This tutorial walks through installing Sonatype Nexus Community Edition on Ubuntu with PostgreSQL, configuring permissions, setting up a reverse proxy with Nginx, and optimizing Nexus settings.

Download and Extract Nexus

Install prerequisites and download Nexus:

sudo apt update
sudo apt install -y openjdk-21-jdk wget unzip nginx
cd /opt
sudo wget https://sonatype-download.global.ssl.fastly.net/repository/downloads-prod-group/3/nexus-3.84.0-03-linux-x86_64.tar.gz
sudo tar -xvzf nexus-3.84.0-03-linux-x86_64.tar.gz
# The trailing slash makes the glob match only the extracted directory, not the tarball
sudo mv nexus-3.*/ nexus

Create Nexus User and Directories

Create a system user for running Nexus (no password needed):

sudo useradd -r -d /opt/nexus -s /bin/bash nexus

Create the sonatype-work directory manually as it is required before startup:

sudo mkdir -p /opt/sonatype-work/nexus
sudo chown -R nexus:nexus /opt/sonatype-work /opt/nexus

The /opt/sonatype-work/nexus directory is where Nexus will store data, logs, artifacts, and blob storage.


Install and Initialize PostgreSQL for Nexus

Install PostgreSQL and switch to the postgres user:

sudo apt install -y postgresql
sudo -u postgres psql

In the PostgreSQL shell, run these commands:

CREATE DATABASE nexus ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE template0;
\c nexus
CREATE SCHEMA nexus;
CREATE USER nexus WITH PASSWORD 'nexuspw123';
GRANT ALL PRIVILEGES ON DATABASE nexus TO nexus;
GRANT ALL PRIVILEGES ON SCHEMA nexus TO nexus;
CREATE EXTENSION IF NOT EXISTS pg_trgm SCHEMA nexus;

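This prepares the database and schema for Nexus. The password nexuspw123 is only an example; choose a strong, unique value and use the same one in the VM options in the next section.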


Configure Nexus for PostgreSQL using VM Options

Point Nexus to PostgreSQL by editing /opt/nexus/bin/nexus.vmoptions. The file will then hold the database password in plain text, so keep it readable only by the nexus user. Add these lines at the end:

-Dnexus.datastore.nexus.type=postgresql
-Dnexus.datastore.nexus.jdbcUrl=jdbc:postgresql://localhost:5432/nexus
-Dnexus.datastore.nexus.username=nexus
-Dnexus.datastore.nexus.password=nexuspw123
-Dnexus.datastore.nexus.maximumPoolSize=200

Note: Nexus does not support placing DB settings in properties files reliably; they must be in VM options.


Set Up Nexus as a Systemd Service

Create a systemd unit file /etc/systemd/system/nexus.service:

[Unit]
Description=Nexus Repository Manager
After=network.target

[Service]
Type=forking
LimitNOFILE=65536
User=nexus
ExecStart=/opt/nexus/bin/nexus start
ExecStop=/opt/nexus/bin/nexus stop
Restart=on-failure

[Install]
WantedBy=multi-user.target

Reload systemd daemon, enable, and start Nexus:

sudo systemctl daemon-reload
sudo systemctl enable nexus
sudo systemctl start nexus

Check service status:

sudo systemctl status nexus

Configure Nexus to Bind to Localhost

Edit /opt/nexus/etc/nexus-default.properties or your custom properties file and set:

application-port=8081
application-host=127.0.0.1

This restricts Nexus to localhost access, ideal when using a reverse proxy.
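
After restarting Nexus, the binding can be confirmed from the socket table. The following is an added example, not part of the original tutorial: it reads `ss -Hltn` output and lists every listener on the given port that is not bound to a loopback address. The function name non_loopback_listeners is chosen here for illustration.

```sh
#!/bin/sh
# Added example: flag listeners on a port that are reachable from outside
# the host. Input is `ss -Hltn` output (no header line) on stdin.
# Prints each offending local address; exit status is 1 if any was found.
non_loopback_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            local_addr = $4                     # e.g. 127.0.0.1:8081, [::]:8081, *:8081
            n = match(local_addr, /:[0-9]+$/)   # the port follows the last colon
            if (!n || substr(local_addr, n + 1) != port) next
            addr = substr(local_addr, 1, n - 1)
            sub(/%.*$/, "", addr)               # drop an interface scope such as %lo
            # Loopback forms: 127.0.0.0/8, ::1, and the IPv4-mapped form that a
            # dual-stack JVM socket shows as [::ffff:127.0.0.1].
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr
            bad = 1
        }
        END { exit bad }
    '
}

# Run as a script: sh check_bind.sh 8081
if [ "$#" -eq 1 ]; then ss -Hltn | non_loopback_listeners "$1"; fi
```

No output and exit status 0 mean port 8081 is reachable only through the reverse proxy.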


Generate Your Own Root CA and SSL Certificate for Nexus Domain

Run the following commands to create a Root CA and sign Nexus server certificates.

# Create directories for CA
sudo mkdir -p /etc/ssl/ca
cd /etc/ssl/ca

# Generate Root CA private key
sudo openssl genrsa -out rootCA.key 4096

# Generate Root CA certificate (valid 10 years)
sudo openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=nexus.home"

Now create an OpenSSL config /tmp/openssl_nexus.home.cnf with SAN:

cat > /tmp/openssl_nexus.home.cnf <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn
[ dn ]
CN = nexus.home
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = nexus.home
EOF

Generate private key and CSR for Nexus:

sudo openssl genrsa -out /etc/ssl/certs/nexus.home.key 2048
sudo openssl req -new -key /etc/ssl/certs/nexus.home.key -out /etc/ssl/certs/nexus.home.csr -config /tmp/openssl_nexus.home.cnf

Sign CSR with Root CA including SAN:

sudo openssl x509 -req -in /etc/ssl/certs/nexus.home.csr -CA /etc/ssl/ca/rootCA.crt -CAkey /etc/ssl/ca/rootCA.key -CAcreateserial -out /etc/ssl/certs/nexus.home.crt -days 365 -sha256 -extfile /tmp/openssl_nexus.home.cnf -extensions req_ext

Clean up:

rm /tmp/openssl_nexus.home.cnf
sudo rm /etc/ssl/certs/nexus.home.csr

Install and Configure Nginx with SSL

  1. Install Nginx:
sudo apt update
sudo apt install -y nginx
  2. Create Nginx config /etc/nginx/sites-available/nexus:
server {
    listen 80;
    server_name nexus.home;

    # Redirect all HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name nexus.home;

    ssl_certificate /etc/ssl/certs/nexus.home.crt;
    ssl_certificate_key /etc/ssl/certs/nexus.home.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    client_max_body_size 1G;

    location / {
        proxy_pass http://127.0.0.1:8081/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable the site and reload Nginx:

sudo ln -s /etc/nginx/sites-available/nexus /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

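PyPI Repository Configuration Example

To configure PyPI repository access via Nexus, add the following to pip.conf. The trusted-host line makes pip skip TLS certificate verification for nexus.home; clients that have the root CA certificate available can drop that line and set pip's cert option to the path of rootCA.crt instead, which keeps verification on.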

[global]
index-url = https://nexus.home/repository/pypi/simple/
trusted-host = nexus.home
timeout = 15

Basepath Capability

After you log in to Nexus, go to Settings -> System -> Capabilities -> Create capability -> Base URL and set it to the hostname used by the reverse proxy, e.g. https://nexus.home.


Blob Storage Location

Nexus stores artifacts as blobs in the sonatype-work directory:

/opt/sonatype-work/nexus/blobs

Nexus manages the blob storage internally but can be configured for external storage in the UI or configuration files.


Logs Location

Nexus logs are found in:

/opt/sonatype-work/nexus/log

Files like nexus.log, jvm.log, and audit.log help diagnose issues.


Certificate generation

The following script generates a certificate for the domain and signs it with the root CA:

#!/bin/bash
set -e
DOMAIN="nexus.home"
CERT_DIR="/etc/ssl/certs"
CA_DIR="/etc/ssl/ca"
CA_CERT="$CA_DIR/rootCA.crt"
CA_KEY="$CA_DIR/rootCA.key"
CA_SERIAL="$CA_DIR/rootCA.srl"
OPENSSL_CONFIG="/tmp/openssl_${DOMAIN}.cnf"
mkdir -p "$CERT_DIR"
echo "Creating OpenSSL configuration file for SAN..."
cat > "$OPENSSL_CONFIG" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn
[ dn ]
CN = $DOMAIN
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $DOMAIN
EOF
echo "Generating private key..."
openssl genrsa -out "$CERT_DIR/$DOMAIN.key" 2048
echo "Creating CSR..."
openssl req -new -key "$CERT_DIR/$DOMAIN.key" -out "$CERT_DIR/$DOMAIN.csr" -config "$OPENSSL_CONFIG"
echo "Signing CSR with CA certificate including SAN..."
openssl x509 -req -in "$CERT_DIR/$DOMAIN.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial -out "$CERT_DIR/$DOMAIN.crt" -days 365 -sha256 -extfile "$OPENSSL_CONFIG" -extensions req_ext
echo "Certificate and key have been generated: $CERT_DIR/$DOMAIN.crt and $CERT_DIR/$DOMAIN.key"
rm -f "$OPENSSL_CONFIG"
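
The certificate produced by the manual steps in the Root CA section and by the script above can be checked before Nginx is pointed at it. The following is an added example, not part of the original tutorial; the function name check_leaf and the 30-day expiry threshold are assumptions chosen here.

```sh
#!/bin/sh
# Added example, not from the original tutorial: post-issuance checks for a
# server certificate signed by the private root CA.
# Usage: check_leaf CA_CERT LEAF_CERT LEAF_KEY HOSTNAME
# Prints one line per failed check; status is 0 only if every check passes.
check_leaf() (    # subshell body: variables stay local, "exit" ends only the function
    ca=$1 crt=$2 key=$3 host=$4 rc=0

    # 1. Chain: trust only the given root, not the system CA directory.
    openssl verify -no-CApath -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL chain: $crt does not verify against $ca"; rc=1; }

    # 2. Name: require an exact dNSName entry in subjectAltName rather than
    #    relying on the CN (wildcard entries are not expanded here).
    openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$host" ||
        { echo "FAIL san: no DNS:$host entry in subjectAltName"; rc=1; }

    # 3. Key pair: the certificate must carry the public half of the key file.
    pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || pub=""
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL keypair: $key does not match $crt"; rc=1; }

    # 4. Key file mode: no access for group or others (e.g. 600 or 400).
    case "$(stat -c %a "$key" 2>/dev/null)" in
        *00) ;;
        *) echo "FAIL perms: $key is accessible to group or others"; rc=1 ;;
    esac

    # 5. Expiry: warn early, since the tutorial issues 365-day certificates.
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL expiry: $crt expires within 30 days"; rc=1; }

    exit "$rc"
)

# Run as a script: sudo sh check_leaf.sh /etc/ssl/ca/rootCA.crt \
#     /etc/ssl/certs/nexus.home.crt /etc/ssl/certs/nexus.home.key nexus.home
if [ "$#" -eq 4 ]; then check_leaf "$@"; fi
```

Running it from cron with the same four arguments gives an early warning before the 365-day certificate lapses.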

This completes the installation and PostgreSQL backend configuration of Nexus on Ubuntu, including secure user setup and recommended reverse proxy configuration. Use the Nexus UI for further repository and capability management.