Free & Open Source — No License Fees

Universal Artifact
Repository Manager

Drop-in replacement for other artifact repository managers. Manage Maven, Docker, npm, PyPI, Helm and 9 more formats — in one self-hosted registry, forever free.

Quick Deploy Star on GitHub Read the Docs

Maven npm Docker PyPI Go Modules NuGet Helm Cargo Apt Yum Conan Raw Conda Terraform

14

Artifact Formats

1729

Tests Passing

100%

Nexus API Compat

$0

License Fee

Migrate from Nexus

Stream all repos, users, and artifacts from a live Nexus instance in one command. Pausable, conflict-safe.

Webhooks & Events

Async fire-and-forget delivery for artifact.published, artifact.deleted, repo.created, promotion.requested/approved and more. Slack, CI-CD, custom integrations.

OIDC / SSO Built-in

Keycloak, Google, Entra ID, Okta. JIT user provisioning, group-to-role mapping from IdP claims.

Cleanup Policies

Automated retention rules: max age, last-downloaded threshold, retain-N-versions. CRON scheduling.

S3-Compatible Storage

Route any repository to MinIO, AWS S3, Wasabi, or local filesystem. Per-repo blob store assignment.

Audit Log & CVE Scan

90-day audit trail with NDJSON streaming export. Trivy-powered Docker image scanning and OSV.dev for Maven/npm/PyPI/Cargo.

Staging & Promotion

Promotion rules with CEL path filters, scan pass gates, and manual approval. Bulk-promote from Browse. Webhook-driven approval workflow.

Content Replication

Push artifacts to remote Nexspence instances on cron schedule. AES-256-GCM credentials, per-asset diff, run history.

Product Demo

See Nexspence in action

Full walkthrough — repository management, artifact upload, RBAC, CVE scanning, build promotion, and more.

⬇ Download MP4 (56 MB)

14 Formats

One registry for all your artifacts

Every format supports Hosted, Proxy, and Group types. One URL for your entire organization.

Maven

Maven 2/3

HostedProxyGroup

npm

Registry v1

HostedProxyGroup

Docker

OCI Distrib. v2

HostedProxyGroup

PyPI

Simple Index

HostedProxyGroup

Go Modules

GOPROXY v2

HostedProxy

NuGet

v2 OData / v3

HostedProxyGroup

Helm

Chart Repo

HostedProxy

Cargo

Sparse Index

HostedProxy

Apt

Debian Packages

HostedProxy

Yum / RPM

repomd.xml

HostedProxy

Conan

Conan v1

HostedProxy

Raw

PUT/GET/DELETE

Hosted

Conda

channel / repodata

HostedProxy

Terraform

Registry Mirror

HostedProxy

Infrastructure as Code

Manage Nexspence with Terraform

Official provider on the Terraform Registry — repositories, blob stores, users, roles, content selectors, privileges, cleanup policies, routing rules, webhooks and promotion rules, all version-controlled.

nexspence/nexspence v0.2.0

main.tf

# Pin the provider — terraform init pulls it from the registry
terraform {
  required_providers {
    nexspence = {
      source  = "nexspence/nexspence"
      version = "~> 0.2"
    }
  }
}

resource "nexspence_repository" "maven_central" {
  name       = "maven-central"
  format     = "maven2"
  type       = "proxy"
  proxy { remote_url = "https://repo1.maven.org/maven2/" }
}

Terraform Registry Provider Docs Source

Clean Architecture

Handler → Service → Repository

No circular imports. All DB access through mockable interfaces. Plugin-style format handlers for each of the 14 formats.

Go

Go (Golang) + Gin

Backend · pgx · golang-migrate

Re

React + TypeScript

Vite · Zustand · React Query

PG

PostgreSQL + pgxpool

Database · goose migrations

S3

S3 / MinIO Blob Store

Local filesystem or any S3-compatible

Request Flow

HTTP / Router

GinRBACAuthMiddlewareAudit

Handlers

AuthHandlerComponentHandlerPromotionHandlerBackupHandler

Format Handlers

DockerMavennpmHelm+10

Services

RepositoryServicePromotionServiceReplicationServiceCleanupServiceWebhookService

Repository

ComponentRepoAssetRepoPromotionRepoAuditRepo

Storage

PostgreSQLLocalBlobStoreS3BlobStore

Security

Enterprise Auth — Zero Cost

OIDC SSO, LDAP, API tokens, JWT, and fine-grained RBAC with CEL content selectors — all built in.

