Merge branch 'master' into cwivagg/matomo_20220618

2025-03-09 15:40:17 +00:00 · 2022-07-12 09:29:09 -04:00 · 2022-07-12 09:29:09 -04:00 · 14b202d095
commit 14b202d095
parent 594386073a 767ee485ca
148 changed files with 1922 additions and 1442 deletions
--- a/README.md
+++ b/README.md
@ -54,4 +54,4 @@ Install our latest pre-release using the 1-line installer at: [**download.iiab.i
 You can also consider <!--latest Internet-in-a-Box (IIAB)--> earlier official releases at: [github.com/iiab/iiab/releases](https://github.com/iiab/iiab/releases)
-For much older versions, see: [github.com/xsce](http://github.com/xsce), [schoolserver.org](http://schoolserver.org)
+For much older versions, see: [github.com/xsce](https://github.com/xsce), [schoolserver.org](http://schoolserver.org)
--- a/88
+++ b/88
@ -1,17 +1,57 @@
 #!/bin/bash -e
 # Running from a git repo
 # Add cmdline options for passing to ansible
 # Todo add proper shift to gobble up --debug --reinstall
 PLAYBOOK=iiab-stages.yml
 INVENTORY=ansible_hosts
 IIAB_STATE_FILE=/etc/iiab/iiab_state.yml
-ARGS=""
+ARGS="--extra-vars {"    # Needs boolean not string so use JSON list.  bash forces {...} to '{...}' for Ansible
 CWD=`pwd`
 OS=`grep ^ID= /etc/os-release | cut -d= -f2`
-OS=${OS//\"/}
+OS=${OS//\"/}    # Remove all '"'
 MIN_RPI_KERN=5.4.0        # Do not use 'rpi-update' unless absolutely necessary: https://github.com/iiab/iiab/issues/1993
-MIN_ANSIBLE_VER=2.11.6    # Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
+MIN_ANSIBLE_VER=2.12.7    # Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
 REINSTALL=false
 DEBUG=false
 SKIP_ROLE_ON_ERROR=false
 usage() {
    echo -e "\n\e[1mUse './iiab-install' for regular installs, or to continue an install."
    echo -e "Use './iiab-install --risky' to force 'skip_role_on_error: True'"
    echo -e "Use './iiab-install --reinstall' to force running all Stages 0-9, followed by the Network Role."
    echo -e "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9, followed by the Network Role."
    echo -e "Use './iiab-configure' to run Stage 0, followed by Stages 4-9."
    echo -e "Use './runrole' to run Stage 0, followed by a single Stage or Role."
    echo -e "Use './iiab-network' to run Stage 0, followed by the Network Role.\e[0m\n"
 }
 # https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash/14203146#14203146
 while [[ $# -gt 0 ]]; do
    case $1 in
        --reinstall)
            REINSTALL=true
            shift
            ;;
        --debug)
            DEBUG=true
            shift
            ;;
        -r|--risky)
            SKIP_ROLE_ON_ERROR=true
            shift
            ;;
        *)
            usage
            exit 1
            ;;
    esac
 done
 ARGS="$ARGS\"skip_role_on_error\":$SKIP_ROLE_ON_ERROR"    # Needs boolean not
 # string so use JSON list.  Ansible permits these boolean values: (refresher)
 # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/validate_vars.yml#L19-L43
 if [ ! -f /etc/iiab/local_vars.yml ]; then
@ -27,11 +67,11 @@ if [ ! -f /etc/iiab/local_vars.yml ]; then
    echo -e "\nEXITING: /opt/iiab/iiab/iiab-install REQUIRES /etc/iiab/local_vars.yml\n" >&2
-    echo -e "(1) Please read http://wiki.laptop.org/go/IIAB/local_vars.yml to learn more" >&2
+    echo -e "(1) See http://FAQ.IIAB.IO -> What is local_vars.yml and how do I customize it?" >&2
-    echo -e "(2) MIN/MEDIUM/BIG samples are included in /opt/iiab/iiab/vars" >&2
+    echo -e "(2) SMALL/MEDIUM/LARGE samples are included in /opt/iiab/iiab/vars" >&2
    echo -e "(3) NO TIME FOR DETAILS?  RUN INTERNET-IN-A-BOX'S FRIENDLY 1-LINE INSTALLER:\n" >&2
-    echo -e '    http://download.iiab.io\n' >&2
+    echo -e '    https://download.iiab.io\n' >&2
    exit 1
 fi
@ -57,16 +97,6 @@ if [ ! -f $PLAYBOOK ]; then
    exit 1
 fi
 if [ "$1" != "--debug" ] && [ "$1" != "--reinstall" ] && [ "$1" != "" ]; then
    echo "Use './iiab-install' for regular installs, or to continue an install."
    echo "Use './iiab-install --reinstall' to force running all Stages 0-9, followed by the Network Role."
    echo "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9, followed by the Network Role."
    echo "Use './iiab-configure' to run Stage 0, followed by Stages 4-9."
    echo "Use './runrole' to run Stage 0, followed by a single Stage or Role."
    echo "Use './iiab-network' to run Stage 0, followed by the Network Role."
    exit 1
 fi
 # Subroutine compares software version numbers.  Generates rare false positives
 # like "1.0 > 1" and "2.4.0 > 2.4".  Avoid risks by structuring conditionals w/
 # a consistent # of decimal points e.g. "if version_gt w.x.y.z a.b.c.d; then"
@ -125,27 +155,23 @@ if [ -f /etc/iiab/iiab.env ]; then
        fi
    fi
-    if [ "$1" == "--reinstall" ]; then
+    if $($REINSTALL); then
        STAGE=0
-        ARGS="$ARGS"" --extra-vars reinstall=True"
+        #ARGS="$ARGS"" --extra-vars reinstall=True"
        ARGS="$ARGS,\"reinstall\":True"    # Needs boolean not string so use JSON list
        sed -i 's/^STAGE=.*/STAGE=0/' /etc/iiab/iiab.env
        echo "Wrote STAGE=0 (counter) to /etc/iiab/iiab.env"
-    elif [ "$STAGE" -ge 2 ] && [ "$1" == "--debug" ]; then
+    elif [ "$STAGE" -ge 2 ] && $($DEBUG); then
        STAGE=2
        sed -i 's/^STAGE=.*/STAGE=2/' /etc/iiab/iiab.env
        echo "Wrote STAGE=2 (counter) to /etc/iiab/iiab.env"
    elif [ "$STAGE" -eq 9 ]; then
-        echo -e "\nEXITING: STAGE (counter) in /etc/iiab/iiab.env shows Stage 9 Is Already Done."
+        echo -e "\n\e[1mEXITING: STAGE (counter) in /etc/iiab/iiab.env shows Stage 9 Is Already Done.\e[0m"
-        echo -e "Use './iiab-install --reinstall' to force running all Stages 0-9, followed by the Network Role."
+        usage
-        echo -e "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9, followed by the Network Role."
+        exit 0    # Allows rerunning https://download.iiab.io/install.txt
        echo -e "Use './iiab-configure' to run Stage 0, followed by Stages 4-9."
        echo -e "Use './runrole' to run Stage 0, followed by a single Stage or Role."
        echo -e "Use './iiab-network' to run Stage 0, followed by the Network Role.\n\n"
        exit 0    # Allows rerunning http://download.iiab.io/install.txt
    fi
 fi
-if [ "$STAGE" -lt 2 ] && [ "$1" == "--debug" ]; then
+if [ "$STAGE" -lt 2 ] && $($DEBUG); then
    echo -e "\n'--debug' *ignored* as STAGE (counter) < 2."
 fi
@ -168,6 +194,8 @@ export ANSIBLE_LOG_PATH="$CWD""/iiab-install.log"
 ansible -m setup -i $INVENTORY localhost --connection=local | grep python
 ansible -m setup -i $INVENTORY localhost --connection=local >> /dev/null    # So vars are recorded in /opt/iiab/iiab/iiab-install.log
-ansible-playbook -i $INVENTORY $PLAYBOOK ${ARGS} --connection=local
+ARGS="$ARGS}"
 echo -e "\nNOW RUN: ansible-playbook -i $INVENTORY $PLAYBOOK $ARGS --connection=local\n"
 ansible-playbook -i $INVENTORY $PLAYBOOK $ARGS --connection=local
 echo -e "./iiab-install $* COMPLETED IN $CWD\n\n"
--- a/install-support.yml.unused
+++ b/install-support.yml.unused
--- a/roles/0-init/defaults/main.yml
+++ b/roles/0-init/defaults/main.yml
@ -23,14 +23,6 @@
 # ...after it is set in 0-init/tasks/main.yml
 first_run: False
 rpi_model: none                 # 2021-07-30: Broadly used!
 #xo_model: none                 # 2021-07-30: No longer used
 # 2021-07-30: Recorded to /etc/iiab/iiab.ini but not used programmatically:
 gw_active: False
 # 2021-07-30: Broadly used, but not in an organized way -- most all IIAB
 # outfitting/provisioning happens online -- in situations where connectivity
 # failures should be reported to the operator, rather than papered over:
 internet_available: False
 discovered_wan_iface: none      # 2021-07-30: Very broadly used!
 # 2021-07-30: Barely used -- for {named, dhcpd, squid} in
 # roles/network/tasks/main.yml -- after being set in 0-init/tasks/network.yml
--- a/roles/0-init/tasks/create_iiab_ini.yml
+++ b/roles/0-init/tasks/create_iiab_ini.yml
@ -29,14 +29,16 @@
      value: "{{ ansible_architecture }}"
    - option: iiab_base_ver
      value: "{{ iiab_base_ver }}"
    - option: iiab_remote_url
      value: "{{ ansible_local.local_facts.iiab_remote_url }}"
    - option: iiab_branch
      value: "{{ ansible_local.local_facts.iiab_branch }}"
    - option: iiab_commit
      value: "{{ ansible_local.local_facts.iiab_commit }}"
    - option: iiab_recent_tag
      value: "{{ ansible_local.local_facts.iiab_recent_tag }}"
    - option: install_date
      value: "{{ ansible_date_time.iso8601 }}"
    #- option: xo_model
    #  value: "{{ xo_model }}"
    - option: rpi_model
      value: "{{ rpi_model }}"
    - option: devicetree_model
--- a/roles/0-init/tasks/hostname.yml
+++ b/roles/0-init/tasks/hostname.yml
@ -1,3 +1,8 @@
 - name: "Set 'iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}'"
  set_fact:
    iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
    FQDN_changed: False
 - name: Does /etc/cloud/cloud.cfg exist e.g. is this Ubuntu Server 18+ ?
