Merge pull request #2142 from holta/nginx-quick-cleanup

(1) Quick clean high-level roles: NGINX, Apache, network, OpenVPN, numbered roles (stages) & defaults_vars.yml (2) Add vars/ubuntu-20.yml for Ubuntu 20.04 pre-releases (3) Fix http://box/mediawiki

roles/0-init/tasks/main.yml

@@ -21,13 +21,13 @@
   copy:
     src: "{{ iiab_dir }}/scripts/iiab-diagnostics"
     dest: /usr/bin/
-    mode: 0755
+    mode: '0755'
 
 - name: Create globally-writable directory /etc/iiab/diag so non-root users can run iiab-diagnostics
   file:
     state: directory
     path: /etc/iiab/diag
-    mode: 0777
+    mode: '0777'
 
 - name: Re-read local_facts.facts from /etc/ansible/facts.d
   setup:

roles/1-prep/tasks/main.yml

@@ -55,9 +55,9 @@
   copy:
     src: roles/1-prep/files/iiab.conf
     dest: /etc/tmpfiles.d/
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: 0644
+    # mode: '0644'
     force: yes
   when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
   #when: ro_dir.stat.exists
@@ -66,27 +66,26 @@
   include_role:
     name: sshd
   # has no "when: XXXXX_install" flag
-  tags: base, sshd
+  #tags: base, sshd
 
 - name: IIAB-ADMIN
   include_role:
     name: iiab-admin
   # has no "when: XXXXX_install" flag
-  tags: base, iiab-admin
+  #tags: base, iiab-admin
 
 - name: OPENVPN
   include_role:
     name: openvpn
   when: openvpn_install | bool
-  tags: openvpn
+  #tags: openvpn
 
 # for rpi, without rtc, we need time as soon as possible
 - name: Install chrony (an NTP package) especially for RPi's lacking RTC
   package:
     name: chrony
     state: present
-  tags:
+  #tags: download
-    - download
 
 #TODO: Use regexp filter instead of hard-code ip
 - name: Install /etc/chrony.conf from template
@@ -102,7 +101,7 @@
 # Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10
 # pre-releases, during @floydianslips' March 2019 testing anyway!  SEE #1387
 - name: Disable AppArmor -- override OS default (ubuntu)
-  service:
+  systemd:
     name: apparmor
     enabled: False
     state: stopped
@@ -141,6 +140,3 @@
   template:
     src: roles/1-prep/templates/iiab.env.j2
     dest: "{{ iiab_env_file }}"
-    owner: root
-    group: root
-    mode: 0644

roles/2-common/tasks/main.yml

@@ -23,57 +23,21 @@
 - include_tasks: packages.yml
 - include_tasks: iptables.yml
 
-- sysctl:
+- name: Use 'sysctl' to set 10 network/kernel settings, turning off IPv6 if possible
-    name: net.ipv4.ip_forward
+  sysctl:
-    value: '1'
+    name: "{{ item.name }}"
-    state: present
+    value: "{{ item.value }}"
-
+  with_items:
-- sysctl:
+    - { name: 'net.ipv4.ip_forward', value: '1' }
-    name: net.ipv4.conf.default.rp_filter
+    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
-    value: '1'
+    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
-    state: present
+    - { name: 'kernel.sysrq', value: '1' }
-
+    - { name: 'kernel.core_uses_pid', value: '1' }
-- sysctl:
+    - { name: 'net.ipv4.tcp_syncookies', value: '1' }
-    name: net.ipv4.conf.default.accept_source_route
+    - { name: 'kernel.shmmax', value: '268435456' }
-    value: '0'
+    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
-    state: present
+    - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }
-
+    - { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }
-- sysctl:
-    name: kernel.sysrq
-    value: '1'
-    state: present
-
-- sysctl:
-    name: kernel.core_uses_pid
-    value: '1'
-    state: present
-
-- sysctl:
-    name: net.ipv4.tcp_syncookies
-    value: '1'
-    state: present
-
-- sysctl:
-    name: kernel.shmmax
-    value: '268435456'
-    state: present
-
-# IPv6 disabled
-
-- sysctl:
-    name: net.ipv6.conf.all.disable_ipv6
-    value: '1'
-    state: present
-
-- sysctl:
-    name: net.ipv6.conf.default.disable_ipv6
-    value: '1'
-    state: present
-
-- sysctl:
-    name: net.ipv6.conf.lo.disable_ipv6
-    value: '1'
-    state: present
 
