feat: Configure Nexus Docker registry for image hosting

Updated all configurations to use ACN Nexus Docker registry:
- Push registry: docker-push.acn.fr (requires authentication)
- Public registry: docker.acn.fr (anonymous pull access)

Changes:
- Updated Woodpecker CI pipeline to use Nexus registries
- Modified Makefile with separate push/pull registry variables
- Added 'make login' command for Nexus authentication
- Updated docker-compose.prod.yml to use Nexus registry
- Enhanced documentation with Nexus-specific instructions
- Updated CI_SETUP.md with Nexus authentication details

Secrets required:
- nexus_username (e.g., admin)
- nexus_password (Nexus password)

Author: jeremi

.woodpecker.yml

@@ -26,8 +26,8 @@ steps:
     when:
       event: [push, tag]
     settings:
-      registry: ${CI_REGISTRY:-docker.io}
-      repo: ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp
+      registry: ${CI_REGISTRY:-docker-push.acn.fr}
+      repo: ${CI_REGISTRY:-docker-push.acn.fr}/openspp/openspp
       dockerfile: Dockerfile
       platforms: linux/amd64,linux/arm64
       build_args:
@@ -38,13 +38,13 @@ steps:
         - ${CI_COMMIT_BRANCH}
         - ${CI_COMMIT_SHA:0:8}
       username:
-        from_secret: docker_username
+        from_secret: nexus_username
       password:
-        from_secret: docker_password
+        from_secret: nexus_password
       cache_from:
-        - ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:buildcache
+        - ${CI_REGISTRY:-docker-push.acn.fr}/openspp/openspp:buildcache
       cache_to:
-        - type=registry,ref=${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:buildcache,mode=max
+        - type=registry,ref=${CI_REGISTRY:-docker-push.acn.fr}/openspp/openspp:buildcache,mode=max
 
   # Step 3: Build multi-arch Docker images (slim Debian)
   build-docker-slim:
@@ -53,8 +53,8 @@ steps:
     when:
       event: [push, tag]
     settings:
-      registry: ${CI_REGISTRY:-docker.io}
-      repo: ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp
+      registry: ${CI_REGISTRY:-docker-push.acn.fr}
+      repo: ${CI_REGISTRY:-docker-push.acn.fr}/openspp/openspp
       dockerfile: Dockerfile.slim
       platforms: linux/amd64,linux/arm64
       build_args:
@@ -65,53 +65,53 @@ steps:
         - ${CI_COMMIT_BRANCH}-slim
         - ${CI_COMMIT_SHA:0:8}-slim
       username:
-        from_secret: docker_username
+        from_secret: nexus_username
       password:
-        from_secret: docker_password
+        from_secret: nexus_password
       cache_from:
-        - ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:buildcache-slim
+        - ${CI_REGISTRY:-docker-push.acn.fr}/openspp/openspp:buildcache-slim
       cache_to:
-        - type=registry,ref=${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:buildcache-slim,mode=max
+        - type=registry,ref=${CI_REGISTRY:-docker-push.acn.fr}/openspp/openspp:buildcache-slim,mode=max
 
   # Step 4: Security scan of Docker images
   scan-docker:
     image: aquasec/trivy:latest
     when:
       event: [push, tag]
     commands:
-      # Scan Ubuntu image
+      # Scan Ubuntu image (using public registry URL)
       - trivy image --severity HIGH,CRITICAL --exit-code 0 
-          ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_SHA:0:8}
+          docker.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8}
 
       # Scan slim image
       - trivy image --severity HIGH,CRITICAL --exit-code 0 
-          ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_SHA:0:8}-slim
+          docker.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8}-slim
 
       # Generate reports
       - trivy image --format json --output trivy-ubuntu.json 
-          ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_SHA:0:8}
+          docker.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8}
       - trivy image --format json --output trivy-slim.json 
-          ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_SHA:0:8}-slim
+          docker.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8}-slim
 
   # Step 5: Test Docker images
   test-docker:
     image: docker:latest
     when:
       event: [push, tag]
     commands:
-      # Test Ubuntu image
-      - docker run --rm ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_SHA:0:8} 
+      # Test Ubuntu image (using public registry URL)
+      - docker run --rm docker.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8} 
           openspp-server --version
 
       # Test slim image
-      - docker run --rm ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_SHA:0:8}-slim 
+      - docker run --rm docker.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8}-slim 
           openspp-server --version
 