  stat:
    path: /etc/cloud/cloud.cfg
@ -17,16 +22,10 @@
  # 2021-08-31: Periods in /etc/hostname fail with some WiFi routers (#2904)
  # command: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
-#- name: Install /etc/sysconfig/network from template (redhat)
+# 2022-07-11: Should the first entry match just hostname and domain move to
-#  template:
+# after localhost?  See PR's #1 & #8 -- with discussion on #3302 -- and also:
-#    src: roles/network/templates/network/sysconfig.network.j2
+# 1. /etc/hosts    -- #1815 solved by PR #1847
-#    dest: /etc/sysconfig/network
+# 2. /etc/hostname -- #2904 solved by PR #2973
 #    owner: root
 #    group: root
 #    mode: 0644
 #  when: is_redhat
 # roles/network/tasks/hosts.yml [no longer in use] ALSO did this:
 - name: 'Put FQDN & hostnames in /etc/hosts: "127.0.0.1 {{ iiab_hostname }}.{{ iiab_domain }} localhost.localdomain localhost {{ iiab_hostname }} box box.lan"'
  lineinfile:
    path: /etc/hosts
@ -36,6 +35,14 @@
    #group: root
    #mode: 0644
 # 2021-07-30: FQDN_changed isn't used as in the past -- its remaining use is
 # for {named, dhcpd, squid} in roles/network/tasks/main.yml -- possibly it
 # should be reconsidered?  See PR #2876: roles/network might become optional?
 - name: "Also set 'FQDN_changed: True' -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
  set_fact:
    FQDN_changed: True
  when: iiab_fqdn != ansible_fqdn
 #- name: Re-configuring httpd - not initial install
 #  include_tasks: roles/httpd/tasks/main.yml
 #  when: iiab_stage|int > 3
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -11,14 +11,8 @@
  set_fact:
    rpi_model: "{{ ansible_local.local_facts.rpi_model }}"
    devicetree_model: "{{ ansible_local.local_facts.devicetree_model }}"
    #xo_model: "{{ ansible_local.local_facts.xo_model }}"
    iiab_stage: "{{ ansible_local.local_facts.stage }}"
 # 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
 #- name: Re-read local_facts.facts from /etc/ansible/facts.d
 #  setup:
 #    filter: ansible_local
 # Initialize /etc/iiab/iiab.ini writing the 'location' and 'version' sections
 # once and only once, to preserve the install date and git hash.
 - name: Create {{ iiab_ini_file }}, if it doesn't exist
@ -27,9 +21,9 @@
 # 2021-07-30: The 'first_run' flag isn't much used anymore.  In theory it's
 # still used in these 2 places:
-#   (1) roles/1-prep/tasks/main.yml for raspberry_pi.yml
+#   (1) roles/1-prep/tasks/hardware.yml for raspberry_pi.yml
 #   (2) roles/network/tasks/named.yml for "Stop named before copying files"
-# In practice however, it's no longer important, and might be reconsidered?
+# This needs to be reworked for 0-init speed, and overall understandability.
 - name: Set first_run flag
  set_fact:
    first_run: True
@ -38,11 +32,14 @@
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
- name: Copy /opt/iiab/iiab/scripts/iiab-diagnostics to /usr/bin/iiab-diagnostics
+- name: Copy iiab-summary & iiab-diagnostics from /opt/iiab/iiab/scripts/ to /usr/bin/
  copy:
-    src: "{{ iiab_dir }}/scripts/iiab-diagnostics"
+    src: "{{ iiab_dir }}/scripts/{{ item }}"
    dest: /usr/bin/
    mode: '0755'
  with_items:
    - iiab-summary
    - iiab-diagnostics
 - name: Create globally-writable directory /etc/iiab/diag (0777) so non-root users can run 'iiab-diagnostics'
  file:
@ -57,9 +54,8 @@
 - name: "Time Zone / TZ: Set symlink /etc/localtime to UTC if it doesn't exist?"
  include_tasks: tz.yml
- name: Test Gateway + Test Internet + Set new hostname/domain (hostname.yml) if nec + Set 'gui_port' to 80 or 443 for Admin Console
+- name: Set hostname / domain (etc) in various places
-  include_tasks: network.yml
+  include_tasks: hostname.yml
 - name: Add 'runtime' variable values to {{ iiab_ini_file }}
  ini_file:
@ -74,10 +70,14 @@
      value: "{{ iiab_base_ver }}"
    - option: iiab_revision
      value: "{{ iiab_revision }}"
    - option: iiab_remote_url
      value: "{{ ansible_local.local_facts.iiab_remote_url }}"
    - option: runtime_branch
      value: "{{ ansible_local.local_facts.iiab_branch }}"
    - option: runtime_commit
      value: "{{ ansible_local.local_facts.iiab_commit }}"
    - option: iiab_recent_tag
      value: "{{ ansible_local.local_facts.iiab_recent_tag }}"
    - option: runtime_date
      value: "{{ ansible_date_time.iso8601 }}"
    - option: ansible_version
@ -88,10 +88,6 @@
      value: "{{ ansible_memtotal_mb }}"
    - option: swap_mb
      value: "{{ ansible_swaptotal_mb }}"
    - option: gw_active
      value: "{{ gw_active }}"
    - option: internet_available
      value: "{{ internet_available }}"
    - option: rpi_model
      value: "{{ rpi_model }}"
    - option: devicetree_model
@ -102,10 +98,6 @@
      value: "{{ local_tz }}"
    - option: etc_localtime.stdout    # e.g. 'America/New_York' direct from symlink /etc/localtime -- or '' if /etc/localtime doesn't exist
      value: "{{ etc_localtime.stdout }}"
    #- option: no_NM_reload
    #  value: "{{ no_NM_reload }}"
    #- option: is_F18
    #  value: "{{ is_F18 }}"
    - option: FQDN_changed
      value: "{{ FQDN_changed }}"
--- a/roles/0-init/tasks/network.yml
+++ b/roles/0-init/tasks/network.yml
@ -1,74 +0,0 @@
 - name: Do we have a gateway? If 'ip route' specifies a default route, Ansible parses details here...
  debug:
    var: ansible_default_ipv4
 - name: "If above ansible_default_ipv4.gateway is defined, set WAN candidate 'discovered_wan_iface: {{ ansible_default_ipv4.alias }}' -- using ansible_default_ipv4.alias"
  set_fact:
    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
  when: ansible_default_ipv4.gateway is defined
 - name: "Verify gateway active: ping -c4 {{ ansible_default_ipv4.gateway }} -- using ansible_default_ipv4.gateway"
  shell: ping -c4 "{{ ansible_default_ipv4.gateway }}" | grep icmp_seq=4 | wc -l
  register: gw_active_test
  when: discovered_wan_iface != "none"
 - name: "If gateway responded, set 'gw_active: True' and 'iiab_wan_iface: {{ discovered_wan_iface }}' -- using discovered_wan_iface"
  set_fact:
    iiab_wan_iface: "{{ discovered_wan_iface }}"
    gw_active: True
  when: discovered_wan_iface != "none" and gw_active_test.stdout == "1"
 - name: 'Test for Internet access, using: {{ iiab_download_url }}/heart-beat.txt'
  get_url:
    url: "{{ iiab_download_url }}/heart-beat.txt"
    dest: /tmp/heart-beat.txt
    #timeout: "{{ download_timeout }}"
    # @jvonau recommends: 100sec is too much (keep 10sec default)
  ignore_errors: True
  #async: 10
  #poll: 2
  register: internet_access_test
 - name: "Set 'internet_available: True' if above download succeeded AND not disregard_network"
  set_fact:
    internet_available: True    # Initialized to 'False' in 0-init/defaults/main.yml
  when: not internet_access_test.failed and not disregard_network
 - name: Remove downloaded Internet test file /tmp/heart-beat.txt
  file:
    path: /tmp/heart-beat.txt
    state: absent
 - name: "Set 'iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}'"
  set_fact:
    iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
    FQDN_changed: False
 - name: Set hostname / domain (etc) in various places -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})
  include_tasks: hostname.yml
  when: iiab_fqdn != ansible_fqdn
 # 2021-07-30: FQDN_changed isn't used as in the past -- its remaining use is
 # for {named, dhcpd, squid} in roles/network/tasks/main.yml -- possibly it
 # should be reconsidered?  See PR #2876: roles/network might become optional?
 - name: "Also set 'FQDN_changed: True' -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
  set_fact:
    FQDN_changed: True
  when: iiab_fqdn != ansible_fqdn
 # 2021-08-17: (1) iiab-gen-iptables works better if gui_port is set directly in
 # default_vars.yml and/or local_vars.yml (2) Admin Console's iiab-admin.yml
 # and js-menu.yml set 'adm_cons_force_ssl: False'
 # - name: "Set 'gui_port: 80' for Admin Console if not adm_cons_force_ssl"
 #   set_fact:
 #     gui_port: 80
 #   when: not adm_cons_force_ssl
 # - name: "Set 'gui_port: 443' for Admin Console if adm_cons_force_ssl"
 #   set_fact:
 #     gui_port: 443
 #   when: adm_cons_force_ssl
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@ -63,7 +63,8 @@
 #
 # 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
- name: Set vars_checklist for 46 + 46 + 42 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+
 - name: Set vars_checklist for 45 + 45 + 41 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
  set_fact:
    vars_checklist:
      - hostapd
@ -123,6 +124,7 @@
      - calibreweb
      - calibre
      - pbx
      - network
 - name: Assert that {{ vars_checklist | length }} "XYZ_install" vars are all... defined
  assert:
--- a/roles/1-prep/tasks/hardware.yml
+++ b/roles/1-prep/tasks/hardware.yml
@ -14,7 +14,7 @@
 - name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6
  get_url:
-    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"    # http://download.iiab.io/packages
+    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"    # https://download.iiab.io/packages
    dest: /lib/firmware
    timeout: "{{ download_timeout }}"
  when: usb_NUC6.stdout|int > 0
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@ -23,9 +23,15 @@
    name: iiab-admin
  #when: iiab_admin_install    # Flag might be created in future?
- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
+- name: Copy iiab-apps-to-be-installed from {{ iiab_dir }} to /usr/bin/
-  include_tasks: roles/network/tasks/dnsmasq.yml
+  copy:
-  #when: dnsmasq_install    # Flag might be used in future?
+    src: "{{ iiab_dir }}/scripts/iiab-apps-to-be-installed"    # /opt/iiab/iiab
    dest: /usr/bin/
    mode: '0755'
 - name: Install ~12 network/wifi/related packages + Squid if necessary + configure /etc/sysctl.conf -- full configuration LATER in 'network', after Stage 9
  include_tasks: roles/network/tasks/install.yml
  when: network_install and network_installed is undefined
 - include_tasks: uuid.yml
 - include_tasks: ubermix.yml
@ -62,7 +68,10 @@
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
- name: Recording STAGE 1 HAS COMPLETED ============================
+- name: Install {{ iiab_env_file }} from template -- FYI this file can be run as a script if absolutely nec -- e.g. 'source /etc/iiab/iiab.env && echo $WWWROOT'
  template:
    src: roles/1-prep/templates/iiab.env.j2
-    dest: "{{ iiab_env_file }}"    # Can also be run as a script if absolutely nec, e.g. 'source /etc/iiab/iiab.env && echo $WWWROOT'
+    dest: "{{ iiab_env_file }}"
 - name: Recording STAGE 1 HAS COMPLETED ============================
  meta: noop
--- a/roles/2-common/tasks/fl.yml
+++ b/roles/2-common/tasks/fl.yml
@ -1,6 +1,6 @@
 # fl.yml signifies "file layout"
- name: "File Layout - Create directories: 1 in /etc, 1 in {{ py3_dist_path }}, 3 in {{ iiab_base }}, 17 in {{ content_base }}"    # iiab_base: /opt/iiab
+- name: "File Layout - Create directories: 1 in {{ py3_dist_path }}, 2 in {{ iiab_base }}, 17 in {{ content_base }}"    # iiab_base: /opt/iiab
  file:
    path: "{{ item }}"
    # owner: root
@ -8,9 +8,9 @@
    # mode: '0755'
    state: directory
  with_items:
-    - /etc/sysconfig/olpc-scripts/setup.d/installed/
+    #- /etc/sysconfig/olpc-scripts/setup.d/installed/
    - "{{ py3_dist_path }}/iiab"    # /usr/lib/python3/dist-packages
-    - "{{ yum_packages_dir }}"    # /opt/iiab/yum-packages
+    #- "{{ yum_packages_dir }}"    # /opt/iiab/yum-packages
    - "{{ pip_packages_dir }}"    # /opt/iiab/pip-packages
    - "{{ downloads_dir }}"    # /opt/iiab/downloads
    #- "{{ content_base }}/downloads"    # /library/downloads auto-created just below
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@ -8,8 +8,14 @@
 - include_tasks: packages.yml
- name: Install network packages (including many WiFi tools, and also iptables-persistent for firewall)
+- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' in /etc/sysctl.conf"
-  include_tasks: network.yml
+  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
    name: "{{ item.name }}"
    value: "{{ item.value }}"
  with_items:
    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
    - { name: 'kernel.core_uses_pid', value: '1' }
    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
 - include_tasks: iiab-startup.yml
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -16,12 +16,12 @@
      #- lynx              #  505kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
      #- make              #  376kB download: 2021-07-27: Currently used by roles/pbx and no other roles
      - mlocate            #   92kB download
-      #- ntfs-3g           #  379kB download: RaspiOS installs this regardless -- 2021-07-31: But this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
+      #- ntfs-3g           #  379kB download: RasPiOS installs this regardless -- 2021-07-31: But this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
      #- openssh-server    #  318kB download: RasPiOS installs this regardless -- this is also installed by 1-prep's roles/sshd/tasks/main.yml to cover all OS's
      - pandoc             #   19kB download: For /usr/bin/iiab-refresh-wiki-docs
      - pastebinit         #   47kB download: For /usr/bin/iiab-diagnostics
      #- python3-pip       #  337kB download: RasPiOS installs this regardless -- 2021-07-29: And already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc
-      #- python3-venv      # 1188kB download: RasPiOS installs this regardless -- 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RaspiOS 10 did not.
