Intial check in

README.md

@@ -0,0 +1,51 @@
+# Nexus Platform with Docker Support, behind Nginx
+
+This is a template for deploying Nexus Repository Manager and IQ Server behind an NGINX proxy to offload SSL
+
+I also add two aliases to my /etc/hosts file to match the names of the containers and simulate DNS from outside of docker host but this will setup and be accessible over http wtihout them:
+
+```
+127.0.0.1      localhost iq-server nexus iq-server.mycompany.com repo.mycompany.com registry.mycompany.com
+```
+
+## Features - 
+*Will transition in the new name soon to clean up some of the ports and make this work with docker commands. As is there is no cert in path*
+
+- Nexus Web UI with SSL accessible via https://nexus
+- Nexus Web UI over http via http://nexus:8081 or http://localhost:8081
+- Docker proxy group registry accessible via https://nexus:18443 (pull)
+- Docker Private Registry accessible via https://nexus:5000  (push)
+- IQ Server accessible via https://iq-server or http://localhost:8070
+
+## Operations
+
+To create and run the Nginx proxy, Nexus Repository Manager and IQ Servver, run:
+
+```
+./demo-setup.sh
+```
+
+To stop, use docker-compose:
+
+```
+docker-compose down
+```
+
+Subsequent runs can use docker-compose without the build for nginx or the need to create the persistent folders:
+
+```
+docker-compose up -d
+```
+
+## Ports
+
+The ports are based on my own configuration but can easily be re-aligned via the nginx conf file. If you were previously using my setup with SSL built into Nexus then the big change is to remap 18443 and 5000 to http instead of https within Nexus. I've added some provisioning scripts to remove the need for manual configuration within Nexus. 18443 maps to my Docker-proxy group and 5000 maps to my docker-hosted repo. I run nexus on 8081 (to avoid a conflict with Jenkins) which can still be hot directly for non-https connections. For now the provisioning only does Docker config items but additional examples are in place.
+
+## SSL Certificates
+
+The Ngnix docker image build process generates insecure SSL certificates with fake location information and CNAME of localhost. Understand the risks of using these SSL certificates before proceeding. A deployed solution should use a valid CA certificate.
+
+
+## Dynamic Configuration
+
+Working examples of how to provision a new blobstore and create docker repos using it are in here and part of the setup. There are also placeholders for other formats like Maven, nnpm, etc...

demo-setup.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Creates directories to be mounted to containers as volumes
+mkdir ~/iq-data ~/nexus-data
+
+# Stands up test environment and builds nginix container to put our config in
+docker-compose up -d
+
+until curl --fail --insecure http://localhost:8070; do 
+  sleep 5
+done
+
+#import license and policies to IQ server
+./iq-server/config-iq.sh
+
+#Create Docker repos and group
+cd nexus-repository
+./create.sh blobs.json
+./run.sh myBlobs
+
+./create.sh docker.json
+./run.sh Docker
+
+ ./create.sh npm.json
+ ./run.sh npm

docker-compose.yml

@@ -0,0 +1,49 @@
+# Copyright (c) 2017-present Sonatype, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: '3'
+
+services:
+  nginx-proxy:
+    build: ./nginx
+    image: sonatype_nginx-proxy:2.0
+    ports:
+      - '443:443'
+      - '5000:5000'
+      - '18443:18443'
+    links:
+      - nexus
+      - iq-server
+    command: [ nginx, '-g', 'daemon off;' ]
+
+  nexus:
+    #build: nexus
+    volumes:
+      - ~/nexus-data:/nexus-data
+    ports:
+      - "8081:8081"
+    image: sonatype/nexus3:3.11.0
+    links:
+      - iq-server
+    container_name: nexus
+
+  iq-server:
+    build: ./iq-server
+    volumes:
+      - ~/iq-data:/sonatype-work
+    ports:
+      - "8070:8070"
+      - "8071:8071"
+    image: my-iq-server:1.47.0
+    container_name: iq-server

iq-server/Dockerfile

@@ -0,0 +1,4 @@
+FROM sonatype/nexus-iq-server:1.47.0
+COPY config.yml /etc/nexus-iq-server/
+
+HEALTHCHECK CMD curl http://localhost:8071/ping

iq-server/README.md

@@ -0,0 +1,41 @@
+# Custom IQ Server Image
+
+A Dockerfile for creating a custom image based on the Official Image
+
+```
+FROM sonatype/nexus-iq-server
+COPY config.yml /opt/sonatype/iq-server/
+
+HEALTHCHECK CMD curl http://localhost:8071/ping
+```
+
+The key is make a copy of this folder so you can customize the config.yml with settings for your Demo, PoC or Test environment.
+
+I provide this build script (excuse my weak unix foo) as a portable example of the process. It is expected to be invoked with one paramer, a version number. To make it 'potable' I am using the $USER to grap your username on the computer but this can be hardcoded easily enough for non-unix system or if you simply want a different name.
+
+```
+SCRIPTNAME=${0##*/}
+
+#Update this with your dockerhub username or user with push pernmission to your private repo
+DOCKERNAME=$USER
+
+function print_usage() {
+    echo "Please provide a version number for tagging"
+    echo "$SCRIPTNAME <version>  e.g. build-iq.sh 1.41"
+}
+
+#a lot can still go wrong here but it's a start...
+if [ "$1" != "" ]; then
+    docker build -t $DOCKERNAME/demo-iq-server:$1 .
+    docker tag $DOCKERNAME/demo-iq-server:$1 $DOCKERNAME/demo-iq-server:latest
+    docker tag $DOCKERNAME/demo-iq-server:latest mycompany.com:5000/$DOCKERNAME/demo-iq-server:$1
+    docker tag $DOCKERNAME/demo-iq-server:latest mycompany.com:5000/$DOCKERNAME/demo-iq-server:latest
+else
+    print_usage 
+    exit 1
+fi
+```
+
+Seperately, I've added a push-iq script that uses the same idiom but to push your custom image to a private registry, in my casea local Nexus with a private repo listening on port 5000. The idea here is the build and publish are often seperate steps in a pipeline to allow for testing to occur. Should the image fail any testing, it wouldn't get published.
+
+Lastly, there is a docker-compose file that looks just like the one up a level but now wants to deploy your custom image.

iq-server/config-iq.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+#Note: defaults creds are baked in so this will work on a fresh instance
+nexus() {
+java -jar nexus-cli-0.2.0-SNAPSHOT-shaded.jar \
+  -s http://localhost:8070 $@
+}
+
+
+cd iq-server
+
+echo "Importing license"
+# Update this to point to your license placed in this folder
+#nexus license install <your license file>
+nexus license install -f sonatype-nexus-firewall-lifecycle-2017.lic
+
+#these policies are based on the sample set with some changes I've made and exported.
+echo "Applying policies"
+nexus policy importPolicies -f myPolicies.json
+
+#need to pop back up so we end where we started
+cd ..
+pwd