       # Test health check endpoint
       - |
         docker run -d --name test-openspp -p 8069:8069 \
           -e SKIP_DB_WAIT=true \
-          ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_SHA:0:8}
+          docker.acn.fr/openspp/openspp:${CI_COMMIT_SHA:0:8}
         sleep 30
         curl -f http://localhost:8069/web/health || exit 1
         docker stop test-openspp
@@ -124,16 +124,16 @@ steps:
     when:
       event: tag
     settings:
-      registry: ${PROD_REGISTRY}
-      repo: ${PROD_REGISTRY}/${PROD_REPO}/openspp
+      registry: ${PROD_REGISTRY:-docker-push.acn.fr}
+      repo: ${PROD_REGISTRY:-docker-push.acn.fr}/openspp/openspp
       tags:
         - ${CI_COMMIT_TAG}
         - latest
         - stable
       username:
-        from_secret: prod_docker_username
+        from_secret: nexus_username
       password:
-        from_secret: prod_docker_password
+        from_secret: nexus_password
       dry_run: false
 
   # Step 7: Update deployment manifests
@@ -145,7 +145,7 @@ steps:
       - |
         git clone https://github.com/${CI_REPO_OWNER}/openspp-k8s-manifests.git
         cd openspp-k8s-manifests
-        find deployments -name "*.yaml" -exec sed -i "s|image:.*openspp:.*|image: ${CI_REGISTRY:-docker.io}/${CI_REPO_OWNER}/openspp:${CI_COMMIT_TAG}|g" {} \;
+        find deployments -name "*.yaml" -exec sed -i "s|image:.*openspp:.*|image: docker.acn.fr/openspp/openspp:${CI_COMMIT_TAG}|g" {} \;
         git add .
         git commit -m "Update OpenSPP image to ${CI_COMMIT_TAG}"
         git push

CI_SETUP.md

@@ -1,5 +1,11 @@
 # CI/CD Setup Guide for Woodpecker
 
+## Docker Registry Configuration
+
+This project uses ACN Nexus Docker Registry:
+- **Push Registry:** `docker-push.acn.fr` (requires authentication)
+- **Public Registry:** `docker.acn.fr` (anonymous pull access)
+
 ## Prerequisites
 
 ### Server Configuration
@@ -24,28 +30,24 @@ This can be set in:
 
 The pipeline requires the following secrets to be configured in Woodpecker:
 
-1. **Docker Registry Credentials** (for pushing images):
-   - `docker_username`: Docker Hub or registry username
-   - `docker_password`: Docker Hub or registry password/token
-
-2. **Production Registry Credentials** (optional, for production deployments):
-   - `prod_docker_username`: Production registry username
-   - `prod_docker_password`: Production registry password/token
+1. **Nexus Registry Credentials** (for pushing images):
+   - `nexus_username`: Nexus username (e.g., `admin`)
+   - `nexus_password`: Nexus password
 
-3. **Slack Webhook** (optional, for notifications):
+2. **Slack Webhook** (optional, for notifications):
    - `slack_webhook`: Slack webhook URL for build notifications
 
 ### Setting Secrets in Woodpecker
 
 Using the Woodpecker CLI:
 ```bash
 woodpecker secret add -repository openspp/openspp-packaging-docker \
-  -name docker_username \
-  -value "your-docker-username"
+  -name nexus_username \
+  -value "admin"
 
 woodpecker secret add -repository openspp/openspp-packaging-docker \
-  -name docker_password \
-  -value "your-docker-password"
+  -name nexus_password \
+  -value "your-nexus-password"
 ```
 
 Or via the Woodpecker UI:
@@ -80,9 +82,15 @@ If you cannot enable privileged mode on your Woodpecker server, you can use the
 ### Build fails with "unauthorized"
 
 **Solution**: Check that:
-1. Docker credentials secrets are properly configured
+1. Nexus credentials secrets are properly configured
 2. The credentials have push access to the target repository
-3. The registry URL is correct in the pipeline configuration
+3. The registry URLs are correct:
+   - Push: `docker-push.acn.fr`
+   - Pull: `docker.acn.fr`
+4. Test authentication locally:
+   ```bash
+   docker login docker-push.acn.fr -u admin
+   ```
 
 ## Pipeline Workflow
 
@@ -107,10 +115,17 @@ The pipeline triggers on:
 ## Environment Variables
 
 The pipeline uses these CI variables (automatically provided by Woodpecker):
-- `CI_REGISTRY`: Docker registry URL
+- `CI_REGISTRY`: Docker registry URL (defaults to `docker-push.acn.fr`)
 - `CI_REPO_OWNER`: Repository owner/organization
 - `CI_COMMIT_TAG`: Git tag (for releases)
 - `CI_COMMIT_BRANCH`: Git branch name
 - `CI_COMMIT_SHA`: Git commit hash
 - `CI_BUILD_CREATED`: Build timestamp
-- `PROD_REGISTRY`: Production registry URL (optional)
+- `PROD_REGISTRY`: Production registry URL (defaults to `docker-push.acn.fr`)
+
+## Registry URLs
+
+- **Push Operations:** `docker-push.acn.fr/openspp/openspp`
+- **Public Access:** `docker.acn.fr/openspp/openspp`
+
+Images are automatically available at the public URL after being pushed to the private registry.

