Sonatype Nexus Repository OSS on Ubuntu 24.04 on Azure User Guide
Overview
Sonatype Nexus Repository OSS is a universal artifact repository manager. It stores and serves the binary artifacts your builds produce and consume and can proxy and cache remote registries so your CI fleet pulls dependencies from a single fast local mirror. It handles many formats out of the box, including Maven, npm, Docker, NuGet, PyPI, RubyGems and raw files. The cloudimg image installs the free, open-source edition (Eclipse Public License 1.0) of Nexus Repository 3.70.4-02 on OpenJDK 17, running behind an nginx reverse proxy on port 80 as a dedicated nexus service account bound to the loopback interface. All repository storage, the embedded database and the search index live on a dedicated Azure data disk, and a unique admin password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.
What is included:
- Sonatype Nexus Repository OSS 3.70.4-02 (Eclipse Public License 1.0) on OpenJDK 17
- The Nexus web console for browsing, searching, uploading and administering repositories
- Default Maven and NuGet hosted, proxy and group repositories, ready to extend to npm, Docker, PyPI and more
- nginx on
:80as a reverse proxy to the loopback Nexus connector on127.0.0.1:8081 - A per-VM
adminaccount generated on first boot and recorded in a root-only file - A dedicated Azure data disk at
/var/lib/nexusfor blob stores, the embedded database and the search index nexus.service(running as the unprivilegednexususer) andnginx.serviceas systemd units, enabled and active- An unauthenticated
/healthendpoint for Azure Load Balancer health probes - 24/7 cloudimg support

Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B4ms (4 vCPU / 16 GiB RAM) is a sensible starting point because Nexus is a JVM application with a 2.7 GiB default heap; size up for larger repositories or busier proxy traffic. NSG inbound: allow 22/tcp from your management network and 80/tcp. Nexus serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Sonatype Nexus Repository by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name nexus \
--image <marketplace-image-urn> \
--size Standard_B4ms \
--admin-username azureuser \
--ssh-key-values ~/.ssh/id_ed25519.pub \
--vnet-name <your-vnet> --subnet <your-subnet> \
--public-ip-sku Standard
az vm open-port --resource-group <your-rg> --name nexus --port 80 --priority 1010
Step 3 - Connect to your VM
ssh azureuser@<vm-public-ip>
Step 4 - Confirm the services are running
systemctl is-active nexus.service nginx.service
Both units report active. On a fresh VM the Nexus first-boot service does a one-time clean initialisation of the embedded database and default repositories and then rotates the admin password; this takes a couple of minutes on the very first boot before the console is reachable.
Step 5 - Retrieve the per-VM admin password
A unique administrator password is generated on the first boot of each VM and written to a root-only file. Read it over SSH:
sudo cat /root/nexus-credentials.txt
The file contains NEXUS_URL, NEXUS_ADMIN_USER (which is admin) and NEXUS_ADMIN_PASSWORD. Keep this password safe; it is the initial administrator credential for this VM.

Step 6 - Sign in to the Nexus web console
Browse to http://<vm-public-ip>/ and click Sign in in the top-right corner. Sign in as admin with the password from Step 5.

Once signed in, the Browse view lists the repositories that ship ready to use, including maven-central (a proxy of Maven Central), maven-releases and maven-snapshots (hosted), maven-public (a group), and the equivalent NuGet repositories.

Step 7 - Administer and create repositories
Open the Server administration and configuration (gear) menu, then Repository > Repositories, to manage existing repositories or create new ones. Click Create repository and choose a recipe such as npm (hosted), docker (hosted), pypi (proxy) or raw (hosted) to add a new format.

The Support > Status view under administration shows a live health summary of the node, including available CPUs, blob-store quotas and file-descriptor limits.

Step 8 - Point a Maven build at your repository
Configure Maven to resolve dependencies through the maven-public group on your VM by adding a mirror to ~/.m2/settings.xml on your build machine (replace <vm-public-ip> with your VM address):
<settings>
<mirrors>
<mirror>
<id>cloudimg-nexus</id>
<name>cloudimg Nexus</name>
<url>http://<vm-public-ip>/repository/maven-public/</url>
<mirrorOf>*</mirrorOf>
</mirror>
</mirrors>
</settings>
To publish build outputs, deploy to the maven-releases or maven-snapshots hosted repositories at http://<vm-public-ip>/repository/maven-releases/ using your admin credentials (or a dedicated deployment user you create under Security > Users).
Step 9 - Verify the REST API and health endpoint
nginx serves an unauthenticated health endpoint that Azure Load Balancer probes can target, and Nexus exposes a status endpoint:
curl -s http://127.0.0.1/health
curl -s http://127.0.0.1/service/rest/v1/status -o /dev/null -w 'status endpoint HTTP %{http_code}\n'
The write-availability endpoint requires authentication. The following reads the per-VM password from the credentials file (so no password appears on your command line) and confirms the instance is authenticated and writable, returning 200:
PW=$(sudo grep '^NEXUS_ADMIN_PASSWORD=' /root/nexus-credentials.txt | cut -d= -f2-)
curl -s -u "admin:$PW" http://127.0.0.1/service/rest/v1/status/writable -o /dev/null -w 'writable HTTP %{http_code}\n'
For reference, the equivalent authenticated call from a remote machine is curl -u admin:<NEXUS_ADMIN_PASSWORD> http://<vm-public-ip>/service/rest/v1/status/writable, substituting the password from Step 5. A wrong password returns 401.

Step 10 - Maintenance
Nexus and its reverse proxy are managed by systemd. Restart or inspect them with:
systemctl restart nexus.service
journalctl -u nexus.service --no-pager | tail -n 20
All repository data, the embedded database and the search index live under /var/lib/nexus on the dedicated data disk, so they survive OS patching and are independently resizable. The application log is at /var/lib/nexus/log/nexus.log. Anonymous access is disabled by default; enable it under Security > Anonymous Access if you want unauthenticated read of public repositories. Because Nexus serves plain HTTP on port 80, place it behind TLS with your own domain before production use.
Support
This image is maintained by cloudimg with 24/7 support. For help, contact support@cloudimg.co.uk.