+      #- python3-venv      # 1188kB download: RasPiOS installs this regardless -- 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RasPiOS 10 did not.
      - rsync              #  351kB download: RasPiOS installs this regardless
      #- screen            #  551kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
      - sqlite3            # 1054kB download
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -24,23 +24,6 @@
    name: sshd
  when: sshd_install
 # UNMAINTAINED
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
  when: named_install is defined and named_install
 # UNMAINTAINED
 - name: Install dhcpd
  include_tasks: roles/network/tasks/dhcpd.yml
  when: dhcpd_install is defined and dhcpd_install
 # LESS MAINTAINED
 - name: Install Squid
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install and squid_installed is undefined
 - name: Install Bluetooth - only on Raspberry Pi
  include_role:
    name: bluetooth
--- a/roles/6-generic-apps/tasks/main.yml
+++ b/roles/6-generic-apps/tasks/main.yml
@ -3,6 +3,7 @@
 - name: ...IS BEGINNING ====================================
  meta: noop
 # UNMAINTAINED
 - name: AZURACAST
  include_role:
    name: azuracast
@ -36,10 +37,11 @@
    name: jupyterhub
  when: jupyterhub_install
 # UNMAINTAINED
 - name: LOKOLE
  include_role:
    name: lokole
-  when: lokole_install
+  when: lokole_install is defined and lokole_install
 - name: MEDIAWIKI
  include_role:
--- a/roles/awstats/tasks/main.yml
+++ b/roles/awstats/tasks/main.yml
@ -19,15 +19,15 @@
    quiet: yes
 - block:
  - name: Install AWStats if 'awstats_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: awstats_installed is undefined
  - name: Enable/Disable/Restart NGINX
    include_tasks: nginx.yml
  - name: Add 'awstats' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -43,3 +43,10 @@
        value: "{{ awstats_install }}"
      - option: awstats_enabled
        value: "{{ awstats_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/awstats/templates/awstats.schoolserver.conf.j2
+++ b/roles/awstats/templates/awstats.schoolserver.conf.j2
@ -261,7 +261,7 @@ AllowToUpdateStatsFromBrowser=1
 #  3 - Possible on CLI and CGI
 # Default: 2
 #
-AllowFullYearView=2
+AllowFullYearView=3
--- a/roles/azuracast/README.rst
+++ b/roles/azuracast/README.rst
@ -1,6 +1,6 @@
-==========
+================
 AzuraCast README
-==========
+================
 This playbook adds `AzuraCast <https://azuracast.com/>`_ to Internet-in-a-Box (IIAB) for network radio station functionality.  With 'AzuraCast' you and your community can schedule podcasts, music, and even do live streaming of audio content.  A variety of streaming formats are supported.
@ -11,7 +11,7 @@ As of 2019-08-04, this will only run on Ubuntu 18.04, and tentatively on Debian
 Using It
 --------
-* Do a normal IIAB install (http://download.iiab.io), making sure to set both variables ``azuracast_install`` and ``azuracast_enabled`` to ``True`` when it prompts you to edit `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_, as you begin the installation. 
+* Do a normal IIAB install (https://download.iiab.io), making sure to set both variables ``azuracast_install`` and ``azuracast_enabled`` to ``True`` when it prompts you to edit `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_, as you begin the installation.
 * When the IIAB software install completes, it will ask you to reboot, and AzuraCast's console will then be available at http://box.lan:10080
 * This console site will prompt you to complete AzuraCast's initial setup: user accounts, managing stations, radio streams, etc.
 * Finally, check out some `how-to videos <https://www.youtube.com/watch?v=b1Rxlu5P804>`_ to learn to manage your own radio station!
--- a/roles/calibre-web/tasks/install.yml
+++ b/roles/calibre-web/tasks/install.yml
@ -51,7 +51,7 @@
 # VIRTUALENV EXAMPLE COMMANDS:
 # cd /usr/local/calibre-web-py3
 # source bin/activate
-# python3 -m pip list
+# python3 -m pip list    ('pip list' probably sufficient, likewise below)
 # python3 -m pip freeze > /tmp/requirements.txt
 # python3 -m pip install -r requirements.txt
 # deactivate
--- a/roles/calibre-web/tasks/main.yml
+++ b/roles/calibre-web/tasks/main.yml
@ -19,14 +19,14 @@
    quiet: yes
 - block:
  - name: Install Calibre-Web if 'calibreweb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: calibreweb_installed is undefined
  - include_tasks: enable-or-disable.yml
  - name: Add 'calibre-web' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -56,3 +56,10 @@
        value: "{{ calibreweb_port }}"
      - option: calibreweb_settings_database
        value: "{{ calibreweb_settings_database }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/calibre/defaults/main.yml
+++ b/roles/calibre/defaults/main.yml
@ -34,11 +34,11 @@ calibre_userdb: "{{ calibre_dbpath }}/users.sqlite"
 #   calibre-server --manage-users --userdb /library/calibre/users.sqlite
 calibre_sample_book: "Metamorphosis-jackson.epub"
-# Must be downloadable from http://download.iiab.io/packages
+# Must be downloadable from https://download.iiab.io/packages
 calibre_src_url: "https://raw.githubusercontent.com/kovidgoyal/calibre/master/setup/linux-installer.py"
-calibre_deb_url: "{{ iiab_download_url }}"    # http://download.iiab.io/packages
+calibre_deb_url: "{{ iiab_download_url }}"    # https://download.iiab.io/packages
 # Above URL must offer both .deb files below: (for scripts/calibre-install-pinned-rpi.sh to run)
 calibre_deb_pin_version: 3.33.1+dfsg-1    # for calibre_3.33.1+dfsg-1_all.deb (24M, 2018-10-21)
 calibre_bin_deb_pin_version: "{{ calibre_deb_pin_version }}"    # for calibre-bin_3.33.1+dfsg-1_armhf.deb (706K, 2018-10-23)
--- a/roles/calibre/tasks/enable-or-disable.yml
+++ b/roles/calibre/tasks/enable-or-disable.yml
@ -0,0 +1,29 @@
 # http://box:8080 & http://box:8080/mobile WORK BUT OTHER URL'S LIKE http://box/calibre ARE A MESS (BOOKS RARELY DISPLAY)
 #
 # 2018-08-27 POSSIBLE FIX...CONSIDER THIS ProxyPass / ProxyPassReverse TECHNIQUE:
 # https://github.com/iiab/iiab/tree/master/roles/calibre-web/templates/calibre-web.conf.j2
 #    (anyway this works great for calibre-web, allowing http://box/books
 #    to work even better than http://box:8083 when box == 192.168.0.x !)
 #
 #- name: Attempt to enable http://box/calibre via Apache (UNTESTED)
 #  command: a2ensite calibre.conf
 #  when: apache_installed and calibre_enabled
 #
 #- name: Attempt to disable http://box/calibre via Apache (UNTESTED)
 #  command: a2dissite calibre.conf
 #  when: apache_installed and not calibre_enabled
 - name: Enable & (Re)Start 'calibre-serve' service, if calibre_enabled
  systemd:
    daemon_reload: yes
    name: calibre-serve
    enabled: yes
    state: restarted
  when: calibre_enabled
 - name: Disable & Stop 'calibre-serve' service, if not calibre_enabled
  systemd:
    name: calibre-serve
    enabled: no
    state: stopped
  when: not calibre_enabled
--- a/roles/calibre/tasks/main.yml
+++ b/roles/calibre/tasks/main.yml
@ -19,48 +19,13 @@
    quiet: yes
 - block:
  - name: Install Calibre if 'calibre_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: calibre_installed is undefined
-# http://box:8080 & http://box:8080/mobile WORK BUT OTHER URL'S LIKE http://box/calibre ARE A MESS (BOOKS RARELY DISPLAY)