 - name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
   template:
@@ -91,4 +55,3 @@
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=2'
-    state: present

roles/3-base-server/tasks/main.yml

@@ -3,30 +3,29 @@
 - name: ...IS BEGINNING =====================================
   command: echo
 
+- name: Install NGINX (configured LATER, in Stage 9-LOCAL-ADDONS)
+  include_tasks: roles/nginx/tasks/install.yml
+  when: nginx_install | bool
+
 - name: HTTPD (APACHE)
   include_role:
     name: httpd
   when: apache_install | bool
-  tags: base, httpd
+  #tags: base, httpd
 
 - name: MYSQL
   include_role:
     name: mysql
-  # has no "when: XXXXX_install" flag
+  when: mysql_install | bool
-  tags: base, mysql
+  #tags: base, mysql
-
-- name: Install nginx
-  include_tasks: roles/nginx/tasks/install.yml
-  when: nginx_install | bool
 
 - name: Install dnsmasq
   include_tasks: roles/network/tasks/dnsmasq.yml
   when: dnsmasq_install | bool
-  tags: base, domain, dnsmasq, network
+  #tags: base, domain, dnsmasq, network
 
 - name: Recording STAGE 3 HAS COMPLETED =====================
   lineinfile:
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=3'
-    state: present

roles/4-server-options/tasks/main.yml

@@ -8,29 +8,29 @@
 - name: Install named / BIND
   include_tasks: roles/network/tasks/named.yml
   when: named_install | bool
-  tags: base, named, network, domain
+  #tags: base, named, network, domain
 
 - name: Installing dhcpd
   include_tasks: roles/network/tasks/dhcpd.yml
   when: dhcpd_install | bool
-  tags: base, dhcpd, network, domain
+  #tags: base, dhcpd, network, domain
 
 - name: Install Squid (and DansGuardian if dansguardian_install)
   include_tasks: roles/network/tasks/squid.yml
   when: squid_install | bool
-  tags: base, squid, network, domain
+  #tags: base, squid, network, domain
 
 - name: Install Bluetooth - only on Raspberry Pi
   include_role:
     name: bluetooth
   when: (is_rpi and bluetooth_install) or bluetooth_installed is defined
-  tags: bluetooth
+  #tags: bluetooth
 
 - name: USB-LIB
   include_role:
     name: usb-lib
   when: usb_lib_install | bool
-  tags: usb-lib
+  #tags: usb-lib
 
 # NETWORK moved to the very end, after Stage 9 (9-LOCAL-ADDONS)
 # It can also be run manually using: cd /opt/iiab/iiab; ./iiab-network
@@ -46,25 +46,25 @@
   include_role:
     name: homepage
   # has no "when: XXXXX_install" flag
-  tags: base, homepage
+  #tags: base, homepage
 
 - name: POSTGRESQL
   include_role:
     name: postgresql
   when: postgresql_install | bool
-  tags: postgresql, pathagar, moodle
+  #tags: postgresql, pathagar, moodle
 
 - name: CUPS
   include_role:
     name: cups
   when: cups_install or cups_installed is defined
-  tags: cups
+  #tags: cups
 
 - name: SAMBA
   include_role:
     name: samba
   when: samba_install or samba_installed is defined
-  tags: samba
+  #tags: samba
 
 - name: Run /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (This script was installed at the beginning of Stage 3 = roles/3-base-server/tasks/main.yml, which ran Apache playbook = roles/httpd/tasks/main.yml)
   command: /usr/bin/iiab-refresh-wiki-docs
@@ -75,4 +75,3 @@
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=4'
-    state: present

roles/5-xo-services/tasks/main.yml

@@ -7,23 +7,22 @@
   include_role:
     name: activity-server
   when: activity_server_install | bool
-  tags: olpc, activity-server
+  #tags: olpc, activity-server
 
 - name: EJABBERD_XS
   include_role:
     name: ejabberd_xs
   when: ejabberd_xs_install | bool
-  tags: olpc, ejabberd-xs
+  #tags: olpc, ejabberd-xs
 
