CI/Docker: use SSL-free Nexus endpoints (mirror serves partial chain)

The HTTPS Nexus serves an incomplete cert chain that container trust stores
reject (NU1301 PartialChain / UNABLE_TO_GET_ISSUER), failing CI restore/install.
- NuGet has no strict-ssl flag → point CI + Dockerfile + compose at the plain-HTTP
  Nexus (http://171.22.25.73:8081, allowInsecureConnections) — no TLS, no cert check.
- npm: add --strict-ssl=false to the CI web-check install (Dockerfile already had it);
  Docker npm registry default also moved to the HTTP Nexus.
- ENV_FILE.example documents NUGET_INDEX/NPM_REGISTRY overrides.

Local dev (Windows trusts the cert) + image base pulls (Docker trusts it) are
unaffected — only in-container package feeds switch to HTTP.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

.gitea/workflows/ci-cd.yml

@@ -37,7 +37,9 @@ jobs:
           <configuration>
             <packageSources>
               <clear />
-              <add key="nexus" value="https://mirror.soroushasadi.com/repository/nuget-group/index.json" protocolVersion="3" />
+              <!-- Plain-HTTP Nexus: the HTTPS mirror serves a partial cert chain that
+                   container trust stores can't validate (NU1301 PartialChain). HTTP = no SSL. -->
+              <add key="nexus" value="http://171.22.25.73:8081/repository/nuget-group/index.json" protocolVersion="3" allowInsecureConnections="true" />
             </packageSources>
             <config>
               <add key="http_retry_count" value="8" />
@@ -77,7 +79,7 @@ jobs:
           tar -xzf /tmp/repo.tar.gz --strip-components=1
 
       - name: Install
-        run: npm ci --legacy-peer-deps --registry https://mirror.soroushasadi.com/repository/npm-group/
+        run: npm ci --legacy-peer-deps --strict-ssl=false --registry https://mirror.soroushasadi.com/repository/npm-group/
 
       - name: TypeScript check
         run: npx tsc --noEmit

Dockerfile

@@ -11,7 +11,7 @@ COPY package*.json ./
 # NPM_REGISTRY=http://<nexus-ip>:8081/repository/npm-group/ for hosts whose trust
 # store lacks the mirror's intermediate (PartialChain) — e.g. local Docker Desktop.
 # strict-ssl=false also tolerates the partial chain when HTTPS is used.
-ARG NPM_REGISTRY=https://mirror.soroushasadi.com/repository/npm-group/
+ARG NPM_REGISTRY=http://171.22.25.73:8081/repository/npm-group/
 RUN npm ci --legacy-peer-deps --strict-ssl=false --no-audit --no-fund \
       --registry "${NPM_REGISTRY}"
 COPY . .

deploy/ENV_FILE.example

@@ -29,6 +29,12 @@ NEXT_PUBLIC_SERVER_URL=http://localhost:1505
 # Origins allowed by the API's CORS (comma-separated). Must include the web URL.
 CORS_ORIGINS=http://localhost:1500
 
+# Package mirrors used during Docker builds. Default to the plain-HTTP Nexus
+# (no SSL) because the HTTPS mirror serves a partial cert chain that fresh
+# container trust stores reject. Override only if your Nexus moves.
+# NUGET_INDEX=http://171.22.25.73:8081/repository/nuget-group/index.json
+# NPM_REGISTRY=http://171.22.25.73:8081/repository/npm-group/
+
 # ZarinPal (sandbox for now — switch in admin/panel later)
 ZARINPAL_MERCHANT_ID=299685fb-cadf-4dfc-98e2-d4af5d81528d
 ZARINPAL_SANDBOX=true

docker-compose.yml

@@ -30,8 +30,9 @@ services:
       context: ./server
       dockerfile: Dockerfile
       args:
-        # Default HTTPS; local .env overrides to the HTTP Nexus IP (PartialChain).
+        # Plain-HTTP Nexus (no SSL) — the HTTPS mirror serves a partial cert chain
-        NUGET_INDEX: ${NUGET_INDEX:-https://mirror.soroushasadi.com/repository/nuget-group/index.json}
+        # containers can't validate. Override via .env if needed.
+        NUGET_INDEX: ${NUGET_INDEX:-http://171.22.25.73:8081/repository/nuget-group/index.json}
     image: hokm-server:latest
     container_name: hokm-server
     restart: unless-stopped
@@ -70,8 +71,8 @@ services:
         # BROWSER uses to reach the API (host-mapped api port, or LAN IP).
         NEXT_PUBLIC_USE_SERVER: "1"
         NEXT_PUBLIC_SERVER_URL: ${NEXT_PUBLIC_SERVER_URL:-http://localhost:1505}
-        # Default HTTPS; local .env overrides to the HTTP Nexus IP (PartialChain).
+        # Plain-HTTP Nexus (no SSL). Override via .env if needed.
-        NPM_REGISTRY: ${NPM_REGISTRY:-https://mirror.soroushasadi.com/repository/npm-group/}
+        NPM_REGISTRY: ${NPM_REGISTRY:-http://171.22.25.73:8081/repository/npm-group/}
     image: hokm-web:latest
     container_name: hokm-web
     restart: unless-stopped

server/Dockerfile

@@ -6,7 +6,7 @@ WORKDIR /src
 # NUGET_INDEX=http://<nexus-ip>:8081/repository/nuget-group/index.json for hosts
 # whose trust store lacks the mirror's intermediate (PartialChain) — e.g. local
 # Docker Desktop. allowInsecureConnections lets .NET 10 use the HTTP feed.
-ARG NUGET_INDEX=https://mirror.soroushasadi.com/repository/nuget-group/index.json
+ARG NUGET_INDEX=http://171.22.25.73:8081/repository/nuget-group/index.json
 RUN printf '%s\n' \
   '<?xml version="1.0" encoding="utf-8"?>' \
   '<configuration>' \