+  - include_tasks: enable-or-disable.yml
 #
 # 2018-08-27 POSSIBLE FIX...CONSIDER THIS ProxyPass / ProxyPassReverse TECHNIQUE:
 # https://github.com/iiab/iiab/tree/master/roles/calibre-web/templates/calibre-web.conf.j2
 #    (anyway this works great for calibre-web, allowing http://box/books
 #    to work even better than http://box:8083 when box == 192.168.0.x !)
 #
 #- name: Attempt to enable http://box/calibre via Apache (UNTESTED)
 #  command: a2ensite calibre.conf
 #  when: apache_installed and calibre_enabled
 #
 #- name: Attempt to disable http://box/calibre via Apache (UNTESTED)
 #  command: a2dissite calibre.conf
 #  when: apache_installed and not calibre_enabled
 - name: Enable & (Re)Start 'calibre-serve' service, if calibre_enabled
  systemd:
    daemon_reload: yes
    name: calibre-serve
    enabled: yes
    state: restarted
  when: calibre_enabled
 - name: Disable & Stop 'calibre-serve' service, if not calibre_enabled
  systemd:
    name: calibre-serve
    enabled: no
    state: stopped
  when: not calibre_enabled
 #- name: Enable/Disable/Restart Apache if primary
 #  include_tasks: apache.yml
 #  when: not nginx_enabled
 #
 #- name: Enable/Disable/Restart NGINX if primary
 #  include_tasks: nginx.yml
 #  when: nginx_enabled
  - name: Add 'calibre' variable values to {{ iiab_ini_file }}
    ini_file:
@ -81,3 +46,10 @@
        value: "{{ calibre_port }}"
      - option: calibre_enabled
        value: "{{ calibre_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/captiveportal/README.md
+++ b/roles/captiveportal/README.md
@ -1,4 +1,4 @@
-_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](http://wiki.laptop.org/go/IIAB/FAQ#Captive_Portal_Administration:_What_tips_.26_tricks_exist.3F)_
+_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](https://wiki.iiab.io/go/FAQ#Captive_Portal_Administration:_What_tips_&_tricks_exist%3F)_
 ## Theory of Operation
--- a/roles/captiveportal/tasks/install.yml
+++ b/roles/captiveportal/tasks/install.yml
@ -26,7 +26,7 @@
    mode: "{{ item.mode }}"
  with_items:
    - { src: roles/captiveportal/templates/checkurls, dest: /opt/iiab/captiveportal/, mode: '0644' }
-    - { src: roles/captiveportal/templates/iiab-divert-to-nginx, dest: /usr/sbin/, mode: '0755' }
+    - { src: roles/captiveportal/templates/iiab-divert-to-nginx.j2, dest: /usr/sbin/iiab-divert-to-nginx, mode: '0755' }
    - { src: roles/captiveportal/templates/iiab-make-cp-servers.py, dest: /usr/sbin/, mode: '0755' }
 - name: Install /opt/iiab/captiveportal/capture-wsgi.py from template, mode '0755' (creates the server)
--- a/roles/captiveportal/tasks/main.yml
+++ b/roles/captiveportal/tasks/main.yml
@ -19,14 +19,13 @@
    quiet: yes
 - block:
  - name: Install Captive Portal if 'captiveportal_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: captiveportal_installed is undefined
-
+  - include_tasks: enable-or-disable.yml
 - name: Enable or Disable Captive Portal
  include_tasks: enable-or-disable.yml
  - name: Add 'captiveportal' variable values to {{ iiab_ini_file }}
    ini_file:
@ -43,3 +42,10 @@
        value: "{{ captiveportal_install }}"
      - option: captiveportal_enabled
        value: "{{ captiveportal_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/captiveportal/templates/iiab-divert-to-nginx.j2
+++ b/roles/captiveportal/templates/iiab-divert-to-nginx.j2
@ -1,4 +1,4 @@
 #!/bin/bash -x
-awk '{print("address=/" $1 "/172.18.96.1")}' /opt/iiab/captiveportal/checkurls > /etc/dnsmasq.d/capture
+awk '{print("address=/" $1 "/{{ lan_ip }}")}' /opt/iiab/captiveportal/checkurls > /etc/dnsmasq.d/capture
 echo "#following tells windows 7 that captive portal is active" >> /etc/dnsmasq.d/capture
 echo "address=/dns.msftncsi.com/131.107.255.255" >> /etc/dnsmasq.d/capture
--- a/roles/cups/README.md
+++ b/roles/cups/README.md
@ -2,7 +2,7 @@
 [CUPS](https://en.wikipedia.org/wiki/CUPS) (also known as the "Common UNIX Printing System") is the standards-based, open source printing system for Linux and macOS.
-It allows your [Internet-in-a-Box (IIAB)](http://internet-in-a-box.org) to act as a print server.
+It allows your [Internet-in-a-Box (IIAB)](https://internet-in-a-box.org) to act as a print server.
 This can be useful if a printer is attached to your IIAB &mdash; so student/teacher print jobs from client computers and phones can be processed &mdash; and then sent to the appropriate printer.
--- a/roles/cups/tasks/install.yml
+++ b/roles/cups/tasks/install.yml
@ -76,14 +76,14 @@
    name: cups
    state: started
-# - name: "Authorize Nearby IP Addresses: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
+# - name: "Authorize Nearby IP Addresses: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://{{ lan_ip }}:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
 #   command: cupsctl --remote-admin --share-printers --user-cancel-any
 # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER:
 # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW.
 # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!)
- name: "Authorize All IP Addresses: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
+- name: "Authorize All IP Addresses: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://{{ lan_ip }}:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
  command: cupsctl --remote-any --share-printers --user-cancel-any
 # 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml
@ -96,7 +96,7 @@
 #   command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging
 #   when: not cups_enabled
-# - name: "2021-07-14: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'.  As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx').  Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!)  RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S MAY WORK, DEPENDING ON 'cupsctl' COMMAND(S) ABOVE: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631"
+# - name: "2021-07-14: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'.  As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx').  Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://{{ lan_ip }}/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!)  RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S MAY WORK, DEPENDING ON 'cupsctl' COMMAND(S) ABOVE: http://192.168.0.x:631, http://{{ lan_ip }}:631, http://10.8.0.x:631"
 #   lineinfile:
 #     path: /etc/cups/cupsd.conf
 #     line: "{{ item }}"
@ -105,7 +105,7 @@
 #     - "HostNameLookups On"    # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
 #     - "ServerAlias *"
 #     - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}"    # box.lan
-#     - "#Listen {{ lan_ip }}:631"    # 172.18.96.1
+#     - "#Listen {{ lan_ip }}:631"    # e.g. 10.10.10.10
 #     - "#Listen 127.0.0.1:631"
 #     - "#Listen 0.0.0.0:631"
 #     - "#Listen *:631"
--- a/roles/cups/templates/cups.conf.j2
+++ b/roles/cups/templates/cups.conf.j2
@ -21,7 +21,7 @@ location ~ ^/print(|/.*)$ {    # '~' -> '~*' for case-insensitive regex
        return 301 http://localhost:631;
    }
-    return 301 http://$host:631;   # For 192.168.0.x, 172.18.96.1, 10.8.0.y ETC
+    return 301 http://$host:631;   # For 192.168.0.x, 10.10.10.10, 172.18.96.1, 10.8.0.y ETC
 }
--- a/roles/firmware/tasks/download.yml
+++ b/roles/firmware/tasks/download.yml
@ -9,19 +9,19 @@
    - brcmfmac43455-sdio.clm_blob
  ignore_errors: yes
- name: Download higher-capacity firmware (for RPi internal WiFi, per https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and https://github.com/iiab/iiab/issues/2853)
+- name: Download higher-capacity firmwares (for RPi internal WiFi, per https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and https://github.com/iiab/iiab/issues/2853)
  get_url:
-    url: "{{ item }}"
+    url: "{{ iiab_download_url }}/{{ item }}"
    dest: /lib/firmware/brcm/
    timeout: "{{ download_timeout }}"
  with_items:
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- from https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
+    - brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- from https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal      # 24 -- from https://github.com/iiab/iiab/issues/2853#issuecomment-934293015
+    - brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal      # 24 -- from https://github.com/iiab/iiab/issues/2853#issuecomment-934293015
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- from https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
+    - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- from https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1    # 32 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
+    - brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1    # 32 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
+    - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
-    - http://d.iiab.io/packages/brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65             # 30 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
+    - brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65             # 30 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
-    - http://d.iiab.io/packages/brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65
+    - brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65
 # RECORD firmware AS DOWNLOADED
--- a/roles/gitea/tasks/enable-or-disable.yml
+++ b/roles/gitea/tasks/enable-or-disable.yml
@ -1,3 +1,19 @@
 - name: Enable & Restart 'gitea' systemd service, if gitea_enabled
  systemd:
    name: gitea
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: gitea_enabled
 - name: Disable & Stop 'gitea' systemd service, if not gitea_enabled
  systemd:
    name: gitea
    enabled: no
    state: stopped
  when: not gitea_enabled
 - name: Enable http://box{{ gitea_url }} via NGINX, by installing {{ nginx_conf_dir }}/gitea-nginx.conf from template
  template:
    src: gitea-nginx.conf.j2
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -19,29 +19,13 @@
    quiet: yes
 - block:
  - name: Install Gitea {{ gitea_version }} if 'gitea_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: gitea_installed is undefined
-
+  - include_tasks: enable-or-disable.yml
 - name: Enable & Restart 'gitea' systemd service, if gitea_enabled
  systemd:
    name: gitea
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: gitea_enabled
 - name: Disable & Stop 'gitea' systemd service, if not gitea_enabled
  systemd:
    name: gitea
    enabled: no
    state: stopped
  when: not gitea_enabled
 - name: Enable/Disable/Restart NGINX
  include_tasks: nginx.yml
  - name: Add 'gitea' to list of services at {{ iiab_ini_file }}
    ini_file:
@ -62,3 +46,10 @@
        value: "{{ gitea_run_directory }}"
      - option: gitea_url
        value: "{{ gitea_url }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/iiab-admin/README.rst
+++ b/roles/iiab-admin/README.rst
@ -13,7 +13,7 @@
 iiab-admin README
 =================
-`Internet-in-a-Box <http://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community.
+`Internet-in-a-Box <https://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community.
 This Ansible playbook is one of the very first that runs when you install IIAB, and we hope reading this helps you understand your choices:
@ -21,11 +21,11 @@ Configure user 'iiab-admin'
 ---------------------------
 * `admin-user.yml <tasks/admin-user.yml>`_ configures a Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}.
-   * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here.
+   * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (https://download.iiab.io) or by your underlying OS, that too will be taken care of here.
 * By default this user is ``iiab-admin`` with password ``g0adm1n``
   * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin**
   * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password.
-* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!)
+* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ (preferably do this prior to installing IIAB!)
   * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!)
   * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually.
@ -36,14 +36,14 @@ Security
   #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
   #. ``sudo``
 * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
-* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security
+* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
 * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).
 Example
 =======
 * If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this:
-   #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
+   #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_
   #. Make sure that ``iiab_admin_user_install: True`` is also set.
   #. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin``
--- a/roles/iiab-admin/tasks/main.yml
+++ b/roles/iiab-admin/tasks/main.yml
@ -23,7 +23,7 @@
 # (1) by the OS installer
 # (2) by the OS's graphical desktop tools
 # (3) at the command-line: sudo passwd iiab-admin
-# (4) by IIAB's 1-line installer: http://download.iiab.io
+# (4) by IIAB's 1-line installer: https://download.iiab.io
 # (5) by this role: roles/iiab-admin/tasks/admin-user.yml
 # (6) by IIAB's Admin Console during installation
 # ...and/or...
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
@ -19,7 +19,7 @@ check_user_pwd() {
    # enough when user does not exist.  Or uncomment to FORCE ERROR CODE 2.
    # Either way, overall bash script still returns exit code 0 ("success")
-    # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RaspiOS ships w/
+    # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RasPiOS ships w/
    # /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL"
    # (read access to /etc/shadow is otherwise restricted to just root and
    # group www-data i.e. Apache, NGINX get special access).  SEE: #2431, #2561
--- a/roles/internetarchive/README.md
+++ b/roles/internetarchive/README.md
@ -8,7 +8,7 @@ Access to our library of millions of books, journals, audio and video recordings
 This Ansible role installs the Internet Archive's dweb-mirror project on
 Internet-in-a-Box (IIAB).  Use this to build up a dynamic offline library
-arising from the materials you can explore at http://dweb.archive.org
+arising from the materials you can explore at https://dweb.archive.org
 The Offline Internet Archive server:
@ -248,7 +248,7 @@ and just checks the content is up to date.
 ## Managing collections on Internet Archive
-You can create and manage your own collections on the [Internet Archive site](http://www.archive.org).  
+You can create and manage your own collections on the [Internet Archive site](https://www.archive.org).  
 Other people can then crawl those collections. 
 First get in touch with Mitra Ardron at `mitra@archive.org`, as processes may have changed since this is written.