Makefile

@@ -5,9 +5,11 @@
 
 # Variables
 IMAGE_TAG ?= daily
-REGISTRY ?= docker.io
+REGISTRY ?= docker.acn.fr
+PUSH_REGISTRY ?= docker-push.acn.fr
 REPO ?= openspp/openspp
 IMAGE_NAME = $(REGISTRY)/$(REPO)
+PUSH_IMAGE_NAME = $(PUSH_REGISTRY)/$(REPO)
 COMPOSE_FILE ?= docker-compose.yml
 COMPOSE_PROD_FILE ?= docker-compose.prod.yml
 
@@ -32,6 +34,8 @@ build: ## Build the standard Ubuntu-based image
 		--build-arg VCS_REF=$(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown") \
 		-t $(IMAGE_NAME):$(IMAGE_TAG) \
 		-t $(IMAGE_NAME):latest \
+		-t $(PUSH_IMAGE_NAME):$(IMAGE_TAG) \
+		-t $(PUSH_IMAGE_NAME):latest \
 		-f Dockerfile .
 
 build-slim: ## Build the lightweight Debian-based image
@@ -42,6 +46,8 @@ build-slim: ## Build the lightweight Debian-based image
 		--build-arg VCS_REF=$(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown") \
 		-t $(IMAGE_NAME):$(IMAGE_TAG)-slim \
 		-t $(IMAGE_NAME):latest-slim \
+		-t $(PUSH_IMAGE_NAME):$(IMAGE_TAG)-slim \
+		-t $(PUSH_IMAGE_NAME):latest-slim \
 		-f Dockerfile.slim .
 
 build-all: build build-slim ## Build both standard and slim images
@@ -144,13 +150,17 @@ backup: ## Backup database and filestore
 	@docker-compose -f $(COMPOSE_FILE) exec openspp tar -czf - /var/lib/openspp > backups/filestore_$(shell date +%Y%m%d_%H%M%S).tar.gz
 	@echo "$(GREEN)Backup completed in ./backups/$(NC)"
 
-push: ## Push images to registry
-	@echo "$(GREEN)Pushing images to $(REGISTRY)...$(NC)"
-	docker push $(IMAGE_NAME):$(IMAGE_TAG)
-	docker push $(IMAGE_NAME):latest
-	docker push $(IMAGE_NAME):$(IMAGE_TAG)-slim
-	docker push $(IMAGE_NAME):latest-slim
+push: ## Push images to Nexus registry
+	@echo "$(GREEN)Pushing images to $(PUSH_REGISTRY)...$(NC)"
+	@echo "$(YELLOW)Note: Make sure you're logged in: docker login $(PUSH_REGISTRY)$(NC)"
+	docker push $(PUSH_IMAGE_NAME):$(IMAGE_TAG)
+	docker push $(PUSH_IMAGE_NAME):latest
+	docker push $(PUSH_IMAGE_NAME):$(IMAGE_TAG)-slim
+	docker push $(PUSH_IMAGE_NAME):latest-slim
 	@echo "$(GREEN)Images pushed successfully$(NC)"
+	@echo "$(GREEN)Images available for public access at:$(NC)"
+	@echo "  $(IMAGE_NAME):$(IMAGE_TAG)"
+	@echo "  $(IMAGE_NAME):$(IMAGE_TAG)-slim"
 
