nexus: securize, futur proof

nexus-oss/PKGBUILD

@@ -1,22 +1,21 @@
-_version=3.37.0
+_version=3.37.3
-_patch=01
+_patch=02
 
 pkgname=nexus-oss
 pkgver=${_version}.${_patch}
-pkgrel=1
+pkgrel=2
 pkgdesc='Nexus 3 Repository OSS'
 arch=('any')
 url='http://nexus.sonatype.org'
 license=("custom:$pkgname")
 depends=('java-runtime=11')
 replaces=('nexus3')
-provides=($pkgname)
+provides=('nexus3')
 backup=("var/lib/$pkgname/etc/nexus.properties"
 	"usr/lib/$pkgname/bin/nexus.vmoptions"
 )
 source=("https://download.sonatype.com/nexus/3/nexus-$_version-$_patch-unix.tar.gz"
 	"$pkgname"
-	"$pkgname.install"
 	"$pkgname.properties"
 	"$pkgname.service"
 	"$pkgname.sysusers"
@@ -24,26 +23,19 @@ source=("https://download.sonatype.com/nexus/3/nexus-$_version-$_patch-unix.tar.
 	"$pkgname.vmoptions"
 	"pref_jre.cfg"
 )
-sha256sums=('3a928576502b53cd77eaa4f41564eb848d13707c106d45540116fc54dcee519b'
+sha256sums=('c1db431908c5a76b44015c555d6ef4517abf0a86844faffee0f5d6c62359312d'
-            '3d2ebc2a796dbdc7e7e3b97e4c3272292169c898776e111f503f0517e434caff'
+            'b33fbb8769ac73fe339ea2875a240f308fbd584519f533fba25cf6136eac2dd0'
-            'f03a4a2a454ab15bbe7b6d479ec4b6a86055a4ffb77704dc44fe11a19382278b'
             'dcdef5614db12f38b3da0b9de1b52fb7fa402af6621a825981c6168a34a6ad9b'
-            '3670748854d3f05623c9a8826605c3e2a97c7b3955104e74b5eed00ed17299c1'
+            'bb6d16579712ebb15df948ac395b9095955c12fec9160dd871254836a82c4062'
-            '77d699b5ccf6387fa2f69df2cd71cdb75b4ffbf46a10110dd6c0e2802783dbef'
+            '29567e274ffacb06e03580d94685b04aeb7197cd84a14108a347ad5307931be6'
             '939994095f0c5de005a1e36a295bea791a70dadfa32af23b400cbd87be57af9c'
-            '98e1405dc1c79373975463b7780ccb5eb89ba388988d35208ba285a4cf05be2a'
+            '176c02ba4299ad818eed75cdaeb42a2d9ffa7332fc74ff30b7c37965e7095df4'
             'd713e29b72522fe4395b6959d27e2a98a24961393e08df7a6b022b1fd77c650d')
 
-install=$pkgname.install
-
 package() {
 	install -dm755 $pkgdir/usr/lib
 	install -dm750 $pkgdir/var/lib/$pkgname
 
-	sed -i '448iadd_class_path "$app_home/lib/boot/activation-1.1.jar"' $srcdir/nexus-$_version-$_patch/bin/nexus
-	sed -i '459iadd_class_path "$app_home/lib/endorsed/org.apache.karaf.specs.locator-4.2.9.jar"' $srcdir/nexus-$_version-$_patch/bin/nexus
-	sed -i '146,166d' $srcdir/nexus-$_version-$_patch/bin/nexus
-
 	cp -a $srcdir/nexus-$_version-$_patch $pkgdir/usr/lib/$pkgname
 	cp -a $srcdir/sonatype-work/nexus3/orient $pkgdir/var/lib/$pkgname
 

nexus-oss/nexus-oss

@@ -1,4 +1,8 @@
-#!/bin/bash
+#!/bin/sh
 
-exec /usr/lib/nexus-oss/bin/nexus "$@"
+java=$(</usr/lib/nexus-oss/.install4j/pref_jre.cfg)
+java_opts=$(</usr/lib/nexus-oss/bin/nexus.vmoptions)
+exec ${java}/bin/java -Dinstall4j.jvmDir=${java} -Dexe4j.moduleName=/usr/lib/nexus-oss/bin/nexus -Dinstall4j.launcherId=245 -Dinstall4j.swt=false -Di4jv=0 -Di4j.vpt=true \
+${java_opts} -classpath '/usr/lib/nexus-oss/.install4j/i4jruntime.jar:/usr/lib/nexus-oss/lib/boot/*:/usr/lib/nexus-oss/lib/endorsed/*' \
+com.install4j.runtime.launcher.UnixLauncher $1 9d17dc87 0 0 org.sonatype.nexus.karaf.NexusMain
 

nexus-oss/nexus-oss.install

@@ -1,45 +0,0 @@
-post_install()
-{
-	systemd-sysusers nexus-oss.conf
-	systemd-tmpfiles --create nexus-oss.conf
-
-	cat <<EOF
-
-The default URL for this installation is
-
-	http://127.0.0.1:8081/
-
-To change these settings edit the file
-
-	/var/lib/nexus-oss/etc/nexus.properties
-
-Sonatype strongly suggests using the latest Java 8 release version of Java
-available from Oracle. Support for Java 9 has not been verified - DO NOT USE IT.
-
-See https://help.sonatype.com/display/NXRM3/System+Requirements#SystemRequirements-Java
-
-EOF
-}
-
-post_upgrade()
-{
-	systemctl daemon-reload
-
-	cat <<EOF
-
-See Release Notes at
-	https://help.sonatype.com/display/NXRM3/2018+Release+Notes
-
-EOF
-}
-
-pre_remove()
-{
-	systemctl disable --now nexus-oss
-}
-
-post_remove()
-{
-	systemctl daemon-reload
-}
-

nexus-oss/nexus-oss.service

@@ -3,14 +3,41 @@ Description=Nexus 3 Repository OSS
 After=network.target
 
 [Service]
-Type=forking
+Type=simple
 LimitNOFILE=65536
 User=nexus
 Group=nexus
+RuntimeDirectory=nexus-oss
+LogsDirectory=nexus-oss
+StateDirectory=nexus-oss
+WorkingDirectory=/usr/lib/nexus-oss
 ExecStart=/usr/bin/nexus-oss start
-ExecStop=/usr/bin/nexus-oss stop
+Restart=always
-Restart=on-abort
+RestartSec=5s
+AmbientCapabilities=
+CapabilityBoundingSet=
+LockPersonality=true
+NoNewPrivileges=True
+SecureBits=noroot-locked
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target
-

nexus-oss/nexus-oss.sysusers

@@ -1,2 +1 @@
 u nexus - "Nexus OSS" /var/lib/nexus-oss
-g nexus -

nexus-oss/nexus-oss.vmoptions

@@ -1,12 +1,6 @@
 -Xms1G
--Xmx2G
+-Xmx1G
--XX:MaxDirectMemorySize=768M
+-XX:MaxDirectMemorySize=1G
--XX:+UnlockDiagnosticVMOptions
--XX:+UnsyncloadClass
--XX:+LogVMOutput 
--XX:LogFile=/var/lib/nexus-oss/log/jvm.log
--XX:-OmitStackTraceInFastThrow
--Djava.net.preferIPv4Stack=true
 -Dkaraf.home=.
 -Dkaraf.base=.
 -Dkaraf.etc=etc/karaf