--- a/roles/internetarchive/tasks/enable-or-disable.yml
+++ b/roles/internetarchive/tasks/enable-or-disable.yml
@ -1,3 +1,19 @@
 - name: Enable & Restart 'internetarchive' systemd service, if internetarchive_enabled
  systemd:
    name: internetarchive
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: internetarchive_enabled
 - name: Disable & Stop 'internetarchive' systemd service, if not internetarchive_enabled
  systemd:
    name: internetarchive
    enabled: no
    state: stopped
  when: not internetarchive_enabled
 - name: Enable http://box/archive via NGINX, by installing {{ nginx_conf_dir }}/internetarchive-nginx.conf from template
  template:
    src: internetarchive-nginx.conf.j2    # TO DO: roles/internetarchive/templates/internetarchive-nginx.conf.j2
--- a/roles/internetarchive/tasks/main.yml
+++ b/roles/internetarchive/tasks/main.yml
@ -19,8 +19,10 @@
    quiet: yes
 - block:
  # 2020-02-11: @mitra42 & @holta agree (#2247) that the following 2-stanza
-# "UPDATE internetarchive" block should run whenever one isn't installing
+  # "UPDATE internetarchive" portion should run whenever one isn't installing
  # (or reinstalling) internetarchive, for now.  We're aware this means slowness
  # during "./runrole internetarchive" but that's very intentional for now -- as
  # it leads to more testing of more recent versions of internetarchive, which
@ -29,20 +31,18 @@
  # --upgrade internetarchive" or "./runrole --update internetarchive" or such,
  # as may evolve @ https://github.com/iiab/iiab/pull/2238#discussion_r376168178
 - block:    # BEGIN 2-STANZA BLOCK
  - name: "UPGRADE: Stop 'internetarchive' systemd service, if internetarchive_installed is defined"
    systemd:
      name: internetarchive
      daemon_reload: yes
      state: stopped
    when: internetarchive_installed is defined
  - name: "UPGRADE: Run 'yarn upgrade' in {{ internetarchive_dir }}, if internetarchive_installed is defined"
    shell: yarn config set child-concurrency 1 && yarn install && yarn upgrade
    args:
      chdir: "{{ internetarchive_dir }}"
-
+    when: internetarchive_installed is defined
  when: internetarchive_installed is defined    # END 2-STANZA BLOCK
  # "ELSE" INSTALL...
@ -51,30 +51,7 @@
    when: internetarchive_installed is undefined
-# ENABLE/DISABLE/RESTART SYSTEMD SERVICE & WEB SERVERS AS NEC ?
+  - include_tasks: enable-or-disable.yml
 - name: Enable & Restart 'internetarchive' systemd service, if internetarchive_enabled
  systemd:
    name: internetarchive
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: internetarchive_enabled
 - name: Disable & Stop 'internetarchive' systemd service, if not internetarchive_enabled
  systemd:
    name: internetarchive
    enabled: no
    state: stopped
  when: not internetarchive_enabled
 # - name: Enable/Disable/Restart Apache if primary
 #   include_tasks: apache.yml
 #   when: apache_installed is defined and not nginx_enabled
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
  #when: nginx_enabled
  - name: Add 'internetarchive' variable values to {{ iiab_ini_file }}
@ -92,3 +69,10 @@
        value: "{{ internetarchive_install }}"
      - option: internetarchive_enabled
        value: "{{ internetarchive_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/jupyterhub/README.md
+++ b/roles/jupyterhub/README.md
@ -74,4 +74,4 @@ _WARNING: If on login users see "500 : Internal Server Error", you may need to r
 While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.
-He explains PAWS as a "powerful Python execution environment http://paws.wmcloud.org [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."
+He explains PAWS as a "powerful Python execution environment https://paws.wmcloud.org = https://wikitech.wikimedia.org/wiki/PAWS [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."
--- a/roles/jupyterhub/tasks/install.yml
+++ b/roles/jupyterhub/tasks/install.yml
@ -33,21 +33,33 @@
    global: yes
    state: latest
- name: "pip install 7 packages into virtual environment: {{ jupyterhub_venv }} (~217 MB)"
+- name: "pip install 3 packages into virtual environment: {{ jupyterhub_venv }} (~304 MB total, after 2 Ansible calls)"
  pip:
    name:
      - pip
      - wheel
      - ipywidgets
      - jupyterhub
    virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
    virtualenv_site_packages: no
    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RasPiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
    #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
    extra_args: "--no-cache-dir"    # 2021-11-30, 2022-07-07: The "--pre" flag had earlier been needed, for beta-like pre-releases of JupyterHub 2.0.0
 # 2022-07-07: Attempting to "pip install" all 7 together (3 above + 4 below)
 # fails on OS's like 64-bit RasPiOS (but interestingly works on Ubuntu 22.04!)
 # https://github.com/iiab/iiab/issues/3283
 - name: Break up jupyterhub/jupyterlab pip installs into 2 parts (3 packages above + 4 packages here) due to mutual dependency deadlock on some OS's
  pip:
    name:
      - jupyterlab
      - jupyterhub_firstuseauthenticator
      - jupyterhub-systemdspawner
-    virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
+      - ipywidgets
    virtualenv: "{{ jupyterhub_venv }}"
    virtualenv_site_packages: no
-    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RaspiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    
-    #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
+    extra_args: "--no-cache-dir"
    extra_args: "--no-cache-dir --pre"    # 2021-11-30: The "--pre" flag should likely be removed after JupyterHub 2.0.0 is released.
 - name: "Install from template: {{ jupyterhub_venv }}/etc/jupyterhub/jupyterhub_config.py"
  template:
@ -59,20 +71,21 @@
    src: jupyterhub.service.j2
    dest: /etc/systemd/system/jupyterhub.service
- name: Install {{ jupyterhub_venv }}/bin/getsite.py from template, to fetch site_packages path, e.g. {{ jupyterhub_venv }}/lib/python{{ python_ver }}/site-packages
+# 2022-07-07: No longer needed, thx to upstream fixes
-  template:
+# - name: Install {{ jupyterhub_venv }}/bin/getsite.py from template, to fetch site_packages path, e.g. {{ jupyterhub_venv }}/lib/python{{ python_ver }}/site-packages
-    src: getsite.py.j2
+#   template:
-    dest: "{{ jupyterhub_venv }}/bin/getsite.py"
+#     src: getsite.py.j2
-    mode: 0755
+#     dest: "{{ jupyterhub_venv }}/bin/getsite.py"
-
+#     mode: 0755
- name: Install patch_FUA.sh from template -- to (1) fix async password-changing page, and (2) force usernames to lowercase -- patching $SITE_PACKAGES/firstuseauthenticator/firstuseauthenticator.py
+#
-  template:
+# - name: Install patch_FUA.sh from template -- to (1) fix async password-changing page, and (2) force usernames to lowercase -- patching $SITE_PACKAGES/firstuseauthenticator/firstuseauthenticator.py
-    src: patch_FUA.sh.j2
+#   template:
-    dest: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
+#     src: patch_FUA.sh.j2
-    mode: 0755
+#     dest: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
-
+#     mode: 0755
- name: "Run the above two, via: {{ jupyterhub_venv }}/bin/patch_FUA.sh"
+#
-  command: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
+# - name: "Run the above two, via: {{ jupyterhub_venv }}/bin/patch_FUA.sh"
 #   command: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
 - name: Install patch_http-warning.sh from template, to turn off the warning about http insecurity, in {{ jupyterhub_venv }}/share/jupyterhub/templates/login.html
  template:
--- a/roles/jupyterhub/tasks/main.yml
+++ b/roles/jupyterhub/tasks/main.yml
@ -19,14 +19,14 @@
    quiet: yes
 - block:
  - name: Install Jupyter if jupyterhub_installed not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: jupyterhub_installed is undefined
  - include_tasks: enable-or-disable.yml
  - name: Add 'jupyterhub' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -42,3 +42,10 @@
        value: "{{ jupyterhub_install }}"
      - option: jupyterhub_enabled
        value: "{{ jupyterhub_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/jupyterhub/templates/getsite.py.j2.unused
+++ b/roles/jupyterhub/templates/getsite.py.j2.unused
--- a/roles/jupyterhub/templates/patch_FUA.sh.j2.unused
+++ b/roles/jupyterhub/templates/patch_FUA.sh.j2.unused
--- a/roles/kalite/tasks/enable-or-disable.yml
+++ b/roles/kalite/tasks/enable-or-disable.yml
@ -0,0 +1,14 @@
 - name: Enable & (Re)Start 'kalite-serve' service, if kalite_enabled
  systemd:
    daemon_reload: yes
    name: kalite-serve
    enabled: yes
    state: restarted
  when: kalite_enabled
 - name: Disable & Stop 'kalite-serve' service, if not kalite_enabled
  systemd:
    name: kalite-serve
    enabled: no
    state: stopped
  when: not kalite_enabled
--- a/roles/kalite/tasks/install.yml
+++ b/roles/kalite/tasks/install.yml
@ -65,7 +65,7 @@
    replace: 'a-zA-Z0-9\-'
  when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
-  # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RaspiOS 11+ too?
+  # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RasPiOS 11+ too?
 - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20
  replace:
--- a/roles/kalite/tasks/main.yml
+++ b/roles/kalite/tasks/main.yml
@ -19,26 +19,13 @@
    quiet: yes
 - block:
  - name: Install KA Lite if 'kalite_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: kalite_installed is undefined
-
+  - include_tasks: enable-or-disable.yml
 - name: Enable & (Re)Start 'kalite-serve' service, if kalite_enabled
  systemd:
    daemon_reload: yes
    name: kalite-serve
    enabled: yes
    state: restarted
  when: kalite_enabled
 - name: Disable & Stop 'kalite-serve' service, if not kalite_enabled
  systemd:
    name: kalite-serve
    enabled: no
    state: stopped
  when: not kalite_enabled
  - name: Add 'kalite' variable values to {{ iiab_ini_file }}
    ini_file:
@ -59,3 +46,10 @@
        value: "{{ kalite_root }}"
      - option: port
        value: "{{ kalite_server_port }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/kiwix/defaults/main.yml
+++ b/roles/kiwix/defaults/main.yml
@ -22,9 +22,9 @@
 kiwix_library_xml: "{{ iiab_zim_path }}/library.xml"
 # 3 lines below specify which version(s) of kiwix-tools to download from...
-# http://download.iiab.io/packages/ ...as originally obtained from...
+# https://download.iiab.io/packages/ ...as originally obtained from...
-# http://download.kiwix.org/release/kiwix-tools/ ...or sometimes...
+# https://download.kiwix.org/release/kiwix-tools/ ...or sometimes...
