+  - build
   - deploy
+  - ship
-build production image:
-  stage: deploy
+  OPENSHIFT_SERVER: "https://api.paas.okd.cern.ch"
+    value: "repository"
+    description: Indicates where the pipeline should deploy (can be "repository" or "nexus")
+    rules:
+      - if: $CI_COMMIT_REF_NAME !=  "master" && $DEPLOYMENT_TARGET == "repository"
+        variables:
+          ENVIRONMENT_NAME: staging/repository
+          DEPLOYMENT_TIER: staging
+          UPSTREAM_DOCKER_TAG: pro
+          NAMESPACE: test-repository
+          ENVIRONMENT_URL: "test-repository.web.cern.ch/nexus"
+      - if: $CI_COMMIT_REF_NAME !=  "master" && $DEPLOYMENT_TARGET == "nexus"
+        variables:
+          ENVIRONMENT_NAME: staging/nexus
+          DEPLOYMENT_TIER: staging
+          UPSTREAM_DOCKER_TAG: oss
+          NAMESPACE: test-nexus
+          ENVIRONMENT_URL: "test-nexus.web.cern.ch/nexus"
+      - if: $CI_COMMIT_REF_NAME ==  "master" && $DEPLOYMENT_TARGET == "repository"
+        variables:
+          ENVIRONMENT_NAME: production/repository
+          DEPLOYMENT_TIER: production
+          UPSTREAM_DOCKER_TAG: pro
+          NAMESPACE: ics-repository
+          ENVIRONMENT_URL: "ics-repository.web.cern.ch/nexus"      
+      - if: $CI_COMMIT_REF_NAME ==  "master" && $DEPLOYMENT_TARGET == "nexus"
+        variables:                                 
+          ENVIRONMENT_NAME: production/nexus
+          DEPLOYMENT_TIER: production
+          UPSTREAM_DOCKER_TAG: oss
+          NAMESPACE: nexus
+          ENVIRONMENT_URL: "nexus.web.cern.ch/nexus"
+      - when: always 
+.openshift_auth_setup: &openshift_auth_setup
+  image: gitlab-registry.cern.ch/paas-tools/openshift-client:latest
+  environment:
+    name: ${ENVIRONMENT_NAME}
+    url: https://${ENVIRONMENT_URL}
+  before_script:
+    - echo "Sourcing ${ENV_CI_VAR} into .env file ( path ${!ENV_CI_VAR} ) "
+    - cat ${!ENV_CI_VAR} > .env
+    - echo -e '\n' >> .env
+    - echo "NAMESPACE=${NAMESPACE}" >> .env
+    - source .env
+    - echo "Authenticating with ${OPENSHIFT_SERVER} using ${OPENSHIFT_TOKEN}"
+    - oc login $OPENSHIFT_SERVER --token=$OPENSHIFT_TOKEN
+    - oc project $NAMESPACE
+Build image:
+  stage: build
-    name: gitlab-registry.cern.ch/ci-tools/docker-image-builder
+    name: gitlab-registry.cern.ch/ci-tools/docker-image-builder    
     entrypoint: [""]
     - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:prod
-  only:
-    - master
+    - /kaniko/executor --context $CI_PROJECT_DIR --build-arg UPSTREAM_DOCKER_TAG=${UPSTREAM_DOCKER_TAG} --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:${UPSTREAM_DOCKER_TAG}-${DEPLOYMENT_TIER}
+  when: manual
-build dev image:
+Update deployment:
+  <<: *openshift_auth_setup
   stage: deploy
-  image: 
-    name: gitlab-registry.cern.ch/ci-tools/docker-image-builder
-    entrypoint: [""]
-    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:latest
-  except:
-    - master
+    - echo "***** Updating instance deployment for ${ENVIRONMENT_NAME}"
+    - oc process --ignore-unknown-parameters -o json --param-file=.env -f deployment/templates/deployment.yml --local=true | jq '.items[] | select (.kind != "PersistentVolumeClaim")' | oc apply -f -
+    - oc process --ignore-unknown-parameters --param-file=.env -f deployment/templates/service.yml --local=true | oc apply -f -
+  when: manual
+import java.net.*;
+import java.io.*;
+import java.nio.channels.*;
+import java.util.Properties;
+public class MavenWrapperDownloader {
+    private static final String WRAPPER_VERSION = "0.5.6";
+    /**
+     * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided.