 - name: IDMGR
   include_role:
     name: idmgr
   when: idmgr_install | bool
-  tags: olpc, idmgr
+  #tags: olpc, idmgr
 
 - name: Recording STAGE 5 HAS COMPLETED =====================
   lineinfile:
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=5'
-    state: present

roles/6-generic-apps/tasks/main.yml

@@ -6,75 +6,79 @@
 - name: AZURACAST
   include_role:
     name: azuracast
-  tags: azuracast
+  when: azuracast_install | bool
+  #tags: azuracast
 
+# UNMAINTAINED
 - name: DOKUWIKI
   include_role:
     name: dokuwiki
-  tags: dokuwiki
+  when: dokuwiki_install | bool
-
+  #tags: dokuwiki
-- name: MEDIAWIKI
-  include_role:
-    name: mediawiki
-  tags: mediawiki
 
 # UNMAINTAINED
 - name: EJABBERD
   include_role:
     name: ejabberd
   when: ejabberd_install | bool
-  tags: ejabberd
+  #tags: ejabberd
 
 - name: ELGG
   include_role:
     name: elgg
-  tags: elgg
+  when: elgg_install | bool
+  #tags: elgg
 
 - name: GITEA
   include_role:
     name: gitea
-  tags: gitea
+  when: gitea_install | bool
+  #tags: gitea
 
 - name: LOKOLE
   include_role:
     name: lokole
-  tags: lokole
+  when: lokole_install | bool
+  #tags: lokole
+
+- name: MEDIAWIKI
+  include_role:
+    name: mediawiki
+  when: mediawiki_install | bool
+  #tags: mediawiki
 
 - name: MOSQUITTO
   include_role:
     name: mosquitto
-  tags: mosquitto
+  when: mosquitto_install | bool
+  #tags: mosquitto
 
 - name: NODE-RED
   include_role:
     name: nodered
-  tags: nodered
+  when: nodered_install | bool
+  #tags: nodered
 
 - name: NEXTCLOUD
   include_role:
     name: nextcloud
-  tags: nextcloud
+  when: nextcloud_install | bool
-
+  #tags: nextcloud
-#- name: OWNCLOUD
-#  include_role:
-#    name: owncloud
-#  when: owncloud_install | bool
-#  tags: owncloud
 
 - name: PBX
   include_role:
     name: pbx
   when: pbx_install | bool
-  tags: pbx  
+  #tags: pbx  
 
 - name: WORDPRESS
   include_role:
     name: wordpress
-  tags: wordpress
+  when: wordpress_install | bool
+  #tags: wordpress
 
 - name: Recording STAGE 6 HAS COMPLETED ====================
   lineinfile:
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=6'
-    state: present

roles/7-edu-apps/tasks/main.yml

@@ -6,50 +6,55 @@
 - name: KALITE
   include_role:
     name: kalite
-  tags: kalite
+  when: kalite_install | bool
+  #tags: kalite
 
 - name: KOLIBRI
   include_role:
     name: kolibri
-  tags: kolibri
+  when: kolibri_install | bool
+  #tags: kolibri
 
 - name: KIWIX
   include_role:
     name: kiwix
-  tags: kiwix
+  when: kiwix_install | bool
+  #tags: kiwix
 
 - name: MOODLE
   include_role:
     name: moodle
-  tags: olpc, moodle
+  when: moodle_install | bool
+  #tags: olpc, moodle
 
 - name: OSM-VECTOR-MAPS
   include_role:
     name: osm-vector-maps
-  tags: osm, maps
+  when: osm_vector_maps_install | bool
+  #tags: osm, maps
 
 # UNMAINTAINED
 - name: OSM
   include_role:
     name: osm
   when: osm_install is defined and osm_install
-  tags: osm, maps
+  #tags: osm, maps
 
 # UNMAINTAINED
 - name: PATHAGAR
   include_role:
     name: pathagar
   when: pathagar_install is defined and pathagar_install
-  tags: pathagar
+  #tags: pathagar
 
 - name: SUGARIZER
   include_role:
     name: sugarizer
-  tags: sugarizer
+  when: sugarizer_install | bool
+  #tags: sugarizer
 
