A package for configuring Sonatype Nexus Repository Manager OSS to only allow selected packages to be installed from proxy repositories.
Supports creating CRAN and PyPI proxies which allow either all, or only named packages.
A Dockerfile and example docker compose configuration demonstrate how to use the script in conjunction with a Nexus OSS container.
Check and, if you would like, change the following environment variables for the Nexus Allowlist container in `docker-compose.yaml`.
| Environment variable | Meaning |
|---|---|
| `NEXUS_ADMIN_PASSWORD` | Password for the Nexus OSS admin user (changed from the default on first run, then used for authentication) |
| `NEXUS_PACKAGES` | Whether to allow all packages or only selected packages [`all`, `selected`] |
| `NEXUS_HOST` | Hostname of the Nexus OSS host |
| `NEXUS_PORT` | Port of Nexus OSS |
| `NEXUS_PATH` | Context path of Nexus OSS. Only used if Nexus is hosted behind a reverse proxy with a URL like `https://your_url.domain/nexus/`. If not defined, the base URI remains `/`. |
| `ENTR_FALLBACK` | If defined, don't use `entr` to check for allowlist updates (this is less reactive, but we have found `entr` not to work in some situations) |
Example allowlist files are included in the repository for PyPI, CRAN and APT. The PyPI allowlist includes numpy, pandas, matplotlib and their dependencies. The CRAN allowlist includes cli and data.table. You can add more packages by writing the package names, one per line, in the allowlist files.
Start the Nexus and Nexus Allowlist containers using docker compose:

```shell
docker compose up -d
```

You can monitor the Nexus Allowlist container instance:

```shell
docker compose logs -f allowlist
```
The container command

- Ensures that the allowlist files `/allowlists/pypi.allowlist` and `/allowlists/cran.allowlist` exist
- Waits for Nexus OSS to be available at `NEXUS_HOST:NEXUS_PORT`
- If the Nexus OSS initial password file is present (at `/nexus-data/admin.password`), changes the admin password to `NEXUS_ADMIN_PASSWORD`
- Runs initial configuration (creates a role, repositories, content selectors, etc.)
- Reruns the content selector configuration (which enforces the allowlists) every time either of the allowlist files is modified
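To make the enforcement step concrete, here is an added illustration (not the project's own script) of how a per-package allowlist is applied to proxy requests: it reads allowlist files in the one-name-per-line format described above, normalises PyPI names as pip does (PEP 503), and decides whether a request path should be served. The request path shapes, the comment handling in allowlist files and the sample allowlists are assumptions made for this example.

```python
import re

# Constructed sample allowlists in the one-package-per-line format.
# Blank lines and '#' comments being ignored is an assumption of this example.
PYPI_ALLOWLIST = """
numpy
pandas
Python_Dateutil   # mixed case and underscore on purpose
"""
CRAN_ALLOWLIST = """
cli
data.table
"""

def normalize_pypi(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'.
    Without this, 'Python_Dateutil' in the allowlist would never match the
    'python-dateutil' that pip actually requests."""
    return re.sub(r"[-_.]+", "-", name).lower()

def load_allowlist(text: str, normalise=lambda n: n) -> set[str]:
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(normalise(line))
    return names

# Assumed request path shapes for the two proxy repositories.
PYPI_RE = re.compile(r"^/repository/pypi-proxy/(?:simple|packages)/([^/]+)/")
CRAN_PKG_RE = re.compile(
    r"^/repository/cran-proxy/src/contrib/(?:\d+\.\d+/)?([A-Za-z0-9.]+)_[^/]+\.(?:tar\.gz|zip)$")
CRAN_INDEX_RE = re.compile(
    r"^/repository/cran-proxy/src/contrib/(?:\d+\.\d+/)?PACKAGES(?:\.gz|\.rds)?$")

def is_allowed(path: str, pypi_allowed: set[str], cran_allowed: set[str]) -> bool:
    """Return True if the request path is for an allowlisted package (or an index)."""
    m = PYPI_RE.match(path)
    if m:
        return normalize_pypi(m.group(1)) in pypi_allowed
    if CRAN_INDEX_RE.match(path):
        return True  # the PACKAGES index must be readable for install.packages() to resolve names
    m = CRAN_PKG_RE.match(path)
    if m:
        return m.group(1) in cran_allowed
    return False  # default deny: anything unrecognised is blocked
```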
Caddy acts as a reverse proxy, passing requests to the Nexus OSS server. The configuration file replaces 401 responses from Nexus OSS with 403 so that pip does not prompt a user for authentication when attempting to install a blocked package.
You can edit `~/.config/pip/pip.conf` to use the Nexus PyPI proxy. To apply globally, edit `/etc/pip.conf`. For example:

```ini
[global]
index = http://localhost:8080/repository/pypi-proxy/pypi
index-url = http://localhost:8080/repository/pypi-proxy/simple
```
You should now only be able to install packages from the allowlist. For example,

- `pip install numpy` should succeed
- `pip install mkdocs` should fail
You can edit `~/.Rprofile` to use the Nexus CRAN proxy. To apply globally, edit `/etc/R/Rprofile.site`. For example:

```r
local({
  r <- getOption("repos")
  r["CRAN"] <- "http://localhost:8080/repository/cran-proxy"
  options(repos=r)
})
```
You should now only be able to install packages from the allowlist. For example,

- `install.packages("data.table")` should succeed
- `install.packages("ggplot2")` should fail
You can edit `/etc/apt/sources.list` to use the Nexus APT proxy. For example:

```
deb http://localhost:8080/repository/apt-proxy bookworm main
```

You should now only be able to install packages from the allowlist. For example,

- `sudo apt install libcurl4-openssl-dev` should succeed
- `sudo apt install tcpdump` should fail
Thanks goes to these wonderful people (emoji key):

- Jim Madge 🐛 💻 📖 🤔 🚇 👀
- Matt Craddock 🐛 💻 🚇
- James Robinson 🐛 💻 👀
- Jbaudon 💻 📖 🤔
This project follows the all-contributors specification. Contributions of any kind welcome!