 scan: ## Security scan with Trivy
 	@echo "$(GREEN)Scanning images for vulnerabilities...$(NC)"
@@ -161,9 +171,11 @@ scan: ## Security scan with Trivy
 info: ## Show environment information
 	@echo "$(GREEN)OpenSPP Docker Environment Information$(NC)"
 	@echo "Image Tag: $(IMAGE_TAG)"
-	@echo "Registry: $(REGISTRY)"
+	@echo "Public Registry: $(REGISTRY)"
+	@echo "Push Registry: $(PUSH_REGISTRY)"
 	@echo "Repository: $(REPO)"
-	@echo "Image: $(IMAGE_NAME)"
+	@echo "Public Image: $(IMAGE_NAME)"
+	@echo "Push Image: $(PUSH_IMAGE_NAME)"
 	@echo "APT Repository: https://builds.acn.fr/repository/apt-openspp-daily"
 	@echo ""
 	@echo "$(YELLOW)Container Status:$(NC)"
@@ -190,4 +202,9 @@ prod-check: ## Validate production readiness
 	@echo -n "4. Checking admin password... "
 	@docker-compose -f $(COMPOSE_FILE) exec openspp grep "admin_passwd" /etc/openspp/odoo.conf | grep -q "admin_passwd = admin" && echo "$(RED)✗ Using default password$(NC)" || echo "$(GREEN)✓$(NC)"
 	@echo ""
-	@echo "$(GREEN)Production check complete$(NC)"
+	@echo "$(GREEN)Production check complete$(NC)"
+
+login: ## Login to Nexus Docker registry
+	@echo "$(GREEN)Logging in to Nexus registry: $(PUSH_REGISTRY)$(NC)"
+	@docker login $(PUSH_REGISTRY)
+	@echo "$(GREEN)Successfully logged in to $(PUSH_REGISTRY)$(NC)"

README.md

@@ -4,6 +4,12 @@ Production-ready Docker images for OpenSPP Social Protection Platform based on O
 
 > **Note:** This configuration uses OpenSPP daily builds from the [apt-openspp-daily](https://builds.acn.fr/repository/apt-openspp-daily/) repository. The package name is `openspp-17-daily`.
 
+## Docker Registry
+
+Images are hosted on ACN Nexus Docker Registry:
+- **Public access (pull):** `docker.acn.fr/openspp/openspp`
+- **Push access:** `docker-push.acn.fr/openspp/openspp` (requires authentication)
+
 ## Features
 
 - 🚀 **Multi-architecture support** (amd64, arm64)
@@ -66,7 +72,7 @@ docker run -d \
   -e DB_USER=openspp \
   -e DB_PASSWORD=openspp \
   -e ODOO_ADMIN_PASSWORD=admin \
-  openspp/openspp:latest
+  docker.acn.fr/openspp/openspp:latest
 ```
 
 ## Image Variants
@@ -75,13 +81,13 @@ docker run -d \
 - **Base**: Ubuntu 24.04 LTS
 - **Size**: ~1.5GB
 - **Use case**: Production deployments requiring maximum compatibility
-- **Tag**: `openspp/openspp:latest`
+- **Tag**: `docker.acn.fr/openspp/openspp:latest`
 
 ### Slim Image (Debian Bookworm)
 - **Base**: Debian bookworm-slim
 - **Size**: ~1.0GB
 - **Use case**: Resource-constrained environments
-- **Tag**: `openspp/openspp:latest-slim`
+- **Tag**: `docker.acn.fr/openspp/openspp:latest-slim`
 
 ## Configuration
 
@@ -189,17 +195,36 @@ See [kubernetes/](./kubernetes/) directory for Helm charts and manifests.
 
 ```bash
 # Build standard image (installs from APT repository)
-docker build -t openspp:local .
+make build
 
 # Build slim image (installs from APT repository)
-docker build -f Dockerfile.slim -t openspp:local-slim .
+make build-slim
+
+# Build both images
+make build-all
 
 # Build for multiple architectures
 docker buildx build --platform linux/amd64,linux/arm64 -t openspp:local .
 ```
 
 Note: The images automatically install the latest daily build from the OpenSPP APT repository at https://builds.acn.fr/repository/apt-openspp-daily/
 
+### Pushing to Nexus Registry
+
+```bash
+# Login to Nexus registry
+make login
+# Or manually:
+docker login docker-push.acn.fr
+
+# Push images
+make push
+```
+
+Images will be available at:
+- `docker.acn.fr/openspp/openspp:latest` (public access)
+- `docker.acn.fr/openspp/openspp:latest-slim` (public access)
+
 ### CI/CD Pipeline
 
 The Woodpecker CI pipeline automatically:

docker-compose.prod.yml

@@ -84,7 +84,7 @@ services:
 
   # OpenSPP Application (Using slim image for production)
   openspp:
-    image: ${REGISTRY:-docker.io}/openspp/openspp:${IMAGE_TAG:-daily}-slim
+    image: ${REGISTRY:-docker.acn.fr}/openspp/openspp:${IMAGE_TAG:-daily}-slim
     container_name: openspp_app_prod
     restart: always
     depends_on: