From 96c8abbeb3587168dbb94092d34f7ddded6f5264 Mon Sep 17 00:00:00 2001 From: "soroush.asadi" Date: Fri, 5 Jun 2026 08:53:46 +0330 Subject: [PATCH] CI/Docker: use SSL-free Nexus endpoints (mirror serves partial chain) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The HTTPS Nexus serves an incomplete cert chain that container trust stores reject (NU1301 PartialChain / UNABLE_TO_GET_ISSUER), failing CI restore/install. - NuGet has no strict-ssl flag → point CI + Dockerfile + compose at the plain-HTTP Nexus (http://171.22.25.73:8081, allowInsecureConnections) — no TLS, no cert check. - npm: add --strict-ssl=false to the CI web-check install (Dockerfile already had it); Docker npm registry default also moved to the HTTP Nexus. - ENV_FILE.example documents NUGET_INDEX/NPM_REGISTRY overrides. Local dev (Windows trusts the cert) + image base pulls (Docker trusts it) are unaffected — only in-container package feeds switch to HTTP. Co-Authored-By: Claude Opus 4.8 --- .gitea/workflows/ci-cd.yml | 6 ++++-- Dockerfile | 2 +- deploy/ENV_FILE.example | 6 ++++++ docker-compose.yml | 9 +++++---- server/Dockerfile | 2 +- 5 files changed, 17 insertions(+), 8 deletions(-) diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml index 7c8b3db..7680c0c 100644 --- a/.gitea/workflows/ci-cd.yml +++ b/.gitea/workflows/ci-cd.yml @@ -37,7 +37,9 @@ jobs: - + + @@ -77,7 +79,7 @@ jobs: tar -xzf /tmp/repo.tar.gz --strip-components=1 - name: Install - run: npm ci --legacy-peer-deps --registry https://mirror.soroushasadi.com/repository/npm-group/ + run: npm ci --legacy-peer-deps --strict-ssl=false --registry https://mirror.soroushasadi.com/repository/npm-group/ - name: TypeScript check run: npx tsc --noEmit diff --git a/Dockerfile b/Dockerfile index a4c51f1..c534a98 100644 --- a/Dockerfile +++ b/Dockerfile 
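Review bot: `--strict-ssl=false` on the new `npm ci` line in the `@@ -77` hunk switches certificate validation off for the registry altogether, so any on-path party can present any certificate and the `https://mirror.soroushasadi.com/...` URL no longer provides more assurance than plain HTTP; the stated cause (a missing intermediate) calls for adding that CA, not removing verification. Point npm at the public chain instead, e.g. `NODE_EXTRA_CA_CERTS=deploy/nexus-ca.crt npm ci --legacy-peer-deps --registry https://mirror.soroushasadi.com/repository/npm-group/` (or `npm config set cafile deploy/nexus-ca.crt` in a preceding step), and have the Nexus/reverse proxy serve its full chain so the workaround can be dropped everywhere. Tarball bytes are still checked against the `integrity` hashes in package-lock.json under `npm ci`, so the residual exposure is registry metadata and any lockfile entry without an integrity field — worth confirming the lockfile is complete. The earlier `@@ -37` hunk of this workflow has no visible content in this copy, so its restore-side changes were not reviewed.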
@@ -11,7 +11,7 @@ COPY package*.json ./ # NPM_REGISTRY=http://:8081/repository/npm-group/ for hosts whose trust # store lacks the mirror's intermediate (PartialChain) — e.g. local Docker Desktop. # strict-ssl=false also tolerates the partial chain when HTTPS is used. -ARG NPM_REGISTRY=https://mirror.soroushasadi.com/repository/npm-group/ +ARG NPM_REGISTRY=http://171.22.25.73:8081/repository/npm-group/ RUN npm ci --legacy-peer-deps --strict-ssl=false --no-audit --no-fund \ --registry "${NPM_REGISTRY}" COPY . . diff --git a/deploy/ENV_FILE.example b/deploy/ENV_FILE.example index ea5b9ae..b059c42 100644 --- a/deploy/ENV_FILE.example +++ b/deploy/ENV_FILE.example @@ -29,6 +29,12 @@ NEXT_PUBLIC_SERVER_URL=http://localhost:1505 # Origins allowed by the API's CORS (comma-separated). Must include the web URL. CORS_ORIGINS=http://localhost:1500 +# Package mirrors used during Docker builds. Default to the plain-HTTP Nexus +# (no SSL) because the HTTPS mirror serves a partial cert chain that fresh +# container trust stores reject. Override only if your Nexus moves. +# NUGET_INDEX=http://171.22.25.73:8081/repository/nuget-group/index.json +# NPM_REGISTRY=http://171.22.25.73:8081/repository/npm-group/ + # ZarinPal (sandbox for now — switch in admin/panel later) ZARINPAL_MERCHANT_ID=299685fb-cadf-4dfc-98e2-d4af5d81528d ZARINPAL_SANDBOX=true diff --git a/docker-compose.yml b/docker-compose.yml index 86cb224..e120544 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
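Review bot: The new default `ARG NPM_REGISTRY=http://171.22.25.73:8081/repository/npm-group/` moves every image build's dependency fetch to plain HTTP against an IP literal, and with `--strict-ssl=false` already on the `npm ci` line the build has no transport protection at all; package-lock `integrity` hashes still cover tarball contents under `npm ci`, but not registry metadata, and only for entries that carry one. The three comment lines above the ARG are now stale — they present the HTTP IP as an override "for hosts whose trust store lacks the mirror's intermediate", yet it is now the default for everyone. Since the diagnosed problem is a missing intermediate, the build can install that public CA and keep HTTPS verified, as sketched below (assumes a Debian/Alpine-based image with `ca-certificates` present and a repo-root build context; adjust paths for the actual base). If HTTP must stay, replace the stale comment with one stating it is a deliberate, unauthenticated downgrade and naming the condition for reverting it.

```dockerfile
# … unchanged: FROM / WORKDIR / COPY package*.json ./ …
# Trust the mirror's issuing CA so HTTPS verifies instead of being disabled.
# nexus-ca.crt holds only the public intermediate/root chain (no secrets).
COPY deploy/nexus-ca.crt /usr/local/share/ca-certificates/nexus-ca.crt
RUN update-ca-certificates
ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/nexus-ca.crt
ARG NPM_REGISTRY=https://mirror.soroushasadi.com/repository/npm-group/
RUN npm ci --legacy-peer-deps --no-audit --no-fund \
    --registry "${NPM_REGISTRY}"
# … unchanged: COPY . . and the rest of the build …
```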
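Review bot: The new comment block in ENV_FILE.example tells operators to override `NUGET_INDEX`/`NPM_REGISTRY` "only if your Nexus moves", which hides that the HTTPS endpoints are the intended configuration and that HTTP is a workaround for a fixable chain problem; whoever reads this file later gets no cue to revert. Suggest rewording the third comment line to `# Revert to the https://mirror.soroushasadi.com/... URLs once the mirror serves its full chain; the HTTP feeds are unauthenticated.` so the downgrade and its exit condition are recorded in the one place operators actually edit. The existing secret-looking values lower in this example file are unchanged by this commit and were not reviewed here.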
@@ -30,8 +30,9 @@ services: context: ./server dockerfile: Dockerfile args: - # Default HTTPS; local .env overrides to the HTTP Nexus IP (PartialChain). - NUGET_INDEX: ${NUGET_INDEX:-https://mirror.soroushasadi.com/repository/nuget-group/index.json} + # Plain-HTTP Nexus (no SSL) — the HTTPS mirror serves a partial cert chain + # containers can't validate. Override via .env if needed. + NUGET_INDEX: ${NUGET_INDEX:-http://171.22.25.73:8081/repository/nuget-group/index.json} image: hokm-server:latest container_name: hokm-server restart: unless-stopped @@ -70,8 +71,8 @@ services: # BROWSER uses to reach the API (host-mapped api port, or LAN IP). NEXT_PUBLIC_USE_SERVER: "1" NEXT_PUBLIC_SERVER_URL: ${NEXT_PUBLIC_SERVER_URL:-http://localhost:1505} - # Default HTTPS; local .env overrides to the HTTP Nexus IP (PartialChain). - NPM_REGISTRY: ${NPM_REGISTRY:-https://mirror.soroushasadi.com/repository/npm-group/} + # Plain-HTTP Nexus (no SSL). Override via .env if needed. + NPM_REGISTRY: ${NPM_REGISTRY:-http://171.22.25.73:8081/repository/npm-group/} image: hokm-web:latest container_name: hokm-web restart: unless-stopped diff --git a/server/Dockerfile b/server/Dockerfile index 3b7fd26..551798d 100644 --- a/server/Dockerfile +++ b/server/Dockerfile @@ -6,7 +6,7 @@ WORKDIR /src # NUGET_INDEX=http://:8081/repository/nuget-group/index.json for hosts # whose trust store lacks the mirror's intermediate (PartialChain) — e.g. local # Docker Desktop. allowInsecureConnections lets .NET 10 use the HTTP feed. -ARG NUGET_INDEX=https://mirror.soroushasadi.com/repository/nuget-group/index.json +ARG NUGET_INDEX=http://171.22.25.73:8081/repository/nuget-group/index.json RUN printf '%s\n' \ '' \ '' \
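Review bot: Defaulting `NUGET_INDEX` to `http://171.22.25.73:8081/repository/nuget-group/index.json` means `dotnet restore` inside the server image fetches packages with no transport authentication, and NuGet has no per-package content hash to check unless the project opts into `packages.lock.json` with locked mode, which nothing in this diff shows — a tampered feed response would be installed silently. .NET on Linux reads the OpenSSL trust store (`update-ca-certificates`, or `SSL_CERT_FILE`/`SSL_CERT_DIR`), so the missing intermediate can be installed in `server/Dockerfile` and this default kept at `https://mirror.soroushasadi.com/repository/nuget-group/index.json`. If HTTP is retained, at least pin content: `<RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>` in the project plus `dotnet restore -p:RestoreLockedMode=true`, so a hash mismatch fails the build instead of being accepted. The replacement comment should also say the feed is unauthenticated rather than only "no SSL".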
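Review bot: The three comment lines above the new `ARG NUGET_INDEX=http://171.22.25.73:8081/...` in server/Dockerfile still describe the HTTP IP as a per-host override for trust stores lacking the intermediate, but it is now the default for every build, so the comment contradicts the code it annotates. The `RUN printf` that follows (its arguments are blank in this copy, and the statement continues past the hunk) presumably writes a nuget.config enabling `allowInsecureConnections`, which switches off the one guard .NET 10 applies to HTTP feeds. Installing the public chain instead keeps HTTPS verified: `COPY nexus-ca.crt /usr/local/share/ca-certificates/` followed by `RUN update-ca-certificates` before restore (for Debian-based SDK images; .NET on Linux uses the OpenSSL store), leaving the ARG at the `https://mirror.soroushasadi.com` URL. If HTTP is kept, replace the stale comment with `# Default is plain HTTP (unauthenticated) because the HTTPS mirror serves a partial chain; revert to https once the chain is fixed.`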