OIDC / SSO Providers

Auth code + PKCE. AES-256-GCM sealed state cookie. JIT provisioning. Group-to-role mapping from IdP claims.

Keycloak

Google

Azure Entra

Okta

Authentication Methods

Multiple strategies in one middleware — no extra config per client type.

JWT Bearer tokens — short-lived, configurable max days
API Tokens nxs_* — SHA-256 hash only stored
HTTP Basic — username/password or API token as password
LDAP bind with JIT sync and admin role mapping
Anonymous read-through for public repos

RBAC + Content Selectors

CEL expression path-level scoping. Nexus-compatible privilege model.

User → Role → Privilege → Content Selector

format == "maven2" &&
path =~ "^/com/example/"

CVE Scanning + Audit Logs

Trivy-based Docker image scanning. 90-day audit trail with NDJSON export.

Scan on-demand via GET /api/v1/components/:id/scan
Results cached in component.extra JSON
Audit log: date/user filters, NDJSON streaming export
90-day retention via monthly partition rotation

Install

Up and running in 2 minutes

Choose your deployment method. Docker Compose for a quick start, native packages for bare-metal installs, or Helm for production Kubernetes.

📦

Download the latest release

Pre-packaged with docker-compose.yml and config.yaml — unpack and run

GitHub Releases →

01

Unpack the release

Extract the archive: tar -xzf nexspence-v*.tar.gz && cd nexspence-*

02

Edit config.yaml

Change jwt_secret (min 32 chars) and admin_password — everything else works out of the box

03

Start and open

Auto-migrates on first start. Login at localhost:8081 — credentials: admin / admin123

shell

$ tar -xzf nexspence-v*.tar.gz $ cd nexspence-* $ # edit config.yaml — change jwt_secret and admin_password $ docker compose up -d # starts postgres + nexspence, auto-migrates on first run $ open http://localhost:8081 # login: admin / admin123

With MinIO — S3-compatible storage

MinIO is included in docker-compose.yml. Set the storage type via env var — MinIO API on port 9000, console on 9001.

shell

$ NEXSPENCE_STORAGE_DEFAULT_TYPE=s3 \ docker compose up -d # MinIO S3 API: http://localhost:9000 # MinIO console: http://localhost:9001 # minioadmin / minioadmin # Nexspence UI: http://localhost:8081

HA Cluster — High Availability

Uses docker-compose.ha.yml: 2 × Nexspence nodes, nginx load balancer (least_conn), Redis, MinIO, PostgreSQL.

shell

$ docker compose \ -f docker-compose.ha.yml \ up -d # 2 × Nexspence + nginx LB (least_conn) # + Redis + MinIO + PostgreSQL # Load balancer: http://localhost:8080

With Keycloak SSO

Starts a pre-configured Keycloak dev instance with the nexspence realm imported. "Sign in with Keycloak" appears on the login page.

shell

$ OIDC_ENABLED=true \ docker compose \ --profile keycloak \ up -d # Nexspence UI: http://localhost:8081 # login: admin / admin123 # Keycloak admin: http://localhost:8180 # login: admin / admin # Test SSO user: testuser / testpass # mapped to nx-admin role

View on GitHub

All releases & changelogs →

Requirements: Helm 3.x · Kubernetes ≥ 1.26. Image ghcr.io/nexspence/nexspence is pulled automatically from GitHub Container Registry.

NETWORKING OPTION

shell — nginx ingress

$ helm install nexspence \ deploy/helm/nexspence \ -f deploy/helm/nexspence/values-examples/nginx.yaml \ --set config.jwtSecret="$(openssl rand -hex 32)" \ --set config.adminPassword="changeme" \ --namespace nexspence \ --create-namespace

shell — traefik ingress (HTTPS)

$ helm install nexspence \ deploy/helm/nexspence \ -f deploy/helm/nexspence/values-examples/traefik.yaml \ --set config.jwtSecret="$(openssl rand -hex 32)" \ --set config.adminPassword="changeme" \ --namespace nexspence \ --create-namespace # Routes via websecure entrypoint # TLS secret: nexspence-tls

shell — cilium ingress-controller

# Requires: Cilium ≥ 1.12 # with ingress controller enabled $ helm install nexspence \ deploy/helm/nexspence \ -f deploy/helm/nexspence/values-examples/cilium-ingress.yaml \ --set config.jwtSecret="$(openssl rand -hex 32)" \ --set config.adminPassword="changeme" \ --namespace nexspence \ --create-namespace