-# http://download.kiwix.org/nightly/
+# https://download.kiwix.org/nightly/
 kiwix_version_armhf: kiwix-tools_linux-armhf-3.3.0
 kiwix_version_linux64: kiwix-tools_linux-x86_64-3.3.0
--- a/roles/kiwix/tasks/install.yml
+++ b/roles/kiwix/tasks/install.yml
@ -34,7 +34,7 @@
 - name: Download {{ iiab_download_url }}/{{ kiwix_src_file }} to /opt/iiab/downloads
  get_url:
-    url: "{{ iiab_download_url }}/{{ kiwix_src_file }}"    # http://download.iiab.io/packages
+    url: "{{ iiab_download_url }}/{{ kiwix_src_file }}"    # https://download.iiab.io/packages
    dest: "{{ downloads_dir }}/{{ kiwix_src_file }}"    # /opt/iiab/downloads
    timeout: "{{ download_timeout }}"
--- a/roles/kiwix/tasks/main.yml
+++ b/roles/kiwix/tasks/main.yml
@ -19,14 +19,14 @@
    quiet: yes
 - block:
  - name: Install Kiwix if 'kiwix_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: kiwix_installed is undefined
  - include_tasks: enable-or-disable.yml
  - name: Add 'kiwix' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"
@ -54,3 +54,10 @@
        value: "{{ iiab_zim_path }}"
      - option: kiwix_library_xml
        value: "{{ kiwix_library_xml }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/kolibri/tasks/main.yml
+++ b/roles/kolibri/tasks/main.yml
@ -19,6 +19,8 @@
    quiet: yes
 - block:
  #- name: "Set 'kolibri_provision: False' for a more lightweight (re)install"
  #  set_fact:
  #    kolibri_provision: False
@ -53,3 +55,10 @@
        value: "{{ kolibri_exec_path }}"
      - option: kolibri_port
        value: "{{ kolibri_http_port }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/kolibri/templates/kolibri.service.j2
+++ b/roles/kolibri/templates/kolibri.service.j2
@ -10,7 +10,7 @@ Environment=KOLIBRI_HTTP_PORT={{ kolibri_http_port }}
 Environment=KOLIBRI_URL_PATH_PREFIX={{ kolibri_url_without_slash }}
 User={{ kolibri_user }}
 Group={{ apache_user }}
-# 2020-10-03: Kolibri was timing out on RaspiOS & Ubuntu 20 NUC: iiab/iiab#2555
+# 2020-10-03: Kolibri was timing out on RasPiOS & Ubuntu 20 NUC: iiab/iiab#2555
 TimeoutStartSec=1200
 # The following is the systemd default, which is too much for most teachers in
 # low-electricity environments (30-60 sec is about all they can handle before
--- a/roles/lokole/README.rst
+++ b/roles/lokole/README.rst
@ -17,9 +17,9 @@ For an up-to-date list of supported languages, refer to the `Lokole translations
 Using It
 --------
-If your IIAB was `installed <http://wiki.laptop.org/go/IIAB/FAQ#Is_a_quick_installation_possible.3F>`_ with the Lokole web app[*] it can be accessed at http://box/lokole
+If your IIAB was `installed <https://wiki.iiab.io/go/FAQ#Is_a_quick_installation_possible%3F>`_ with the Lokole web app[*] it can be accessed at http://box/lokole
-[*] If you're not sure, verify that your IIAB's `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ contains ``lokole_install: True`` and ``lokole_enabled: True``
+[*] If you're not sure, verify that your IIAB's `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ contains ``lokole_install: True`` and ``lokole_enabled: True``
 By default in an offline community, ``lokole_sim_type: LocalOnly`` is set (e.g. instead of ``lokole_sim_type: Ethernet``) and email addresses will look like:
@ -85,7 +85,7 @@ The Lokole software can be configured to access the Internet via USB modem, SIM
 If configured to work with a USB modem or other form of Internet connection, Lokole will sync with the cloud server (operated by `Ascoderu <https://ascoderu.ca/>`_) on a nightly basis to deliver and receive emails globally.  *However, arranging this is extremely complicated.*  You would need a compatible form of connection and an Internet expert familiar with modem protocols, MX records, etc.  Ask that person to read the `Lokole software README <https://github.com/ascoderu/lokole/blob/master/README.rst>`_ in its entirety, to help you understand whether this is realistic for your organization.
-Lokole and Internet-in-a-Box would welcome a business plan (whether volunteer-based, grant-based or for-profit) from someone willing to operationalize this — making it relatively hassle-free for schools, clinics, libraries and orphanages around the world — that generally do not have access to technical experts.  Please `contact us <http://wiki.laptop.org/go/IIAB/FAQ#What_are_the_best_places_for_community_support.3F>`_ if you have the capacity to help make such a social enterprise happen.
+Lokole and Internet-in-a-Box would welcome a business plan (whether volunteer-based, grant-based or for-profit) from someone willing to operationalize this — making it relatively hassle-free for schools, clinics, libraries and orphanages around the world — that generally do not have access to technical experts.  Please `contact us <https://wiki.iiab.io/go/FAQ#What_are_the_best_places_for_community_support%3F>`_ if you have the capacity to help make such a social enterprise happen.
 Troubleshooting
 ---------------
--- a/roles/lokole/tasks/main.yml
+++ b/roles/lokole/tasks/main.yml
@ -19,6 +19,8 @@
    quiet: yes
 - block:
  - name: Install Lokole if lokole_installed is not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: lokole_installed is undefined
@ -69,3 +71,10 @@
        value: "{{ lokole_url }}"
      - option: lokole_full_url
        value: "{{ lokole_full_url }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/mediawiki/defaults/main.yml
+++ b/roles/mediawiki/defaults/main.yml
@ -5,7 +5,7 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 mediawiki_major_version: 1.38    # "1.35" also works
-mediawiki_minor_version: 1
+mediawiki_minor_version: 2
 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
 mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"
--- a/roles/mediawiki/tasks/main.yml
+++ b/roles/mediawiki/tasks/main.yml
@ -19,15 +19,15 @@
    quiet: yes
 - block:
  - name: Install MediaWiki {{ mediawiki_version }} if 'mediawiki_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: mediawiki_installed is undefined
  - name: Enable/Disable/Restart NGINX
    include_tasks: nginx.yml
  - name: Add 'mediawiki' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -55,3 +55,10 @@
        value: "{{ mediawiki_url }}"
      - option: mediawiki_full_url
        value: "{{ mediawiki_full_url }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/minetest/README.rst
+++ b/roles/minetest/README.rst
@ -23,7 +23,7 @@ No password is required.
 Configurable Parameters
 -----------------------
-If changes are necessary, please edit `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (adding any variables that you need) prior to installation if possible:
+If changes are necessary, please edit `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ (adding any variables that you need) prior to installation if possible:
 - ``minetest_install:`` set Minetest up to install; default is False
 - ``minetest_enabled:`` set Minetest up to be enabled; default is False
--- a/roles/minetest/tasks/main.yml
+++ b/roles/minetest/tasks/main.yml
@ -19,14 +19,14 @@
    quiet: yes
 - block:
  - name: Install Minetest if 'minetest_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: provision.yml    # i.e. install.yml in other roles
    when: minetest_installed is undefined
  - include_tasks: enable-or-disable.yml
  - name: Add 'minetest' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -48,3 +48,10 @@
        value: "{{ minetest_port }}"
      - option: minetest_world_dir
        value: "{{ minetest_world_dir }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/mongodb/tasks/enable-or-disable.yml
+++ b/roles/mongodb/tasks/enable-or-disable.yml
@ -1,6 +1,7 @@
 - name: Enable & (Re)Start 'mongodb.service' if mongodb_enabled
  systemd:
    name: mongodb
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: mongodb_enabled
--- a/roles/mongodb/tasks/install.yml
+++ b/roles/mongodb/tasks/install.yml
@ -10,7 +10,7 @@
 # being used on Raspbian, all I found! (Raspbian's apt pkg is MongoDB 2.4.14)
 #
 # mongodb_stretch_3_0_14_core.zip (20M) & mongodb_stretch_3_0_14_tools.zip (15M)
-# were backed up from andyfelong.com to http://download.iiab.io/packages/
+# were backed up from andyfelong.com to https://download.iiab.io/packages/
 #
 # CLARIF: mongodb_stretch_3_0_14_core.zip IS IN FACT 3.0.14 (core) BUT...
 #         mongodb_stretch_3_0_14_tools.zip IS REALLY 3.0.15 (tools)
@ -21,16 +21,16 @@
      path: /tmp/mongodb-3.0.1x
      state: directory
-  - name: Download & unzip 20MB http://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
+  - name: Download & unzip 20MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
    unarchive:
      remote_src: yes
-      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # http://download.iiab.io/packages
+      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # https://download.iiab.io/packages
      dest: /tmp/mongodb-3.0.1x
  - name: Install (move) its 3 CORE binaries from /tmp/mongodb-3.0.1x/core to /usr/bin (aarch32)
    shell: mv /tmp/mongodb-3.0.1x/core/* /usr/bin
-  - name: Download & unzip 15MB http://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
+  - name: Download & unzip 15MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
    unarchive:
      remote_src: yes
      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_tools.zip"
@ -85,11 +85,11 @@
  - name: Install mongodb-org's Debian buster source/repo (we only use x86_64 i.e. arm64) for MongoDB version {{ mongodb_64bit_version }}
    apt_repository:
-      # 2020-10-28 and 2022-06-09: http://repo.mongodb.org/apt/debian/dists/
+      # 2020-10-28 and 2022-06-09: https://repo.mongodb.org/apt/debian/dists/
      # supports only {Buster 10, Stretch 9, Jessie 8, Wheezy 7}.  So Bullseye
      # 11 and Bookworm 12 (testing branch) revert to buster for now:
-      repo: deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_64bit_version }} main
+      repo: deb https://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_64bit_version }} main
-      #repo: deb http://repo.mongodb.org/apt/debian {{ ansible_distribution_release }}/mongodb-org/4.4 main
+      #repo: deb https://repo.mongodb.org/apt/debian {{ ansible_distribution_release }}/mongodb-org/4.4 main
      state: present
      filename: mongodb-org
    when: is_debian and ansible_architecture == "x86_64"
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@ -44,16 +44,16 @@
 # ELSE...
 - block:
  - name: Install MongoDB if 'mongodb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: mongodb_installed is undefined
    # when: mongodb_installed is undefined and not (ansible_architecture == "aarch64" and is_debian_10 and not is_raspbian)
-
+  - name: Enable or Disable MongoDB (FYI sugarizer.service auto-starts MongoDB as nec, so doesn't need this or care what happens here!)
 - name: Enable or Disable MongoDB, if mongodb_installed is defined (sugarizer.service auto-starts MongoDB as nec, so doesn't need this or care what happens here!)
    include_tasks: enable-or-disable.yml
  when: mongodb_installed is defined
  - name: Add 'mongodb' variable values to {{ iiab_ini_file }}
    ini_file:
@ -70,3 +70,10 @@
        value: "{{ mongodb_install }}"
      - option: mongodb_enabled
        value: "{{ mongodb_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/monit/tasks/main.yml
+++ b/roles/monit/tasks/main.yml
@ -19,6 +19,8 @@
    quiet: yes
 - block:
  # 2019-07-06: The 'monit' package was suddenly removed from Debian 10.0.0
  # "Buster" during the very final days prior to release, as confirmed by the
  # sudden disappearance of these 2 pages:
@ -59,3 +61,10 @@
        value: '"Monit is a background service monitor which can correct problems, send email, restart services."'
