The convergence of infrastructure as code (IaC) and network orchestration has fundamentally altered how enterprise environments are deployed and maintained. At the center of this evolution is the synergy between Ansible, an agentless automation engine, and Nexus ecosystems—which encompass both the Cisco Nexus NX-OS networking platforms and the Nexus Repository Manager (NRM) OSS. By leveraging Ansible's declarative nature via YAML-based playbooks, engineers can transition from manual, error-prone CLI configurations to a scalable, version-controlled architecture. This integration allows for the precise management of hardware switching fabrics and the programmatic deployment of artifact repositories, ensuring that both the physical network layer and the software delivery pipeline are synchronized and reproducible.
The Fundamental Architecture of Ansible Automation
Ansible operates as an open-source, agentless software suite designed for configuration management, deployment, and orchestration. Its agentless architecture is a critical technical advantage, as it does not require the installation of proprietary software on the target nodes; instead, it communicates via standard protocols such as SSH or APIs.
The operational logic of Ansible is structured around several core components:
- Playbooks: These are the primary orchestration files written in YAML (YAML Ain't Markup Language), designed for high human readability and ease of authorship.
- Plays: A playbook consists of one or more plays, which map a specific set of hosts to a set of tasks.
- Tasks: Each play contains one or more tasks, which are the smallest units of execution.
- Modules: Every task is associated with a module. Modules are essentially Python scripts that ship with the Ansible installation. They act as the "worker bees" that execute the actual change on the target system.
For the technical practitioner, this means that automating a Cisco Nexus switch or installing a Nexus Repository Manager involves calling a specific module (such as an NX-OS module or a URI module) and providing the necessary parameters to achieve a desired state.
Deploying and Configuring Cisco Nexus NX-OS with Ansible
Automating the Cisco Nexus 9000 series requires a structured approach to environment setup and variable management to ensure the network fabric remains stable.
Initial Environment Setup
Before executing network playbooks, the control node must be properly configured with the Python ecosystem.
- PIP Installation: The first requirement is the installation of PIP, the package manager for Python. PIP is essential because it manages libraries and dependencies that are not included in the Python standard library, allowing the user to install the
ansiblepackage and required network collections. - Ansible Installation: Once PIP is operational, Ansible is installed via the terminal using the command
sudo pip install ansible. - Version Verification: Following installation, it is mandatory to verify the installation by checking the Ansible version to ensure compatibility with the NX-OS modules being utilized.
Network Connectivity and API Configuration
To communicate with Nexus devices, Ansible typically utilizes the httpapi connection plugin, which leverages the NX-API of the Cisco switches. This allows Ansible to send requests as HTTP calls rather than relying solely on SSH.
The configuration of these connections is handled in the group_vars/all file. This file uses key/value pairs to define universal variables applied to all devices in the inventory.
The required configuration for a standard NX-OS deployment is as follows:
```yaml
ansibleconnection: httpapi
ansiblehttpapiusessl: yes
ansiblehttpapivalidatecerts: no
ansiblenetworkos: nxos
ansibleuser: admin
ansiblehttpapipass: your_password
```
The technical implication of these settings is significant: by setting ansible_httpapi_use_ssl: yes, the communication is encrypted, while ansible_httpapi_validate_certs: no allows the connection to proceed even if the switch uses self-signed certificates, which is common in internal lab environments.
Variable Hierarchy and Role Management
A robust Nexus deployment utilizes a tiered variable structure to separate global settings from device-specific configurations.
- Group Variables: Defined in
group_vars/all, these apply to every single device in the network. - Role Variables: Common variables for specific device types (e.g., spines or leaves) are stored in
roles/spine/vars/main.ymlandroles/leaf/vars/main.yml. This allows the administrator to define "Spine-specific" behavior separately from "Leaf-specific" behavior. - Host Variables: Device-specific variables (such as unique IP addresses or hostnames) are stored in the
host_varsdirectory, creating a unique profile for every individual piece of hardware in the fabric.
Automating Nexus Repository Manager OSS (NRM)
Beyond networking, Ansible is used to deploy and manage the Nexus Repository Manager OSS version 3.x. This process involves the installation of the Java-based application and the configuration of the underlying Linux OS.
Core Installation and System Requirements
The installation of Nexus 3 OSS is managed via an Ansible role that handles the binary deployment and service configuration.
- Dependency Management: The role can fulfill Java and HTTPD (Apache) requirements through the use of Ansible Galaxy roles.
- User and Group Management: To ensure security and proper file ownership, the role creates a specific system user and group. The default values are:
nexus_os_user: nexusnexus_os_uid: 1000nexus_os_group: nexusnexus_os_gid: 1000
If an administrator needs to ensure that all files within the blobstore directories are owned by the nexus user, they can force a recursive ownership check by running the playbook with a specific extra variable:
bash
ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_blobstores_recurse_owner=true
Network and Process Configuration
The Nexus application requires precise binding to network interfaces and ports to ensure accessibility and security.
- Default Port: The application defaults to
nexus_default_port: 8081. - Context Path: The
nexus_default_context_pathmust be set with a trailing slash, for example,/nexus/. - Application Host: The
nexus_application_hostvariable determines the binding IP. This is often dependent on whether a reverse proxy is used. Ifhttpd_setup_enableis true, Nexus binds to127.0.0.1to prevent external access to the raw port, forcing traffic through the proxy. If no proxy is used, it binds to0.0.0.0to listen on all interfaces.
Reverse Proxy and SSL Integration
To provide a professional and secure external interface, an SSL Reverse Proxy via HTTPD is frequently implemented.