 - name: Recording STAGE 7 HAS COMPLETED ========================
   lineinfile:
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=7'
-    state: present

roles/8-mgmt-tools/tasks/main.yml

@@ -7,39 +7,40 @@
   include_role:
     name: transmission
   when: transmission_install | bool
-  tags: transmission
+  #tags: transmission
 
 - name: AWSTATS
   include_role:
     name: awstats
-  tags: awstats
+  when: awstats_install | bool
+  #tags: awstats
   
 - name: MONIT
   include_role:
     name: monit
   when: monit_install | bool
-  tags: monit
+  #tags: monit
 
 - name: MUNIN
   include_role:
     name: munin
-  tags: munin
+  when: munin_install | bool
+  #tags: munin
 
 - name: PHPMYADMIN
   include_role:
     name: phpmyadmin
   when: phpmyadmin_install | bool
-  tags: phpmyadmin
+  #tags: phpmyadmin
 
 - name: VNSTAT
   include_role:
     name: vnstat
   when: vnstat_install | bool
-  tags: vnstat
+  #tags: vnstat
 
 - name: Recording STAGE 8 HAS COMPLETED ======================
   lineinfile:
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=8'
-    state: present

roles/9-local-addons/tasks/main.yml

@@ -6,55 +6,53 @@
 - name: INTERNETARCHIVE
   include_role:
     name: internetarchive
-  tags: internetarchive
+  when: internetarchive_install | bool
+  #tags: internetarchive
 
-# Until porting complete (@jvonau helping transition to Python 3)
+# Is porting to Python 3 complete, and if so does this belong elsewhere?
-#- name: 'Install Python 2.7 packages: python, python-pip'
-#  package:
-#    name:
-#      - python
-#      - python-pip    # Used by Admin Console
-#    state: present
-
-# To be ported soon
 - name: CAPTIVE PORTAL
   include_tasks: roles/captiveportal/tasks/main.yml
   when: captiveportal_install | bool
-  tags: base, captiveportal, network, domain
+  #tags: base, captiveportal, network, domain
 
 - name: MINETEST
   include_role:
     name: minetest
-  tags: minetest
+  when: minetest_install | bool
+  #tags: minetest
 
 # KEEP AT THE END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
   include_role:
     name: calibre
-  tags: calibre
+  when: calibre_install | bool
+  #tags: calibre
 
 - name: CALIBRE-WEB
   include_role:
     name: calibre-web
-  tags: calibre-web
+  when: calibreweb_install | bool
+  #tags: calibre-web
 
 # Could split these two below to Stage 10?
 
-- name: Configure NGINX
+- name: Configure NGINX (already installed in Stage 3-BASE-SERVER)
+  # If just CONFIGURING, should we use one of the following instead ??
+  # include_tasks: roles/nginx/tasks/setup.yml
+  # include_tasks: roles/nginx/tasks/enable.yml
   include_role:
     name: nginx
   when: nginx_install | bool
-  tags: base, nginx
+  #tags: base, nginx
 
 - name: Configure Apache systemd service ({{ apache_service }})
   include_role:
     name: httpd-enable
   when: apache_install | bool
-  tags: base, httpd
+  #tags: base, httpd
 
 - name: Recording STAGE 9 HAS COMPLETED ====================
   lineinfile:
     dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=9'
-    state: present

roles/httpd/defaults/main.yml

@@ -1,6 +1,12 @@
 # default_language: en
 # language_priority: en es fr
 
+# apache_install: True
+# apache_enabled: False
+
+# apache_port: 8090    # NGINX proxies to this IP address, for legacy IIAB services still requiring Apache
+# apache_interface: 127.0.0.1
+
 # For schools that use WordPress/Nextcloud/Moodle intensively:  iiab/iiab#1147
 # apache_high_php_limits: False
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!

