refactor(mirror): replace 3 services with single Nexus Repository Manager

Consolidates BaGet + Verdaccio + registry:2 into one Sonatype Nexus OSS
instance with a REST API provisioning script.

docker-compose.mirror.yml: single nexus service, ports 8081 (UI/NuGet/npm)
  and 8083 (Docker Hub pull-through proxy)
mirrors/nexus/provision.sh: idempotent setup — changes admin password,
  enables anonymous access, creates nuget-proxy / npm-proxy / docker-hub-proxy
nuget.mirror.config: updated source URL to Nexus NuGet proxy endpoint
ci-cd.yml: updated npm --registry to Nexus npm proxy endpoint

Run once on server: docker compose -f docker-compose.mirror.yml up -d
  then: ./mirrors/nexus/provision.sh

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.mirror.yml

@@ -1,90 +1,43 @@
 # ─────────────────────────────────────────────────────────────────────────────
-# Local pull-through mirrors
+# Nexus Repository Manager OSS — single pull-through mirror for everything
 # ─────────────────────────────────────────────────────────────────────────────
-# Start:   docker compose -f docker-compose.mirror.yml up -d
-# Stop:    docker compose -f docker-compose.mirror.yml down
+# FIRST-TIME SETUP (run once after starting):
+#   docker compose -f docker-compose.mirror.yml up -d
+#   ./mirrors/nexus/provision.sh          # creates all proxy repos + enables anon access
 #
-# Endpoints (reachable from CI containers via host-gateway as "mirror"):
-#   NuGet  →  http://SERVER_IP:5101/v3/index.json
-#   npm    →  http://SERVER_IP:4873
-#   Docker →  http://SERVER_IP:5100   (add to /etc/docker/daemon.json)
+# Endpoints (after provisioning):
+#   UI     →  http://SERVER_IP:8081       (admin / see provision.sh output)
+#   NuGet  →  http://SERVER_IP:8081/repository/nuget-proxy/index.json
+#   npm    →  http://SERVER_IP:8081/repository/npm-proxy/
+#   Docker →  http://SERVER_IP:8083       (add to /etc/docker/daemon.json)
 #
-# First request for any package fetches from upstream and caches locally.
-# Subsequent requests are served from disk — no upstream needed.
+# Memory: needs ~2 GB JVM heap — recommended on a server with 4 GB+ total RAM.
+# Adjust INSTALL4J_ADD_VM_PARAMS below if your server has more/less RAM.
 # ─────────────────────────────────────────────────────────────────────────────
 
 services:
-
-  # ── NuGet mirror (BaGet) ────────────────────────────────────────────────────
-  # Proxies → https://api.nuget.org/v3/index.json
-  # CI usage: dotnet restore --configfile nuget.mirror.config
-  baget:
-    image: loicsharma/baget:latest
+  nexus:
+    image: sonatype/nexus3:latest
+    container_name: meezi-mirror-nexus
     restart: unless-stopped
     environment:
-      ApiKey: "ci-mirror-key"          # only needed for package *publish*; reads are open
-      Storage__Type: FileSystem
-      Storage__Path: /var/baget/packages
-      Database__Type: Sqlite
-      Database__ConnectionString: "Data Source=/var/baget/db/baget.db"
-      Mirror__Enabled: "true"
-      Mirror__PackageSource: "https://api.nuget.org/v3/index.json"
+      # Heap: Xmx = max Java heap. MaxDirectMemorySize = off-heap (blob cache).
+      # Total Nexus RAM ≈ Xmx + MaxDirectMemorySize + ~512 MB OS/JVM overhead.
+      # 4 GB server: values below  (2 GB heap + 1 GB off-heap + 512 MB overhead ≈ 3.5 GB)
+      # 8 GB server: -Xms1g -Xmx4g -XX:MaxDirectMemorySize=2g
+      INSTALL4J_ADD_VM_PARAMS: "-Xms512m -Xmx2g -XX:MaxDirectMemorySize=1g -Djava.util.prefs.userRoot=/nexus-data/javaprefs"
     volumes:
-      - baget-packages:/var/baget/packages
-      - baget-db:/var/baget/db
+      - nexus-data:/nexus-data
     ports:
-      - "5101:80"
+      - "8081:8081"   # Web UI + NuGet + npm REST API
+      - "8083:8083"   # Docker Hub pull-through proxy (dedicated port required by Docker protocol)
     healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost/health"]
+      test: ["CMD", "curl", "-sf", "http://localhost:8081/service/rest/v1/status"]
       interval: 30s
-      timeout: 10s
-      retries: 3
-
-  # ── npm mirror (Verdaccio) ──────────────────────────────────────────────────
-  # Proxies → https://registry.npmjs.org
-  # CI usage: npm install --registry http://mirror:4873
-  verdaccio:
-    image: verdaccio/verdaccio:latest
-    restart: unless-stopped
-    volumes:
-      - verdaccio-storage:/verdaccio/storage
-      - ./mirrors/verdaccio/config.yaml:/verdaccio/conf/config.yaml:ro
-    ports:
-      - "4873:4873"
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:4873/-/ping"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-
-  # ── Docker Hub pull-through cache ───────────────────────────────────────────
-  # Proxies → https://registry-1.docker.io  (Docker Hub only)
-  # Activate by adding to /etc/docker/daemon.json on the server:
-  #   { "registry-mirrors": ["http://localhost:5100"] }
-  # then: systemctl restart docker
-  registry:
-    image: registry:2
-    restart: unless-stopped
-    environment:
-      REGISTRY_PROXY_REMOTEURL: "https://registry-1.docker.io"
-      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /data
-      REGISTRY_PROXY_TTL: "168h"       # cache pulled layers for 7 days
-    volumes:
-      - registry-data:/data
-    ports:
-      - "5100:5000"
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:5000/v2/"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
+      timeout: 15s
+      retries: 10
+      start_period: 120s   # Nexus JVM startup takes ~2 min on first boot
 
 volumes:
-  baget-packages:
-    name: meezi-mirror-baget-packages
-  baget-db:
-    name: meezi-mirror-baget-db
-  verdaccio-storage:
-    name: meezi-mirror-verdaccio
-  registry-data:
-    name: meezi-mirror-registry
+  nexus-data:
+    name: meezi-mirror-nexus-data