+     */
+    private static final String DEFAULT_DOWNLOAD_URL = "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/"
+        + WRAPPER_VERSION + "/maven-wrapper-" + WRAPPER_VERSION + ".jar";
+    /**
+     * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to
+     * use instead of the default one.
+     */
+    private static final String MAVEN_WRAPPER_PROPERTIES_PATH =
+            ".mvn/wrapper/maven-wrapper.properties";
+    /**
+     * Path where the maven-wrapper.jar will be saved to.
+     */
+    private static final String MAVEN_WRAPPER_JAR_PATH =
+            ".mvn/wrapper/maven-wrapper.jar";
+    /**
+     * Name of the property which should be used to override the default download url for the wrapper.
+     */
+    private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl";
+    public static void main(String args[]) {
+        System.out.println("- Downloader started");
+        File baseDirectory = new File(args[0]);
+        System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath());
+        // If the maven-wrapper.properties exists, read it and check if it contains a custom
+        // wrapperUrl parameter.
+        File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
+        String url = DEFAULT_DOWNLOAD_URL;
+        if(mavenWrapperPropertyFile.exists()) {
+            FileInputStream mavenWrapperPropertyFileInputStream = null;
+            try {
+                mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile);
+                Properties mavenWrapperProperties = new Properties();
+                mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream);
+                url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url);
+            } catch (IOException e) {
+                System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'");
+            } finally {
+                try {
+                    if(mavenWrapperPropertyFileInputStream != null) {
+                        mavenWrapperPropertyFileInputStream.close();
+                    }
+                } catch (IOException e) {
+                    // Ignore ...
+                }
+            }
+        }
+        System.out.println("- Downloading from: " + url);
+        File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH);
+        if(!outputFile.getParentFile().exists()) {
+            if(!outputFile.getParentFile().mkdirs()) {
+                System.out.println(
+                        "- ERROR creating output directory '" + outputFile.getParentFile().getAbsolutePath() + "'");
+            }
+        }
+        System.out.println("- Downloading to: " + outputFile.getAbsolutePath());
+        try {
+            downloadFileFromURL(url, outputFile);
+            System.out.println("Done");
+            System.exit(0);
+        } catch (Throwable e) {
+            System.out.println("- Error downloading");
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+    private static void downloadFileFromURL(String urlString, File destination) throws Exception {
+        if (System.getenv("MVNW_USERNAME") != null && System.getenv("MVNW_PASSWORD") != null) {
+            String username = System.getenv("MVNW_USERNAME");
+            char[] password = System.getenv("MVNW_PASSWORD").toCharArray();
+            Authenticator.setDefault(new Authenticator() {
+                @Override
+                protected PasswordAuthentication getPasswordAuthentication() {
+                    return new PasswordAuthentication(username, password);
+                }
+            });
+        }
+        URL website = new URL(urlString);
+        ReadableByteChannel rbc;
+        rbc = Channels.newChannel(website.openStream());
+        FileOutputStream fos = new FileOutputStream(destination);
+        fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE);
+        fos.close();
+        rbc.close();
+    }
-FROM sonatype/nexus
+FROM sonatype/nexus:${UPSTREAM_DOCKER_TAG}
 USER root
 RUN yum install -y rsync
-RUN curl -o cern-root-ca.crt https://cafiles.cern.ch/cafiles/certificates/CERN%20Root%20Certification%20Authority%202.crt
-RUN curl -o cern-ca.crt https://cafiles.cern.ch/cafiles/certificates/CERN%20Certification%20Authority.crt
-RUN curl -o cern-ca1.crt "https://cafiles.cern.ch/cafiles/certificates/CERN%20Certification%20Authority(1).crt"
-RUN curl -o cern-grid-ca.crt "https://cafiles.cern.ch/cafiles/certificates/CERN%20Grid%20Certification%20Authority.crt"