      - option: enabled
        value: "{{ monit_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/monit/templates/monitrc.unused
+++ b/roles/monit/templates/monitrc.unused
@ -65,7 +65,7 @@ set daemon  300              # check services at 5-minute intervals
 #
 #
 ## Send status and events to M/Monit (for more informations about M/Monit 
-## see http://mmonit.com/). By default Monit registers credentials with 
+## see https://mmonit.com/). By default Monit registers credentials with 
 ## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
 ## have to register Monit credentials manually in M/Monit. It is possible to
 ## disable credential registration using the commented out option below. 
--- a/roles/moodle/tasks/main.yml
+++ b/roles/moodle/tasks/main.yml
@ -19,14 +19,14 @@
    quiet: yes
 - block:
  - name: Install Moodle if 'moodle_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: moodle_installed is undefined
  - include_tasks: enable-or-disable.yml
  - name: Add 'moodle' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -44,3 +44,10 @@
        value: "{{ moodle_enabled }}"
      - option: moodle_base
        value: "{{ moodle_base }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/mosquitto/README.rst
+++ b/roles/mosquitto/README.rst
@ -9,7 +9,7 @@ Roughly follows this guide: https://www.digitalocean.com/community/tutorials/how
 Using It
 --------
-Prior to installing IIAB, make sure your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ contains::
+Prior to installing IIAB, make sure your `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ contains::
  mosquitto_install: True
  mosquitto_enabled: True
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@ -19,14 +19,14 @@
    quiet: yes
 - block:
  - name: Install Mosquitto if 'mosquitto_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: mosquitto_installed is undefined
  - include_tasks: enable-or-disable.yml
  - name: Add 'mosquitto' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -42,3 +42,10 @@
        value: "{{ mosquitto_install }}"
      - option: mosquitto_enabled
        value: "{{ mosquitto_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/munin/tasks/enable-or-disable.yml
+++ b/roles/munin/tasks/enable-or-disable.yml
@ -1,3 +1,19 @@
 - name: Enable & Start 'munin-node' systemd service
  systemd:
    name: munin-node
    daemon_reload: yes
    enabled: yes
    state: started
  when: munin_enabled
 - name: Disable & Stop 'munin-node' systemd service
  systemd:
    name: munin-node
    enabled: no
    state: stopped
  when: not munin_enabled
 - name: Enable http://box/munin via NGINX, by installing {{ nginx_conf_dir }}/munin24-nginx.conf from template
  template:
    src: munin24-nginx.conf.j2
--- a/roles/munin/tasks/main.yml
+++ b/roles/munin/tasks/main.yml
@ -19,29 +19,13 @@
    quiet: yes
 - block:
  - name: Install Munin if 'munin_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: munin_installed is undefined
-
+  - include_tasks: enable-or-disable.yml
 - name: Enable & Start 'munin-node' systemd service
  systemd:
    name: munin-node
    daemon_reload: yes
    enabled: yes
    state: started
  when: munin_enabled
 - name: Disable & Stop 'munin-node' systemd service
  systemd:
    name: munin-node
    enabled: no
    state: stopped
  when: not munin_enabled
 - name: Enable/Disable/Restart NGINX
  include_tasks: nginx.yml
  - name: Add 'munin' variable values to {{ iiab_ini_file }}
    ini_file:
@ -58,3 +42,10 @@
        value: "{{ munin_install }}"
      - option: munin_enabled
        value: "{{ munin_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/network/README.rst
+++ b/roles/network/README.rst
@ -2,7 +2,7 @@
 Network README
 ==============
-This is run by `Ansible <http://wiki.laptop.org/go/IIAB/FAQ#What_is_Ansible_and_what_version_should_I_use.3F>`_ after it has installed the core (`Stages 0-to-9 <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_) of `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org>`_ and its apps/services.
+This is run by `Ansible <https://wiki.iiab.io/go/FAQ#What_is_Ansible_and_what_version_should_I_use%3F>`_ after it has installed the core (`Stages 0-to-9 <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_) of `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org>`_ and its apps/services.
 Specifically, this 'network' role is run...
--- a/roles/network/defaults/main.yml
+++ b/roles/network/defaults/main.yml
@ -27,6 +27,7 @@
 # hostapd_enabled: True
 # Above set in /opt/iiab/iiab/vars/default_vars.yml
 hostapd_wait: 10
 host_wireless_n: False
 driver_name: nl80211
@ -63,7 +64,8 @@ can_be_ap: False
 exclude_devices: none
 device_gw: none
 prior_gw_device: unset
-
+# 2022-06-29: Legacy vars no longer used by roles/0-init
 discovered_wan_iface: none      # 2021-07-30: Very broadly used!
 iiab_wan_iface: none
 iiab_lan_iface: none
 discovered_lan_iface: none
--- a/roles/network/tasks/computed_network.yml
+++ b/roles/network/tasks/computed_network.yml
@ -172,3 +172,5 @@
      value: "{{ iiab_lan_iface }}"
    - option: iiab_network_mode
      value: "{{ iiab_network_mode }}"
    - option: network_enabled
      value: "{{ network_enabled }}"
--- a/roles/network/tasks/detected_network.yml
+++ b/roles/network/tasks/detected_network.yml
@ -1,3 +1,13 @@
 # Similar code block in roles/vnstat/tasks/install.yml
 - name: Do we have a gateway? If 'ip route' specifies a default route, Ansible parses details here...
  debug:
    var: ansible_default_ipv4
 - name: "If above ansible_default_ipv4.gateway is defined, set WAN candidate 'discovered_wan_iface: {{ ansible_default_ipv4.alias }}' -- using ansible_default_ipv4.alias"
  set_fact:
    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
  when: ansible_default_ipv4.gateway is defined
 # so this works
 - name: Interface count
  shell: ls /sys/class/net | grep -v {{ virtual_network_devices }} | wc | awk '{print $1}'
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
@ -32,8 +32,8 @@
    # mode: "{{ item.mode }}"
  with_items:
   - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf' }
-   - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/' }
+   - { src: 'named/school.local.zone.db.j2', dest: '/var/named-iiab/school.local.zone.db' }
-   - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/' }
+   - { src: 'named/school.internal.zone.db.j2', dest: '/var/named-iiab/school.internal.zone.db' }
  when: named_install and named_enabled
 - name: Enable named service ({{ dns_service }}) if named_enabled
--- a/roles/network/tasks/hostapd.yml
+++ b/roles/network/tasks/hostapd.yml
@ -50,21 +50,8 @@
    mode: 0644
  when: not wifi_up_down and can_be_ap
- name: Create /usr/bin/iiab-hotspot-on from template
+# 2022-07-11: Install of iiab-hotspot-on|off moved to network/tasks/main.yml
-  template:
+# as required for Admin Console
    src: hostapd/iiab-hotspot-on
    dest: /usr/bin/iiab-hotspot-on
    owner: root
    group: root
    mode: 0755
 - name: Create /usr/bin/iiab-hotspot-off from template
  template:
    src: hostapd/iiab-hotspot-off
    dest: /usr/bin/iiab-hotspot-off
    owner: root
    group: root
    mode: 0755
 - name: Create dhcpcd hook for hostapd and ap0 when wifi_up_down True
  template:
--- a/roles/2-common/tasks/network.yml
+++ b/roles/2-common/tasks/network.yml
@ -1,6 +1,9 @@
 # 2022-03-16: 'apt show <pkg> | grep Size' revealed download sizes, on 64-bit RasPiOS with desktop.
- name: Install package networkd-dispatcher (OS's other than RaspiOS)
+- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
  include_tasks: roles/network/tasks/dnsmasq.yml
 - name: Install package networkd-dispatcher (OS's other than RasPiOS)
  package:
    name: networkd-dispatcher    # 15kB download: Dispatcher service for systemd-networkd connection status changes
    state: present
@ -16,19 +19,19 @@
 # total download size) and they can help IIAB field operators with BOTH
 # (1) internal WiFi AND (2) USB WiFi devices inserted anytime/later.
- name: 'Install 11 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, rfkill, wpasupplicant, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
+- name: 'Install 11 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, rfkill, wireless-tools, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
  package:
    name:
-      - avahi-daemon           #   97kB download: RaspiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
+      - avahi-daemon           #   97kB download: RasPiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
      #- avahi-discover        #   46kB download: 2021-07-27: Commented out long ago
      - hostapd                #  764kB download: IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
      #- inetutils-syslogd     #  240kB download: 2021-07-27: Error logging facility -- holdover from the XO days, journalctl has replaced this in newer distros
-      - iproute2               #  902kB download: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
+      - iproute2               #  902kB download: RasPiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
      - iptables-persistent    #   12kB download: Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!
      - iw                     #   97kB download: RasPiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/iiab-clone-wifi.service.j2
-      - libnss-mdns            #   27kB download: RaspiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
+      - libnss-mdns            #   27kB download: RasPiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
      - netmask                #   25kB download: Handy utility -- helps determine network masks
-      - net-tools              #  248kB download: RaspiOS installs this regardless -- @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
+      - net-tools              #  248kB download: RasPiOS installs this regardless -- @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
      - rfkill                 #   87kB download: RasPiOS installs this regardless -- enable & disable wireless devices
      - wireless-tools         #  112kB download: RasPiOS installs this regardless -- manipulate Linux Wireless Extensions
      - wpasupplicant          # 1188kB download: RasPiOS installs this regardless -- client library for connections to a WiFi AP
@ -44,7 +47,7 @@
 # Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
+- name: "4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
    name: "{{ item.name }}"
    value: "{{ item.value }}"
@ -52,10 +55,34 @@
    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
    - { name: 'kernel.core_uses_pid', value: '1' }
    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
 # UNMAINTAINED
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
  when: named_install is defined and named_install
 # UNMAINTAINED
 - name: Install dhcpd
  include_tasks: roles/network/tasks/dhcpd.yml
  when: dhcpd_install is defined and dhcpd_install
 # LESS MAINTAINED
 - name: Install Squid
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install and squid_installed is undefined
 - name: "Set 'network_installed: True'"
  set_fact:
    network_installed: True
 - name: "Add 'network_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^network_installed'
    line: 'network_installed: True'
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@ -21,6 +21,28 @@
 - name: computed_network
  include_tasks: computed_network.yml
 - name: Install network packages (including many WiFi tools, and also iptables-persistent for firewall)
  include_tasks: install.yml
  when: network_install and network_installed is undefined
 - name: Create /usr/bin/iiab-hotspot-on from template
  template:
    src: hostapd/iiab-hotspot-on
    dest: /usr/bin/iiab-hotspot-on
    owner: root
    group: root
    mode: 0755
 - name: Create /usr/bin/iiab-hotspot-off from template
  template:
    src: hostapd/iiab-hotspot-off
    dest: /usr/bin/iiab-hotspot-off
    owner: root
    group: root
    mode: 0755
 - name: Configuring Network if enabled
  block:
  # - name: Configure wondershaper
  #   include_tasks: wondershaper.yml
  #   when: wondershaper_install or wondershaper_installed is defined
@ -77,3 +99,5 @@
  - name: Restart services
    include_tasks: restart.yml
  # end block
  when: network_installed is defined and network_enabled
--- a/roles/network/tasks/named.yml
+++ b/roles/network/tasks/named.yml
@ -58,8 +58,8 @@
    - { src: 'roles/network/templates/named/school.internal.zone.32.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.32.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
    - { src: 'roles/network/templates/named/school.internal.zone.48.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.48.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
 # the following two files are not writeable by named, but bind 9.4 cannot discover that fact correctly
-    - { src: 'roles/network/templates/named/school.internal.zone.db', dest: '/var/named-iiab/school.internal.zone.db', owner: "root", mode: '0644' }
+    - { src: 'roles/network/templates/named/school.internal.zone.db.j2', dest: '/var/named-iiab/school.internal.zone.db', owner: "root", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.local.zone.db', dest: '/var/named-iiab/school.local.zone.db', owner: "root", mode: '0644' }
+    - { src: 'roles/network/templates/named/school.local.zone.db.j2', dest: '/var/named-iiab/school.local.zone.db', owner: "root", mode: '0644' }
    - { src: 'roles/network/templates/named/school.internal.zone.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
    - { src: 'roles/network/templates/named/dummy', dest: '/var/named-iiab/data/dummy', owner: "{{ dns_user }}", mode: '0644' }
    - { src: 'roles/network/templates/named/named.blackhole', dest: '/var/named-iiab/named.blackhole', owner: "{{ dns_user }}", mode: '0644' }
--- a/roles/network/tasks/netplan.yml
+++ b/roles/network/tasks/netplan.yml
@ -59,14 +59,22 @@
  with_items:
    - "{{ netplan.stdout_lines }}"
- name: Replace networkd-dispatcher #2585 for "groovy"
+# 2022-06-30: Ubuntu Groovy (20.10) is ancient history but this code might now
-  get_url:
+# help Linux Mint ?