shell — istio gateway + virtual service

# Requires: istioctl install \ # --set profile=default $ helm install nexspence \ deploy/helm/nexspence \ -f deploy/helm/nexspence/values-examples/istio-gateway.yaml \ --set config.jwtSecret="$(openssl rand -hex 32)" \ --set config.adminPassword="changeme" \ --namespace nexspence \ --create-namespace

shell — cilium K8s Gateway API

# Requires: Cilium ≥ 1.14 # K8s Gateway API CRDs installed $ helm install nexspence \ deploy/helm/nexspence \ -f deploy/helm/nexspence/values-examples/cilium-gateway.yaml \ --set config.jwtSecret="$(openssl rand -hex 32)" \ --set config.adminPassword="changeme" \ --namespace nexspence \ --create-namespace

Full Helm reference → All releases & changelogs →

Single self-contained binary — the web UI is embedded, so the only runtime dependency is an external PostgreSQL (13+). Download the package or archive for your OS from GitHub Releases.

01

Install the package

Linux .deb/.rpm install the binary, a nexspence user and a systemd unit. macOS & Windows ship as archives with launchd / service scripts.

02

Point at PostgreSQL & edit config

Set database.dsn, jwt_secret (min 32 chars) and admin_password in /etc/nexspence/config.yaml. Schema auto-migrates on first start.

03

Enable the service

Run systemctl enable --now nexspence, then open localhost:8081.

shell — Debian / Ubuntu

$ sudo dpkg -i nexspence_*_linux_amd64.deb $ sudo nano /etc/nexspence/config.yaml # set database.dsn, jwt_secret and admin_password $ sudo systemctl enable --now nexspence $ open http://localhost:8081

RHEL / Fedora / SUSE — .rpm

Same layout as the .deb — installs the binary, the nexspence user and the systemd unit.

shell

$ sudo rpm -i nexspence_*_linux_amd64.rpm $ sudo nano /etc/nexspence/config.yaml $ sudo systemctl enable --now nexspence

macOS — archive + launchd

Extract the darwin archive, install the binary and the launchd daemon. The binary is unsigned, so clear the quarantine attribute.

shell

$ tar -xzf nexspence_*_darwin_arm64.tar.gz $ sudo cp nexspence /usr/local/bin/ $ sudo xattr -dr com.apple.quarantine /usr/local/bin/nexspence $ sudo cp packaging/launchd/com.nexspence.server.plist /Library/LaunchDaemons/ $ sudo launchctl load -w /Library/LaunchDaemons/com.nexspence.server.plist

Windows — service

Extract the windows zip, then from an elevated PowerShell register the service and start it.

PowerShell (Administrator)

PS> .\packaging\windows\install-service.ps1 PS> notepad C:\ProgramData\Nexspence\config.yaml PS> Start-Service nexspence

Full native install guide →

All releases & changelogs →

Comparison

Nexspence vs other systems

Everything commercial managers charge for — included in Nexspence, free forever.

Feature	Nexspence	Other systems
Price	$0 forever	Free / paid tiers
Nexus REST API v1	100% compatible	Native
OIDC / SSO	Keycloak, Google, Entra, Okta	Paid tier only
LDAP Authentication	Built-in	Built-in
Docker OCI v2	Full spec	Full spec
S3 Blob Store	Any S3-compatible	Paid tier only
Vulnerability Scanning	Trivy (built-in)	Paid add-on
Webhooks	Built-in async	Paid tier only
Per-repo Export / Import	Streaming tar.gz	Admin UI
Go Modules (GOPROXY)	Native	Community plugin
Cargo / Conan	Native	Not supported
Audit Log NDJSON Export	Built-in streaming	Paid feature
Component Tagging	Yes (GIN index)	Paid tier only
CEL Content Selectors	Yes	XPath / Regex
SAML 2.0 SSO	Built-in	Paid tier only
High Availability (Redis + S3)	Built-in	Paid tier only
Content Replication	Built-in (cron, AES-GCM creds)	Paid tier only
Staging & Build Promotion	Built-in (CEL filter, approval)	Paid tier only
Conda / Terraform Registry	Native	Not supported

Ready to switch?

One command streams all repos, users, and artifacts. 100% API compatible — zero client changes.

Star on GitHub Quick Deploy →

Universal Artifact Repository Manager

See Nexspence in action

One registry for all your artifacts

Manage Nexspence with Terraform

Handler → Service → Repository

Enterprise Auth — Zero Cost

Up and running in 2 minutes

Nexspence vs other systems

Universal Artifact
Repository Manager