-RUN /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-root-ca.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-root
-RUN /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-ca.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-ca
-RUN /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-ca1.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-ca1
-RUN /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-grid-ca.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-grid-ca
-RUN mv *.crt /etc/pki/tls/certs
+RUN curl -o cern-root-ca.crt "https://cafiles.cern.ch/cafiles/certificates/CERN%20Root%20Certification%20Authority%202.crt" && \
+    curl -o cern-ca.crt "https://cafiles.cern.ch/cafiles/certificates/CERN%20Certification%20Authority.crt" && \
+    curl -o cern-ca1.crt "https://cafiles.cern.ch/cafiles/certificates/CERN%20Certification%20Authority(1).crt" && \
+    curl -o cern-grid-ca.crt "https://cafiles.cern.ch/cafiles/certificates/CERN%20Grid%20Certification%20Authority.crt" && \
+    /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-root-ca.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-root && \
+    /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-ca.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-ca && \
+    /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-ca1.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-ca1 && \
+    /usr/lib/jvm/jre/bin/keytool -noprompt -import -file cern-grid-ca.crt -storepass changeit -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias cern-grid-ca && \
+    mv *.crt /etc/pki/tls/certs
+# Fall back to plain user
 USER nexus
+# Sonatype Nexus 2 deployment
+A Nexus 2 server image for the CERN environment.
+![Nexus Pro](documentation/nexus-pro.png)
+# How to deploy
+## Pre-requisite : How to setup Openshift for automated deployment
+An Openshift service account can be used to deploy and configure the application. The service account is limited to a given Openshift project (=namespace).
+Use the following commands to register a service account - for instance, we use an Openshift project called "test-nexus2-project" and a service account "nexus2-deployer".
+oc create serviceaccount nexus2-deployer
+oc policy add-role-to-user admin system:serviceaccount:test-nexus2-project:nexus2-deployer
+oc serviceaccounts get-token nexus2-deployer -n test-nexus2-project
+This should display the authentication token that you can now use to authenticate :
+oc login <YOUR_SERVER> --token=<YOUR_NEW_TOKEN>
+## Step 1 - Optionally push images to the Gitlab registry
+New images are pushed by Gitlab CI automatically. You can also build and push them manually.
+docker build -t gitlab-registry.cern.ch/industrial-controls/sw-infra/nexus2:$VERSION .
+docker push gitlab-registry.cern.ch/industrial-controls/sw-infra/nexus2:$VERSION
+## Step 2 - Process OpenShift templates
+To bootstrap deployment, you must apply the templates once (to create the required persistent volume claims a.k.a. PVCs). After that, the CI pipeline will automatically apply any changes you make to the templates (of course, the PVCs are left untouched to preserve persistent data).
+For example :
+oc process -p NAMESPACE=test-nexus -p IMAGE_VERSION=oss-staging -f deployment/templates/deployment.yml --local=true | oc apply -f - --server=https://api.paas.okd.cern.ch --token=$OPENSHIFT_TOKEN
+oc process -p NAMESPACE=test-nexus -f deployment/templates/service.yml --local=true | oc apply -f - --server=https://api.paas.okd.cern.ch --token=$OPENSHIFT_TOKEN
+# How to develop locally
+docker run -ti --rm --net=host  -v /tmp/sonatype_work:/sonatype-work:z gitlab-registry.cern.ch/industrial-controls/sw-infra/nexus2:oss-staging
+# How to synchronize file systems
+The Openshift deployment ships a small RSYNC pod sidecar service that allows to access the persistent storage (/sonatype-work) even when the Nexus service is shut down
+oc get pods
+oc rsync <LOCAL_PATH> rsync-pod:/sonatype-work
+Note : the Nexus official image expects all files to be located directly under ```/sonatype-work```. It should contains the usual Nexus 2 folder hierarchies (```storage```, ```conf``` )....
+Please note that the ```/sonatype-work/conf/nexus.xml``` file contains the base URL of your deployment. Make sure you update it when deploying the service at a new address.
+apiVersion: v1
+kind: Template
+  - apiVersion: v1
+    kind: DeploymentConfig  
+    metadata:
+      name: rsync-dc
+      labels:
+        app: rsync
+    spec:
+      replicas: 1
+      revisionHistoryLimit: 10
+      selector:
+        app: rsync
+        deploymentconfig: rsync-dc
+      strategy:
+        activeDeadlineSeconds: 21600
+        recreateParams:
+          timeoutSeconds: 300
+        resources: {}
+        type: Recreate
+      template:
+        metadata:
+          labels:
+            app: rsync
+            deploymentconfig: rsync-dc
+        spec: 
+          containers:
+            - image: instrumentisto/rsync-ssh
+              imagePullPolicy: IfNotPresent
+              name: rsync
+              command: ['sh', '-c', 'echo The app is running! && sleep 3600']
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 256Mi
+                limits:
+                  cpu: 495m
+                  memory: 256Mi
+              volumeMounts:
+                - mountPath: /sonatype-work
+                  name: nexus-work-volume
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: File
+          dnsPolicy: ClusterFirst
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext: {}
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - name: nexus-work-volume
+              persistentVolumeClaim:
+                claimName: nexus-work-pvc                                               
+      test: false   
+      triggers:
+        - type: ConfigChange
+  - apiVersion: apps.openshift.io/v1
+    kind: DeploymentConfig
+    metadata:
+      labels:
+        app: nexus2
+      name: nexus2-dc
+      namespace: ${NAMESPACE}
+      selfLink: >-
+        /apis/apps.openshift.io/v1/namespaces/${NAMESPACE}/deploymentconfigs/nexus2
+    spec:
+      replicas: 1
+      selector:
+        app: nexus2
+        deploymentconfig: nexus2-dc
+      strategy:
+        activeDeadlineSeconds: 21600
+        recreateParams:
+          timeoutSeconds: 600
+        resources: {}
+        type: Recreate
+      template:
+        metadata:
+          labels:
+            app: nexus2
+            deploymentconfig: nexus2-dc
+        spec:
+          containers:
+            - image: >-
+                gitlab-registry.cern.ch/industrial-controls/sw-infra/nexus2:${IMAGE_VERSION}
+              imagePullPolicy: IfNotPresent
+              name: nexus2
+              livenessProbe:
+                failureThreshold: 5
+                httpGet:
+                  path: /nexus
+                  port: 8081
+                  scheme: HTTP
+                initialDelaySeconds: 30
+                periodSeconds: 30
+                successThreshold: 1
+                timeoutSeconds: 5
+              readinessProbe:
+                failureThreshold: 5
+                httpGet:
+                  path: /nexus
+                  port: 8081
+                  scheme: HTTP
+                initialDelaySeconds: 30
+                periodSeconds: 30
+                successThreshold: 1
+                timeoutSeconds: 15
+              # envFrom:
+              #   - configMapRef:
+              #       name: env-config
+              env:
+                - name: CONTEXT
+                  value: nexus
+              ports:
+                - containerPort: 8081
+                  protocol: TCP
+              resources: 
+                requests:
+                  cpu: 1000m
+                  memory: 1024Mi
+                limits:
+                  cpu: 1400m
+                  memory: 2048Mi
+              terminationMessagePath: /dev/termination-log
+              terminationMessagePolicy: File
+              volumeMounts:
+                - mountPath: /sonatype-work
+                  name: nexus-work-volume
+          dnsPolicy: ClusterFirst
+          restartPolicy: Always
+          schedulerName: default-scheduler
+          securityContext: { }
+          terminationGracePeriodSeconds: 30
+          volumes:
+            - name: nexus-work-volume
+              persistentVolumeClaim:
+                claimName: nexus-work-pvc
+  - 
+    kind: PersistentVolumeClaim
+    apiVersion: v1
+    metadata:
+      name: nexus-work-pvc
+      labels:
+        app: nexus2
+    spec:
+      accessModes:
+        - ReadWriteMany
+      resources:
+        requests:
+          storage: 190Gi
+  - name: IMAGE_VERSION
+    description: Image tag to deploy
+    required: true
+  - name: NAMESPACE
+    description: Nexus instance namespaces
+    required: true
+apiVersion: v1
+kind: Template
+  name: nexus2-service-template
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      labels:
+        app: nexus2
+      name: nexus2-service
+      namespace: ${NAMESPACE}
+      selfLink: /api/v1/namespaces/${NAMESPACE}/services/nexus2
+    spec:
+      ports:
+        - name: 8081-tcp
+          port: 8081
+          protocol: TCP
+          targetPort: 8081
+      selector:
+        deploymentconfig: nexus2-dc
+      sessionAffinity: None
+      type: ClusterIP
+  - apiVersion: route.openshift.io/v1
+    kind: Route
+    metadata:
+      labels:
+        app: nexus2
+      annotations:
+        router.cern.ch/network-visibility: Internet
+      name: nexus2-route
+      namespace: ${NAMESPACE}
+    spec:
+      host: ${NAMESPACE}.web.cern.ch
+      path: /nexus
+      port:
+        targetPort: 8081-tcp
+      tls:
+        insecureEdgeTerminationPolicy: Redirect
+        termination: edge
+      to:
+        kind: Service
+        name: nexus2-service
+        weight: 100
+      wildcardPolicy: None
+  - name: NAMESPACE
+    description: nexus2 instance namespace (hostname)
+    required: true
+# ----------------------------------------------------------------------------
+# Maven Start Up Batch script
+# Required ENV vars:
+# ------------------
+#   JAVA_HOME - location of a JDK home dir
+# Optional ENV vars
+# -----------------
+#   M2_HOME - location of maven2's installed home dir
+#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#     e.g. to debug Maven itself, use
+#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+  if [ -f /etc/mavenrc ] ; then
+    . /etc/mavenrc
+  fi
+  if [ -f "$HOME/.mavenrc" ] ; then
+    . "$HOME/.mavenrc"
+  fi
+# OS specific support.  $var _must_ be set to either true or false.
+case "`uname`" in
+  CYGWIN*) cygwin=true ;;
+  MINGW*) mingw=true;;
+  Darwin*) darwin=true
+    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+    if [ -z "$JAVA_HOME" ]; then
+      if [ -x "/usr/libexec/java_home" ]; then
+        export JAVA_HOME="`/usr/libexec/java_home`"
+      else
+        export JAVA_HOME="/Library/Java/Home"
+      fi
+    fi
+    ;;
+if [ -z "$JAVA_HOME" ] ; then
+  if [ -r /etc/gentoo-release ] ; then
+    JAVA_HOME=`java-config --jre-home`
+  fi
+if [ -z "$M2_HOME" ] ; then
+  ## resolve links - $0 may be a link to maven's home
+  PRG="$0"
+  # need this for relative symlinks
+  while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+      PRG="$link"
+    else
+      PRG="`dirname "$PRG"`/$link"
+    fi
+  done
+  saveddir=`pwd`
+  M2_HOME=`dirname "$PRG"`/..
+  # make it fully qualified
+  M2_HOME=`cd "$M2_HOME" && pwd`
+  cd "$saveddir"
+  # echo Using m2 at $M2_HOME
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --unix "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME="`(cd "$M2_HOME"; pwd)`"
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+if [ -z "$JAVA_HOME" ]; then
+  javaExecutable="`which javac`"
+  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+    # readlink(1) is not available as standard on Solaris 10.
+    readLink=`which readlink`
+    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+      if $darwin ; then
+        javaHome="`dirname \"$javaExecutable\"`"
+        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+      else
+        javaExecutable="`readlink -f \"$javaExecutable\"`"
+      fi
+      javaHome="`dirname \"$javaExecutable\"`"
+      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+      JAVA_HOME="$javaHome"
+      export JAVA_HOME
+    fi
+  fi
+if [ -z "$JAVACMD" ] ; then
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD="`which java`"
+  fi
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly." >&2
+  echo "  We cannot execute $JAVACMD" >&2
+  exit 1
+if [ -z "$JAVA_HOME" ] ; then
+  echo "Warning: JAVA_HOME environment variable is not set."
