Use mirsg infra collection (#108)

Fixes #106 
Fixes #102 

Use Ansible roles from the `mirsg.infrastructure` Collection for
installing / configuring XNAT.

- Includes changes from previous
[PR](#106)
- add role to mount EFS (this was previously part of the provision role,
but the `mirsg.infrastructure.provision` role is used instead)
- remove unused roles and playbooks
- add a template for the nginx config for use by the
`mirsg.infrastructure.nginx` role
- `mirsg.infrastructure` include a fix for #102 (the Docker version is
pinned to <25)

There are a **lot** of changes here, but they are all internal (i.e.
there are no changes in how to use this repo, and users shouldn't need
to update their `terraform.tfvars` files etc.)

---------

Co-authored-by: Paul Smith <[email protected]>
Co-authored-by: ruaridhg <[email protected]>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

README.md

@@ -95,6 +95,21 @@ To destroy the infrastructure, go to the `xnat-aws/provision` directory and type
 terraform destroy
 ```
 
+If this command is interrupted i.e. you lose internet connection when running locally, you may find that you can no longer run `terraform destroy` successfully.
+Therefore you need to manually delete some resources in the AWS console, but you can encounter errors when attempting to delete certain resources:
+`The vpc 'vpc-id' has dependencies and cannot be deleted.` or
+`Network interface is currently in use and is of type "interface".`
+
+To find the remaining VPC dependencies, go to the `xnat-aws/provision` directory and type:
+
+```bash
+    ./show_resources_to_delete.sh
+```
+
+N.B. You need to add your `VPC ID` and `region` to the `show_resources_to_delete.sh` script.
+
+After deleting the dependiences you can retry deleting your VPC and/or Network interface - [see more info](https://repost.aws/knowledge-center/troubleshoot-dependency-error-delete-vpc).
+
 ## AWS cost estimate
 
 [It is estimated](provision/aws-cost-estimate.pdf) the AWS resources will cost approximately **$270

configure/.gitignore

@@ -9,5 +9,5 @@
 hosts.yml
 .vault_password
 group_vars/all/vault
-group_vars/web/vault
+group_vars/xnat/vault
 

configure/README.md

@@ -15,7 +15,7 @@ This will install the dependencies listed in [requirements.txt](requirements.txt
 To run the configuration with Ansible we will need to:
 
 - install required Ansible roles and collection
-- run the `install_container_service.yml` and `install_xnat.yml` playbooks
+- run the `install_xnat.yml` playbooks
 
 These steps are done in the script `xnat-aws/configure/install_xnat.sh`. To run the script, go to the `xnat-aws/configure` directory and run the following command:
 

configure/group_vars/all/vars

@@ -0,0 +1,100 @@
+---
+xnat_data_dir: /data
+xnat_root_dir: "{{ xnat_data_dir }}/xnat"
+xnat_home_dir: "{{ xnat_root_dir }}/home"
+
+xnat_common_config:
+  admin_email: xnatadmin@{{ hostvars['xnat_web']['ansible_host'] }}
+  restrictUserListAccessToAdmins: true
+  uiAllowNonAdminProjectCreation: false
+  allowNonAdminsToClaimUnassignedSessions: true
+  reloadPrearcDatabaseOnStartup: true
+  par: false
+  primaryAdminUsername: "{{ xnat_service_admin.username }}"
+  receivedFileUser: "{{ xnat_service_admin.username }}"
+  ipsThatCanSendEmailsThroughRest: 127.0.0.1
+  sessionXmlRebuilderInterval: "5"
+  # "^.*$" for all IPs
+  enabledProviders:
+    - localdb
+  enableSitewideAnonymizationScript: true
+  sitewideAnonymizationScript:
+    //\nversion \"6.1\"\nproject != \"Unassigned\" ? (0008,1030) :=
+    project\n(0010,0010) := subject\n(0010,0020) := session
+
+xnat_service_admin:
+  username: "admin_user"
+  firstname: "admin"
+  lastname: "user"
+  password: "{{ vault_service_admin_password }}"
+
+package_registry:
+  enabled: false
+  url: ""
+  authentication_header:
+    Bearer {{ vault_package_registry_token | default(omit) }}
+
+# Set this to true if selinux is enabled on the hosting OS
+selinux_enabled: true
+
+# XNAT supports PostgreSQL 11-14
+postgresql_version: 14
+postgresql_use_ssl: false
+
+java_keystore:
+  keystore_pass: "{{ vault_keystore_password }}"
+
+# JSON representation of the site-wide anonymisation script: this could be
+# defined in a string, or extracted from a template file e.g. using
+# lookup('template, 'foo.j2') | to_json
+xnat_sitewide_anonymization_script:
+  "{{ xnat_common_config.sitewideAnonymizationScript | to_json }}"
+
+# web server VM
+web_server:
+  host: "{{ hostvars['xnat_web']['ansible_host'] }}"
+  url: "http://{{ hostvars['xnat_web']['ansible_host'] }}"
+  ip: "{{ hostvars['xnat_web']['private_ip'] }}"
+  storage_dir: "{{ external_storage_drive }}/data"
+
+# database server VM
+db_server:
+  host: "{{ hostvars['xnat_web']['database_hostname'] }}"
+  port: "{{ hostvars['xnat_web']['database_port'] }}"
+  postgresql_database: "{{ hostvars['xnat_web']['database_name'] }}"
+  postgresql_user: "{{ hostvars['xnat_web']['database_user'] }}"
+  postgresql_password: "{{ vault_postgres_xnat_password }}"
+
+# SSL certificate settings
+ssl:
+  use_ssl: false
+  server_cert: "/etc/ssl/certs/{{ hostvars['xnat_web']['ansible_host'] }}.cert"
+  server_key: "/etc/ssl/certs/{{ hostvars['xnat_web']['ansible_host'] }}.key"
+  validate_certs: false
+
+
+# XNAT configuration
+xnat_config:
+  site_name: MIRSG_XNAT
+  site_description: <h1>MIRSG XNAT</h1><p>A test instance of XNAT.
+  admin_password: "{{ vault_admin_password }}"
+
+# mirsg.infrastructure.install_python
+install_python:
+  version: "3"
+  pip_version: 21.3.1
+  pip_executable: /usr/bin/pip3
+  system_packages:
+    - python3
+    - python3-pip
+    - python3-setuptools
+  pip_packages:
+    - cryptography
+
+# Mount point for external storage
+external_storage_drive: "/storage"
+mount_efs_src: "{{ hostvars[inventory_hostname]['efs_hostname'] }}:/"
+mount_efs_directory: "{{ external_storage_drive }}"
+mount_efs_fstype: "nfs4"
+mount_efs_opts: "nfsvers=4.1,rsize=1048576,hard,timeo=600,retrans=2,noresvport"
+mount_efs_state: mounted

configure/group_vars/container_service.yml

@@ -0,0 +1,8 @@
+---
+# mirsg.infrastructure.docker - only used by the container_service_host group
+# but the container_service_client group needs access to these variables
+docker_client_certificate_cache_directory:
+  "{{ ansible_cache_dir }}/cserv_certificates/cserv"
+docker_server_hostname: "{{ hostvars['xnat_cserv']['ansible_host'] }}"
+docker_server_ip: "{{ hostvars['xnat_cserv']['private_ip'] }}"
+docker_server_port: 2376

configure/group_vars/container_service_client.yml

@@ -0,0 +1,15 @@
+---
+# mirsg.xnat_container_service
+xnat_container_service_name: Container Service
+xnat_container_service_url: "{{ web_server.url }}/xapi/docker/server"
+xnat_container_service_client_hostname: "{{ hostvars['xnat_web']['ansible_host'] }}"
+xnat_container_service_validate_certs: "{{ ssl.validate_certs }}"
+
+xnat_container_service_hostname: "{{ docker_server_hostname }}"
+xnat_container_service_ip: "{{ docker_service_ip }}"
+xnat_container_service_port: "{{ docker_server_port }}"
+xnat_container_service_certificate_cache_directory:
+  "{{ docker_client_certificate_cache_directory }}"
+
+xnat_container_service_path_translation_xnat_prefix: "{{ xnat_root_dir }}"
+xnat_container_service_path_translation_docker_prefix: /storage/data/xnat

configure/group_vars/container_service_host.yml

@@ -0,0 +1,10 @@
+---
+# mirsg.infrastructure.docker
+docker_generate_certificates: true # generate TLS certs for clients
+docker_client_hostnames:
+  - "{{ hostvars['xnat_web']['ansible_host'] }}"
+docker_tls_verify: false
+
+# docker<25 is required for XNAT
+# see: https://groups.google.com/g/xnat_discussion/c/yyPBkN4kayE/m/LUe5GQH5AAAJ
+docker_version: 24.0.9