roles/mediawiki/defaults/main.yml

@@ -26,4 +26,5 @@ mediawiki_install_path: "{{ content_base }}"    # /library
 mediawiki_abs_path: "{{ mediawiki_install_path }}/mediawiki-{{ mediawiki_version }}"
 
 mediawiki_url: /wiki
+mediawiki_url2: /mediawiki
 mediawiki_full_url: "http://{{ iiab_hostname }}.{{ iiab_domain }}{{ mediawiki_url }}"    # http://box.lan/wiki

roles/mediawiki/tasks/enable.yml

@@ -16,13 +16,13 @@
 
 # NGINX
 
-- name: Enable http://box{{ mediawiki_url }} via NGINX, by installing {{ nginx_config_dir }}/mediawiki-nginx.conf from template
+- name: Enable http://box{{ mediawiki_url }} & http://box{{ mediawiki_url2 }} via NGINX, by installing {{ nginx_config_dir }}/mediawiki-nginx.conf from template
   template:
     src: mediawiki-nginx.conf.j2
     dest: "{{ nginx_config_dir }}/mediawiki-nginx.conf"
   when: nginx_install and mediawiki_enabled
 
-- name: Disable http://box{{ mediawiki_url }} via NGINX, by removing {{ nginx_config_dir }}/mediawiki-nginx.conf
+- name: Disable http://box{{ mediawiki_url }} & http://box{{ mediawiki_url2 }} via NGINX, by removing {{ nginx_config_dir }}/mediawiki-nginx.conf
   file:
     path: "{{ nginx_config_dir }}/mediawiki-nginx.conf"
     state: absent

roles/mediawiki/templates/mediawiki-nginx.conf.j2

@@ -52,3 +52,8 @@ location {{ mediawiki_url }}/ {
 location = {{ mediawiki_url }} {
     return 301 {{ mediawiki_url }}/Main_Page;
 }
+
+# http://box/mediawiki* redirect to http://box/wiki/Main_Page
+location {{ mediawiki_url2 }} {
+    return 301 {{ mediawiki_url }}/Main_Page;
+}

roles/network/tasks/main.yml

@@ -1,8 +1,6 @@
 - include_tasks: detected_network.yml
-  when: not installing   #REMOVE THIS LINE IF installing IS ALWAYS false AS SET IN roles/0-init/defaults/main.yml
+  when: not installing    # REMOVE THIS LINE IF installing IS ALWAYS false AS SET IN roles/0-init/defaults/main.yml
-  tags:
+  #tags: network, network-discover    # REMOVE SUCH LINES (BELOW TOO) AS WE'RE IN "network" ?
-    - network            #REMOVE SUCH LINES (BELOW TOO) AS WE'RE IN "network" ?
-    - network-discover
 
 - name: IF WIFI IS PRIMARY GATEWAY, PLEASE RUN 'iiab-hotspot-on' MANUALLY
   set_fact:
@@ -29,14 +27,10 @@
 
 - include_tasks: computed_network.yml
   when: not installing   #REMOVE THIS LINE IF installing IS ALWAYS false AS SET IN roles/0-init/defaults/main.yml
-  tags:
+  #tags: network, network-discover
-    - network
-    - network-discover
 
 - include_tasks: hostapd.yml
-  tags:
+  #tags: network, AP
-    - network
-    - AP
 
 #- name: RPi - don't reboot to AP post install - installed via wifi - don't blow away current network
 #  set_fact:
@@ -50,17 +44,12 @@
 ##### End static ip address info
 
 #- include_tasks: hosts.yml
-#  tags:
+#  tags: network, hostname, domain
-#    - network
-#    - hostname
-#    - domain
 
 - name: Configure wondershaper
   include_tasks: wondershaper.yml
   when: wondershaper_install | bool or wondershaper_installed is defined
-  tags:
+  #tags: network, wondershaper
-    - network
-    - wondershaper
 
 - name: (Re)Install named
   include_tasks: named.yml
@@ -76,24 +65,13 @@
 
 #### start services
 - include_tasks: avahi.yml
-  tags:
+  #tags: network
-    - network
 
 - include_tasks: computed_services.yml
-  tags:
+  #tags: network, named, dhcpd, dnsmasq, squid
-    - network
-    - named
-    - dhcpd
-    - dnsmasq
-    - squid
 
 - include_tasks: enable_services.yml
-  tags:
+  #tags: network, named, dhcpd, dnsmasq, squid
-    - network
-    - named
-    - dhcpd
-    - dnsmasq
-    - squid
 