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+  if [ -z "$1" ]
+  then
+    echo "Path not specified to find_maven_basedir"
+    return 1
+  fi
+  basedir="$1"
+  wdir="$1"
+  while [ "$wdir" != '/' ] ; do
+    if [ -d "$wdir"/.mvn ] ; then
+      basedir=$wdir
+      break
+    fi
+    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+    if [ -d "${wdir}" ]; then
+      wdir=`cd "$wdir/.."; pwd`
+    fi
+    # end of workaround
+  done
+  echo "${basedir}"
+# concatenates all lines of a file
+concat_lines() {
+  if [ -f "$1" ]; then
+    echo "$(tr -s '\n' ' ' < "$1")"
+  fi
+BASE_DIR=`find_maven_basedir "$(pwd)"`
+if [ -z "$BASE_DIR" ]; then
+  exit 1;
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Found .mvn/wrapper/maven-wrapper.jar"
+    fi
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
+    fi
+    if [ -n "$MVNW_REPOURL" ]; then
+      jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+    else
+      jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+    fi
+    while IFS="=" read key value; do
+      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+      esac
+    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Downloading from: $jarUrl"
+    fi
+    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+    if $cygwin; then
+      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+    fi
+    if command -v wget > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found wget ... using wget"
+        fi
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            wget "$jarUrl" -O "$wrapperJarPath"
+        else
+            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
+        fi
+    elif command -v curl > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found curl ... using curl"
+        fi
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            curl -o "$wrapperJarPath" "$jarUrl" -f
+        else
+            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+        fi
+    else
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Falling back to using Java to download"
+        fi
+        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        # For Cygwin, switch paths to Windows format before running javac
+        if $cygwin; then
+          javaClass=`cygpath --path --windows "$javaClass"`
+        fi
+        if [ -e "$javaClass" ]; then
+            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Compiling MavenWrapperDownloader.java ..."
+                fi
+                # Compiling the Java class
+                ("$JAVA_HOME/bin/javac" "$javaClass")
+            fi
+            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                # Running the downloader
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Running MavenWrapperDownloader.java ..."
+                fi
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+            fi
+        fi
+    fi
+# End of extension
+if [ "$MVNW_VERBOSE" = true ]; then
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --path --windows "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+exec "$JAVACMD" \
+  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+@REM ----------------------------------------------------------------------------
+@REM Maven Start Up Batch script
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM Optional ENV vars
+@REM M2_HOME - location of maven2's installed home dir
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM     e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
+if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+if not "%JAVA_HOME%" == "" goto OkJHome
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+goto error
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+goto error
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+set EXEC_DIR=%CD%
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+cd "%EXEC_DIR%"
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Found %WRAPPER_JAR%
+    )
+) else (
+    if not "%MVNW_REPOURL%" == "" (
+        SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+    )
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Couldn't find %WRAPPER_JAR%, downloading it ...
+        echo Downloading from: %DOWNLOAD_URL%
+    )
+    powershell -Command "&{"^
+		"$webclient = new-object System.Net.WebClient;"^
+		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+		"}"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+		"}"
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Finished downloading %WRAPPER_JAR%
+    )
+@REM End of extension
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+if ERRORLEVEL 1 goto error
+goto end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
+if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%" == "on" pause
+if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
+exit /B %ERROR_CODE%
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>cern.accosft.swinfra.nexus</groupId>
+  <artifactId>nexus2</artifactId>
+  <version>2.14.19-1</version>
+  <description>CentOS Maven image with CERN customizations</description>
+  <scm>
+     <developerConnection>scm:git:ssh://git@gitlab.cern.ch:7999/industrial-controls/sw-infra/nexus2.git</developerConnection>
+  </scm>
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <mavenzip.url>https://cern.ch/maven/apache-maven-3.6.2-bin-cern-settings.zip</mavenzip.url>
+  </properties>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>com.amashchenko.maven.plugin</groupId>
+        <artifactId>gitflow-maven-plugin</artifactId>
+        <version>1.11.0</version>
+      </plugin>
+      <plugin>
+          <groupId>org.codehaus.mojo</groupId>
+          <artifactId>versions-maven-plugin</artifactId>
+          <version>2.5</version>
+      </plugin>
+    </plugins>
+  </build>