- SSL Setup: When
httpd_setup_enableis set to true, the role configures the Apache server usinghttpd_ssl_certificate_fileandhttpd_ssl_certificate_key_file. - Proxy Logic: This architecture ensures that the Nexus instance is not directly accessible on port 8081 from an external IP, enhancing the security posture of the artifact repository.
Advanced Functional Configuration
The Nexus 3 OSS role provides granular control over the application's features through several variables.
- Auditing: The
nexus_audit_enabledvariable controls the auditing capability. When set to true, audit data is stored in the Nexus database and persists across reboots, though it is not automatically rotated. - Branding: Administrators can customize the user interface using
nexus_branding_headerandnexus_branding_footer, which support HTML. A common implementation is to use theansible_date_time.iso8601variable to display the last provisioning date in the footer. - Log4j Visualizer: The
nexus_log4j_visualizer_enabledvariable can be switched to true to add the Log4j visualizer capability to the instance. - Timeout Management: The
nexus_api_timeoutvariable (introduced in v2.4.19) overrides the defaulturimodule timeout of 30 seconds for all API calls, which is critical for long-running operations.
Managing Nexus Artifacts via Ansible Modules
For DevOps pipelines, the ability to upload and download artifacts programmatically is essential. This is achieved through specific Nexus modules that interface with the Nexus REST API.
Technical Requirements for Artifact Management
To use the Nexus upload/download modules, the following environment is required:
- Python 3
python-requestslibrary- Ansible version 3 or higher
Artifact Upload and Download Operations
The following table describes the parameters required for artifact operations:
| Parameter | Description | Example Value |
|---|---|---|
nexus_endpoint |
The URL of the Nexus server | http://nexus.apps.kubernetes.local |
username |
API authentication user | jenkins-nexus |
password |
API authentication password | jenkins |
artifact_id |
The unique identifier of the artifact | org.redhat:new-application-artifact:1.0.0-RELEASE |
artifact_format |
The file type of the artifact | jar |
repository |
The target repository name | maven-releases or maven-snapshots |
source / target |
File path for upload or download | /tmp/artifact.jar |
operation |
The HTTP method for the API call | PUT |
An example of an upload task is structured as follows:
yaml
- name: Upload an artifact to nexus
nexus:
nexus_endpoint: "http://nexus.apps.kubernetes.local"
username: "jenkins-nexus"
password: "jenkins"
artifact_id: "org.redhat:new-application-artifact:1.0.0-RELEASE"
artifact_format: "jar"
source: "/tmp/artifact.jar"
operation: "PUT"
repository: "maven-releases"
Comprehensive Variable and Configuration Mapping
The deployment of Nexus 3 OSS involves a wide array of variables that define the state of the application.
LDAP and User Management
Integration with corporate identity providers is handled via LDAP configuration. This allows the Nexus instance to authenticate users based on existing corporate directories.
- LDAP Connection Details: This includes
ldap_hostname,ldap_port(e.g., 636 for LDAPS), andldap_search_base. - User Mapping: Attributes such as
ldap_user_id_attribute(uid) andldap_user_email_attribute(mail) ensure that the correct user data is pulled from the LDAP server. - Group Mapping:
ldap_group_object_class(posixGroup) andldap_group_member_attribute(memberUid) are used to manage access control via LDAP groups.
Privileges and Access Control
Ansible can be used to define specific privileges and roles within Nexus.
- Privilege Definition: A privilege can be defined by its name, description, and the repositories it applies to. For example, a "read-only" privilege might be assigned to the
*(all) repository with thereadandbrowseactions. - Deployment Privileges: Specific project-based privileges, such as
company-project-deploy, can be created to limit deployment capabilities to specific repositories.
Maintenance and Storage
Storage management is a critical aspect of Nexus administration.
- Blobstores: Settings related to blobstores are immutable in Nexus. Once set, they cannot be changed by simply re-running the Ansible role.
- Temporary Directories: The
nexus_local_tmp_diris used for creating local archives of Groovy scripts. On RHEL/CentOS systems, it is recommended to change this from/tmpto a persistent location (e.g.,/home/<user>/tmp) to prevent the system from automatically cleaning up the directory, which could trigger unnecessary Nexus restarts.
Summary of Configuration Variables for Nexus 3 OSS
The following table provides a consolidated view of the key variables used in the Nexus 3 OSS Ansible role.
| Variable | Default/Example | Purpose |
|---|---|---|
nexus_timezone |
Canada/Eastern |
Sets the system timezone for the Nexus instance |
nexus_public_hostname |
nexus.vm |
Defines the public DNS name for the instance |
nexus_admin_password |
{{ vault_nexus_admin_password }} |
Sets the initial administrator password |
nexus_os_user |
nexus |
The Linux user running the Nexus process |
nexus_default_port |
8081 |
The internal listening port for the Java process |
httpd_setup_enable |
false |
Toggles the installation of the Apache reverse proxy |
nexus_audit_enabled |
false |
Toggles the database-backed auditing feature |
Conclusion
The integration of Ansible with both Cisco NX-OS and the Nexus Repository Manager OSS represents a sophisticated approach to infrastructure management. By abstracting complex CLI and API interactions into YAML playbooks, organizations can achieve a high degree of consistency across their network and software artifact layers. The use of a hierarchical variable structure—splitting configurations into group, role, and host levels—ensures that the automation is both flexible and scalable. Furthermore, the implementation of secure communication through SSL reverse proxies and the programmatic management of artifacts via specialized modules allow for a fully integrated CI/CD pipeline. The transition from manual configuration to this "as-code" model significantly reduces the risk of configuration drift and operational downtime, providing a stable foundation for emerging technology stacks.