 #### end services
 #### Start network layout
@@ -101,52 +79,40 @@
   include_tasks: ifcfg_mods.yml
   when: is_redhat | bool
   #and not installing
-  tags:
+  #tags: network
-    - network
 
 - name: Netplan in use on Ubuntu 18.04+
   include_tasks: netplan.yml
   when: is_ubuntu and not is_ubuntu_16
   #when: is_ubuntu_18 | bool
   #and not installing
-  tags:
+  #tags: network
-    - network
 
 - name: NetworkManager in use
   include_tasks: NM-debian.yml
   when: is_debuntu and network_manager_active
   #and not installing
-  tags:
+  #tags: network
-    - network
 
 - name: systemd-networkd in use
   include_tasks: sysd-netd-debian.yml
   when: is_debuntu and systemd_networkd_active
   #and not installing
-  tags:
+  #tags: network
-    - network
 
 - name: RPi's have dhcpcd in use
   include_tasks: rpi_debian.yml
   when: is_debuntu and is_rpi
   #and not installing
-  tags:
+  #tags: network
-    - network
 
 - name: Not RPi, Not NetworkManager, Not systemd-networkd in use
   include_tasks: debian.yml
   when: (not is_rpi and not network_manager_active and not systemd_networkd_active and is_debuntu) or is_ubuntu_16
   #and not installing
-  tags:
+  #tags: network
-    - network
 
 #### end network layout
 - include_tasks: restart.yml
   when: not installing
-  tags:
+  #tags: network, named, dhcpd, dnsmasq, squid, AP
-    - network
-    - named
-    - dhcpd
-    - dnsmasq
-    - squid
-    - AP

roles/nginx/defaults/main.yml

@@ -1 +1,14 @@
-nginx_log_dir: /var/log/nginx
+# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
+# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+
+# nginx_install: True
+# nginx_enabled: True
+
+# nginx_port: 80
+# nginx_interface: 0.0.0.0
+
+# nginx_config_dir: /etc/nginx/conf.d
+# nginx_log_dir: /var/log/nginx
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

roles/openvpn/tasks/main.yml

@@ -1,11 +1,16 @@
+# TO DO: WRAP 10 OR 11 STANZAS BELOW (and saving vars to iiab_ini_file at
+# bottom) INTO install.yml, somehow conditioned by...
+# when: openvpn_install | bool
+#
+# BEWARE: 11th stanza (ssh pubkey deletions) is already conditioned by...
+# when: not openvpn_install
+
 - name: Install OpenVPN and Nmap packages
   package:
     name:
       - openvpn
       - nmap
     state: present
-  #tags:
-  #  - download
 
 # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle
 - name: Install Ncat package (if Debian > 9 or Ubuntu > 18)
@@ -13,17 +18,12 @@
     name: ncat
     state: present
   when: is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18)
-  #when: need_ncat | bool
-  #tags:
-  #  - download
 
 - name: Install ssh public keys for remote support (if openvpn_install)
   lineinfile:
     line: "{{ item.pubkey }}"
     regexp: "{{ item.regexp }}"
     path: /root/.ssh/authorized_keys
-    #backup: yes
-  when: openvpn_install | bool
   with_items:
     - regexp: "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$" # Tim Moody
       pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhlQIh8ZPx4awdM0O6QNcPbx3qIZ39FHjF2YJ2SX3z7iLnYiz03Ek6Bux9P4HvaVAqlApiz2I68Vq8TfU2s/+LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s="
@@ -46,20 +46,16 @@
     regexp: "{{ item }}"
     path: /root/.ssh/authorized_keys
     state: absent
-    #backup: yes
-  when: not openvpn_install
   with_items:
     - "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$"
     - "tUM4hl009fbXY4Yy3bAadWL1CquVrZmKfBBWhyhz8zLD6TQ== ghunt@ip-192-168-123-123.ec2.internal$"
     - "heOMXXNU6skxdPh2fcHh0bzQcaCSQ== holt@crank$"
+  when: not openvpn_install
 
