|
// NB we set it to something different than the default (admin123) to get
|
|
// rid of the "Default Admin Credentials" warning... and because this
|
|
// password is easier to remember.
|
|
security.securitySystem.changePassword('admin', 'admin')
|
|
|
|
// the intent is to get or create an NuGet API Key like the one we can see on the user page:
|
|
// http://nexus.example.com:8081/#user/nugetapitoken.
|
|
def getOrCreateNuGetApiKey(String userName) {
|
|
realmName = "NexusAuthenticatingRealm"
|
|
apiKeyDomain = "NuGetApiKey"
|
|
principal = new SimplePrincipalCollection(userName, realmName)
|
|
keyStore = container.lookup(ApiKeyStore.class.name)
|
|
apiKey = keyStore.getApiKey(apiKeyDomain, principal)
|
|
if (apiKey == null) {
|
|
apiKey = keyStore.createApiKey(apiKeyDomain, principal)
|
|
}
|
|
return apiKey.toString()
|
|
}
|
|
|
|
|
|
// create users in the deployer role.
|
|
// see https://github.com/sonatype/nexus-book-examples/blob/nexus-3.x/scripting/complex-script/security.groovy#L38
|
|
def addDeployerUser(firstName, lastName, email, userName, password) {
|
|
if (!security.securitySystem.listRoles().any { it.roleId == "deployer" }) {
|
|
privileges = [
|
|
"nx-search-read",
|
|
"nx-repository-view-*-*-read",
|
|
"nx-repository-view-*-*-browse",
|
|
"nx-repository-view-*-*-add",
|
|
"nx-repository-view-*-*-edit",
|
|
"nx-apikey-all"]
|
|
security.addRole("deployer", "deployer", "deployment on all repositories", privileges, [])
|
|
}
|
|
try {
|
|
user = security.securitySystem.getUser(userName);
|
|
} catch (org.sonatype.nexus.security.user.UserNotFoundException e) {
|
|
user = security.addUser(userName, firstName, lastName, email, true, password, ["deployer"])
|
|
}
|
|
nuGetApiKey = getOrCreateNuGetApiKey(userName)
|
|
}
|
|
addDeployerUser("Jenkins", "Doe", "jenkins@example.com", "jenkins", jenkinsPassword)
|
|
addDeployerUser("Alice", "Doe", "alice.doe@example.com", "alice.doe", "password")
|
|
addDeployerUser("Bob", "Doe", "bob.doe@example.com", "bob.doe", "password")
|
|
|
|
|
|
// get the jenkins NuGet API Key.
|
|
jenkinsNuGetApiKey = getOrCreateNuGetApiKey("jenkins")
|
|
|
|
realms = realmManager.configuration.realmNames
|
|
users = security.securitySystem.searchUsers(new UserSearchCriteria())
|
|
repositories = repository.repositoryManager.browse().collect { [name:it.name,type:it.type.value] }
|
|
|
|
return JsonOutput.toJson([
|
|
/*tasksDescriptors: taskScheduler.taskFactory.descriptors.collect { [
|
|
id: it.id,
|
|
name: it.name,
|
|
exposed: it.exposed,
|
|
formFields: it.formFields?.collect { [
|
|
id: it.id,
|
|
type: it.type,
|
|
label: it.label,
|
|
helpText: it.helpText,
|
|
required: it.required,
|
|
regexValidation: it.regexValidation,
|
|
initialValue: it.initialValue,
|
|
] }
|
|
] },*/
|
|
realms: realms.sort { it },
|
|
users: users.sort { it.userId },
|
|
repositories: repositories.sort { it.name },
|
|
])
|