Self-hosted Nexus deployment
How to locally host your own Docker images and Python modules.
Posted on: 2025-12-24
Lately, I had a use case come up where I needed to self-host a repository for both Docker images and Python modules. There are many reasons one may want to do something like that, whether it's caching artifacts from upstream repositories to increase speed and security, hosting local images that you produce in-house, or keeping track of what you have deployed in your network to increase visibility. The software I decided on is called Sonatype Nexus, an open source software solution available for free that I could host locally. The installation is very simple, but I did run into some configuration issues, so I decided I would write a quick post about it.
Installation
The easiest way to run Nexus is through Docker, and you can do so with these commands:
docker volume create --name nexus-data
docker run -d --restart always -p 8081:8081 --name nexus -v nexus-data:/nexus-data sonatype/nexus3
cat /var/lib/docker/volumes/nexus-data/_data/admin.password
Nexus generates a random admin password, which the third line prints. Get the password, then go to http://localhost:8081/ and log in with the admin username and that password. I also installed an Nginx reverse proxy on the host so that I could actually access it over HTTPS, which is very important for security. Note that -p 8081:8081 publishes the plain HTTP port on every interface of the host; use -p 127.0.0.1:8081:8081 instead if Nexus should only be reachable through the proxy. You can simply install Nginx and add this configuration file under /etc/nginx/sites-enabled/reverse-proxy.conf with whichever SSL certificate you use in your environment:
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/certs/YOUR_CERT.crt;
    ssl_certificate_key /etc/certs/YOUR_CERT.key;
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Other options for SSL termination include using Traefik, Let's Encrypt, or Nexus's own self-signed certificate option. The following commands will assume your repositories are available on port 443.
Configuring the repositories
Once you're able to log into the web UI, you can create repositories. One thing to understand is that there are typically 3 types of repositories inside of Nexus:
- Proxy: This repo will cache an upstream source, such as PyPI or Docker Hub.
- Hosted: This is a local repo used to store your own private artifacts.
- Group: This is the endpoint where users will connect, and groups the previous two types.
Nexus supports many artifact types, but I only needed Docker and Python, so I created the following repositories:

Configuring clients
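Python is very easy to get working with Nexus. Simply add these lines to /etc/pip.conf so that pip pulls all packages from your Nexus server whenever you run pip install package (the trusted-host line turns off certificate validation for that host and is only needed if your certificate isn't signed by a CA the client trusts):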
[global]
index-url = https://YOUR.NEXUS.HOST/repository/pypi/simple
trusted-host = YOUR.NEXUS.HOST
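To check that a client's pip.conf still sends everything through Nexus, here is a small audit script, added as an example and not part of the original post. The function name audit_pip_conf and the "drifted" sample config are constructed for illustration; the first sample is the config shown above.

```python
import configparser
from urllib.parse import urlsplit

# The pip.conf from this post, and a constructed "drifted" variant.
PAGE_CONF = """[global]
index-url = https://YOUR.NEXUS.HOST/repository/pypi/simple
trusted-host = YOUR.NEXUS.HOST
"""
DRIFTED_CONF = """[global]
index-url = http://YOUR.NEXUS.HOST/repository/pypi/simple
extra-index-url = https://pypi.org/simple
"""

def audit_pip_conf(text, nexus_host):
    """Return findings for pip.conf content that weaken a Nexus-only setup."""
    cfg = configparser.RawConfigParser()  # raw: no % interpolation in URLs
    cfg.read_string(text)
    if not cfg.has_section("global"):
        return ["no [global] section: pip falls back to the public index"]
    opts = dict(cfg.items("global"))
    findings = []

    index = urlsplit(opts.get("index-url", ""))
    if not index.hostname:
        findings.append("index-url not set: pip falls back to the public index")
    else:
        if index.scheme != "https":
            findings.append("index-url is not HTTPS")
        if index.hostname.lower() != nexus_host.lower():
            findings.append(f"index-url points at {index.hostname}, not Nexus")

    # Multi-value options are whitespace/newline separated in pip.conf.
    for extra in opts.get("extra-index-url", "").split():
        findings.append(f"extra-index-url {extra}: searched in addition to Nexus")
    for host in opts.get("trusted-host", "").split():
        findings.append(f"trusted-host {host}: TLS certificate checks skipped")
    return findings

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("drifted", DRIFTED_CONF)):
        for finding in audit_pip_conf(conf, "YOUR.NEXUS.HOST"):
            print(f"{name}: {finding}")
```

An empty list means pip only talks to Nexus, over HTTPS, with certificate validation on.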
Docker, on the other hand, took a bit more work. The first thing to do is go into the Nexus settings, under Security, Realms, and enable the Docker Bearer Token option. Then, make sure you have the following settings checked in all 3 Docker repos:
- Allow clients to use the V1 API to interact with this repository
- Allow anonymous Docker pulls for this repository
Once those things are done, you should be able to pull images directly from your repo:
docker pull YOUR.NEXUS.HOST/docker/dendory02/webcrawler:latest
Some additional notes
Once you're able to pull images and modules from Nexus, there are a few additional things you may want to do. You should be able to see all the artifacts that you've installed so far through Nexus on the web UI. But those artifacts will stay there until you clean them manually. You may want to create a cleanup policy in the settings to automatically delete artifacts that haven't been used in 30 days, so your disk doesn't fill up. You can also configure the object store with quotas, create more than one for different repositories, and so on.
If you're going to use Nexus to host locally produced items, you may also want to integrate malware scanning. One good option I've played with is called Trivy, an all-in-one open source malware scanner that can easily integrate into CI/CD pipelines.
Finally, make sure you back up the database and configuration from /var/lib/docker/volumes/nexus-data, although you don't have to back up the object store. For my part, this was the extent of my needs, but an artifact repository can be expanded to do many things, and can be the backbone of any good enterprise network to enhance security and efficiency.