 - name: 'Create dirs: /etc/openvpn/keys, /etc/openvpn/scripts'
   file:
     path: "{{ item }}"
     state: directory
-    owner: root
-    group: root
-    mode: 0755
   with_items:
     - /etc/openvpn/keys
     - /etc/openvpn/scripts
@@ -68,8 +64,6 @@
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: root
-    group: root
     mode: "{{ item.mode }}"
     backup: yes
   with_items:
@@ -83,14 +77,12 @@
     - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
     - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
     - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
-    # 2019-10-09: Not recommended for over a year & no longer in use
-    # - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
 
 - name: Copy /opt/iiab/iiab/iiab-support to /usr/bin/iiab-support, in case git tree deleted e.g. on a smaller IIAB install
   copy:
     src: "{{ iiab_dir }}/iiab-support"
     dest: /usr/bin/
-    mode: 0755
+    mode: '0755'
 
 - name: Create iiab-support-on (symlink to iiab-support for now)
   file:
@@ -116,6 +108,7 @@
     path: /usr/bin/iiab-vpn-off
     state: link
 
+# TO DO: WRAP COMMENTS + 4 ACTIVE STANZAS BELOW INTO enable.yml...
 
 # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
 # been working with systemd service names that contained the "@" character.
@@ -198,7 +191,6 @@
 #  ignore_errors: True
 #  when: not openvpn_enabled and not installing
 
-
 - name: Add 'openvpn' variable values to {{ iiab_ini_file }}
   ini_file:
     path: "{{ iiab_ini_file }}"

vars/default_vars.yml

@@ -225,27 +225,27 @@ exFAT_enabled: True
 
 
 # 3-BASE-SERVER
-# Variables for Administrative Console
+
+# 2020-01-13: Both vars unused
 admin_console_install: True
 admin_console_enabled: True
 
-# variables related to introduction of nginx
+# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
-# apache
+# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
-apache_install: True
-apache_enabled: False
-apache_port: "8090"
-apache_interface: "127.0.0.1"
-# The following variable, if True, allows Admin Console to poweroff IIAB
-# see below
-#allow_apache_sudo: False
-
-nginx_port: "80"
-nginx_interface: "0.0.0.0"
 nginx_install: True
 nginx_enabled: True
+nginx_port: 80
+nginx_interface: 0.0.0.0
 nginx_config_dir: /etc/nginx/conf.d
+nginx_log_dir: /var/log/nginx
 
 # See also Apache vars {default_language, language_priority} @ top of this file
+apache_install: True
+apache_enabled: False
+#
+# NGINX proxies to Apache for legacy IIAB services, using:
+apache_port: 8090
+apache_interface: 127.0.0.1    # 2020-01-13: Var unused
 #
 # For schools that use WordPress/Nextcloud/Moodle intensively:  iiab/iiab#1147
 apache_high_php_limits: False
@@ -657,6 +657,7 @@ calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
 is_debuntu: False    # Covers all 3: Ubuntu, Debian, Raspbian
 
 is_ubuntu: False
+is_ubuntu_20: False
 is_ubuntu_19: False
 is_ubuntu_18: False
 is_ubuntu_17: False

vars/ubuntu-20.yml

@@ -0,0 +1,31 @@
+is_debuntu: True
+is_ubuntu: True
+is_ubuntu_20: True
+
+# 2019-03-23: These apply if-only-if named_install and/or dhcpd_install are True
+# (This is quite rare now that vars/default_vars.yml sets dnsmasq_install: True)
+dns_service: bind9
+dns_user: bind
+dhcp_service: isc-dhcp-server
+
+proxy: squid
+proxy_user: proxy
+apache_service: apache2
+apache_user: www-data
+apache_config_dir: apache2/sites-available
+apache_log_dir: /var/log/apache2
+smb_service: smbd
+nmb_service: nmbd
+systemctl_program: /bin/systemctl
+# issue raised 
+mysql_service: mariadb
+apache_log: /var/log/apache2/access.log
+sshd_package: openssh-server
+sshd_service: ssh
+php_version: 7.3    # 7.4 might be nec for Ubuntu 20.04 later?
+# "postgresql_version: 11.2" failed (too detailed for /etc/systemd/system/postgresql-iiab.service on Ubuntu 19.04)
+postgresql_version: 12
+systemd_location: /lib/systemd/system
+# Upgrade Ubuntu 20.04's Calibre 4.x to very latest...for now?
+calibre_via_debs: False
+calibre_via_python: True