-    url: https://gitlab.com/craftyguy/networkd-dispatcher/-/raw/2.1/networkd-dispatcher
+#
-    dest: /usr/bin/networkd-dispatcher
+# 2022-05-29: @jvonau wrote on #3106 "networkd-dispatcher has a traceback,
-    timeout: "{{ download_timeout }}"
+# I suspect the cause is the same as found #2645, need to confirm the package
-  when: internet_available and fix_dispatcher and ansible_distribution_release == "groovy"
+# version installed with apt list networkd-dispatcher before suggesting the
-  # 2021-08-29 context from @jvonau: Fix is 'Groovy' specific, 21.04 and later
+# workaround be extended to LinuxMint"
-  # should have the fix baked into a newer apt package installed by default.
+#
 # - name: Replace networkd-dispatcher #2585 for "groovy"
 #   get_url:
 #     url: https://gitlab.com/craftyguy/networkd-dispatcher/-/raw/2.1/networkd-dispatcher
 #     dest: /usr/bin/networkd-dispatcher
 #     timeout: "{{ download_timeout }}"
 #   when: iiab_stage|int < 9 and fix_dispatcher and ansible_distribution_release == "groovy"
 #   # 2021-08-29 context from @jvonau: Fix is 'Groovy' specific, 21.04 and later
 #   # should have the fix baked into a newer apt package installed by default.
 #- name: Supply netplan template
 #  template:
--- a/roles/network/templates/dhcp/dhcpd-iiab.conf.j2
+++ b/roles/network/templates/dhcp/dhcpd-iiab.conf.j2
@ -5,15 +5,17 @@ ddns-update-style interim;
 #ignore client-updates;
 option domain-name "{{ iiab_domain }}";
-option domain-name-servers      172.18.96.1;
+option domain-name-servers      {{ lan_ip }};
-option ntp-servers		172.18.96.1;
+option ntp-servers              {{ lan_ip }};
 {% if network_172 %}
 subnet 172.18.96.0 netmask 255.255.224.0 {
    {% if iiab_network_mode == "Gateway" %}
-	option routers			172.18.96.1;
+    option routers               {{ lan_ip }};
    {% endif %}
    option subnet-mask           255.255.224.0;
    option broadcast-address     172.18.127.255;
    # Description of network allocations in old OLPC school server
    # this is the whole range we have available - 8K addresses
    # range                      172.18.96.2 172.18.127.254;
    # instead, we'll save 510 addresses for later.
@ -29,3 +31,18 @@ subnet 172.18.96.0 netmask 255.255.224.0 {
    default-lease-time      10800;
    max-lease-time          21600;
 }
 {% else %}
 subnet 10.10.10.0 netmask 255.255.255.0 {
    {% if iiab_network_mode == "Gateway" %}
    option routers               {{ lan_ip }};
    {% endif %}
    option subnet-mask           255.255.255.0;
    option broadcast-address     10.10.10.255;
    range                        10.10.10.11 10.10.10.254;
    # As this subnet is wired or wifi a/b/g, these lease
    #    times are on the long side
    default-lease-time      10800;
    max-lease-time          21600;
 }
 {% endif %}
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@ -64,7 +64,7 @@ echo "iiab_gateway_enabled: $iiab_gateway_enabled"
 echo
 #network_mode=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'`
 #echo -e "Network Mode: $network_mode\n"
-lan_ip=$(iiab_var_value lan_ip)    # 172.18.96.1
+lan_ip=$(iiab_var_value lan_ip)    # e.g. 10.10.10.10
 ports_externally_visible=$(iiab_var_value ports_externally_visible)
 gw_block_https=$(iiab_var_value gw_block_https)
--- a/roles/network/templates/named/school.internal.zone.db
+++ b/roles/network/templates/named/school.internal.zone.db
@ -1,27 +0,0 @@
@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.
 {{ iiab_hostname }}	IN	A	172.18.96.1
 schoolserver	IN	A	172.18.96.1
 school		IN	A	172.18.96.1
 www		IN	A	172.18.96.1
 ntp		IN	A	172.18.96.1
 time		IN	A	172.18.96.1
 presence	IN	A	172.18.96.1
 xs		IN	A	172.18.96.1
 library		IN	A	172.18.96.1
 box		IN	A	172.18.96.1
 conference.schoolserver	IN	A	172.18.96.1
 ; translations of school - in plain latin script
 ; or un punycode of the utf-8 representation
 ; es - escuela
 escuela         IN      CNAME       school
 ; de - schule
 schule          IN      CNAME       school
--- a/roles/network/templates/named/school.internal.zone.db.j2
+++ b/roles/network/templates/named/school.internal.zone.db.j2
@ -0,0 +1,27 @@
@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.
 {{ iiab_hostname }}	IN	A	{{ lan_ip }}
 schoolserver	IN	A	{{ lan_ip }}
 school		IN	A	{{ lan_ip }}
 www		IN	A	{{ lan_ip }}
 ntp		IN	A	{{ lan_ip }}
 time		IN	A	{{ lan_ip }}
 presence	IN	A	{{ lan_ip }}
 xs		IN	A	{{ lan_ip }}
 library		IN	A	{{ lan_ip }}
 box		IN	A	{{ lan_ip }}
 conference.schoolserver	IN	A	{{ lan_ip }}
 ; translations of school - in plain latin script
 ; or un punycode of the utf-8 representation
 ; es - escuela
 escuela         IN      CNAME       school
 ; de - schule
 schule          IN      CNAME       school
--- a/roles/network/templates/named/school.local.zone.db.j2
+++ b/roles/network/templates/named/school.local.zone.db.j2
@ -3,18 +3,18 @@
@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.
-{{ iiab_hostname }}	IN	A	172.18.96.1
+{{ iiab_hostname }}	IN	A	{{ lan_ip }}
-schoolserver	IN	A	172.18.96.1
+schoolserver	IN	A	{{ lan_ip }}
-school		IN	A	172.18.96.1
+school		IN	A	{{ lan_ip }}
-www		IN	A	172.18.96.1
+www		IN	A	{{ lan_ip }}
-ntp		IN	A	172.18.96.1
+ntp		IN	A	{{ lan_ip }}
-time		IN	A	172.18.96.1
+time		IN	A	{{ lan_ip }}
-presence	IN	A	172.18.96.1
+presence	IN	A	{{ lan_ip }}
-xs		IN	A	172.18.96.1
+xs		IN	A	{{ lan_ip }}
-library		IN	A	172.18.96.1
+library		IN	A	{{ lan_ip }}
-box		IN	A	172.18.96.1
+box		IN	A	{{ lan_ip }}
-conference.schoolserver	IN	A	172.18.96.1
+conference.schoolserver	IN	A	{{ lan_ip }}
 ; translations of school - in plain latin script
--- a/roles/network/templates/network/bridge-br0
+++ b/roles/network/templates/network/bridge-br0
@ -6,7 +6,11 @@ interface-name=br0
 permissions=
 [ipv4]
 {% if network_172 %}
 address1={{ lan_ip }}/19
 {% else %}
 address1={{ lan_ip }}/24
 {% endif %}
 dns-search={{ iiab_domain }}
 method=manual
--- a/roles/network/templates/network/dhcpcd.conf.j2
+++ b/roles/network/templates/network/dhcpcd.conf.j2
@ -58,7 +58,11 @@ denyinterfaces {{ iiab_wired_lan_iface }}
 {% if dhcpcd_result == "enabled" and iiab_lan_iface != "none" %}
 interface {{ iiab_lan_iface }}
 {% if network_172 %}
 static ip_address={{ lan_ip }}/19
 {% else %}
 static ip_address={{ lan_ip }}/24
 {% endif %}
 static domain_name_servers=127.0.0.1
 {% endif %}
--- a/roles/network/templates/network/dnsmasq.conf.j2
+++ b/roles/network/templates/network/dnsmasq.conf.j2
@ -18,7 +18,12 @@ addn-hosts=/etc/hosts.dnsmasq
 expand-hosts
 # Specify the range of IP addresses the DHCP server will lease out to devices, and the duration of the lease
 {% if network_172 %}
 dhcp-range=172.18.100.1,172.18.126.254,1h
 {% else %}
 dhcp-range=10.10.10.11,10.10.10.254,1h
 {% endif %}
 # Specify the default route
 dhcp-option=3,{{ lan_ip }}
 # Specify the DNS server address
--- a/roles/network/templates/network/systemd-br0-network.j2
+++ b/roles/network/templates/network/systemd-br0-network.j2
@ -3,7 +3,11 @@
 Name=br0
 [Network]
 {% if network_172 %}
 Address={{ lan_ip }}/19
 {% else %}
 Address={{ lan_ip }}/24
 {% endif %}
 LinkLocalAddressing=no
 ConfigureWithoutCarrier=yes
 RequiredForOnline=degraded-carrier
--- a/roles/nextcloud/README.md
+++ b/roles/nextcloud/README.md
@ -1,6 +1,6 @@
 # Nextcloud README
-Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org).
+Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](https://internet-in-a-box.org).
 This Ansible playbook was derived from an earlier ownCloud playbook thanks to [Josh Dennis](https://github.com/floydianslips) in 2016/2017.
@ -43,7 +43,7 @@ Useful PHP recommendations for these settings (while largely tailored to WordPre
 ## Using It
-Log in to Nextcloud at http://box/nextcloud, http://box.lan/nextcloud, http://172.18.96.1/nextcloud (or similar) using:
+Log in to Nextcloud at http://box/nextcloud, http://box.lan/nextcloud, http://10.10.10.10/nextcloud (or similar) using:
    Username: Admin
    Password: changeme
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@ -14,7 +14,7 @@
 # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
 # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
 # The following line can avoid that: (but might install an older Nextcloud!)
-# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
+# nextcloud_dl_url: https://d.iiab.io/packages/latest.tar.bz2
 nextcloud_dl_url: https://download.nextcloud.com/server/releases/latest.tar.bz2
 nextcloud_url: /nextcloud
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -19,15 +19,15 @@
    quiet: yes
 - block:
  - name: Install Nextcloud if 'nextcloud_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: nextcloud_installed is undefined
  - name: Enable/Disable/Restart NGINX
    include_tasks: nginx.yml
  - name: Add 'nextcloud' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -53,3 +53,10 @@
        value: "{{ nextcloud_root_dir }}"
      - option: nextcloud_data_dir
        value: "{{ nextcloud_data_dir }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -35,7 +35,7 @@
      * usb_lib
      * wordpress
-   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
+   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
      * **NONE: Apache support is now fully REMOVED as of 2021-08-08** ([PR #2850](https://github.com/iiab/iiab/pull/2850))
--- a/roles/nodejs/tasks/main.yml
+++ b/roles/nodejs/tasks/main.yml
@ -35,11 +35,12 @@
    var: nodejs_installed
 - block:
  - name: Install Node.js if 'nodejs_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: nodejs_installed is undefined
  - name: Add 'nodejs' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -55,3 +56,10 @@
        value: "{{ nodejs_install }}"
      - option: nodejs_enabled
        value: "{{ nodejs_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/nodered/tasks/main.yml
+++ b/roles/nodered/tasks/main.yml
@ -19,14 +19,14 @@
    quiet: yes
 - block:
  - name: Install Node-RED if nodered_installed is not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: nodered_installed is undefined
  - include_tasks: enable-or-disable.yml
  - name: Add 'nodered' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@ -42,3 +42,10 @@
        value: "{{ nodered_install }}"
      - option: nodered_enabled
        value: "{{ nodered_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/osm-vector-maps/defaults/main.yml
+++ b/roles/osm-vector-maps/defaults/main.yml
@ -15,8 +15,8 @@ maps_branch: master    # Quotes not required
 #maps_branch: maps7.3
 # 2022-04-30 -- Bluehost (timmoody.com) has become extremely slow!
-#map_installer_url: http://timmoody.com/iiab-files/maps
+#map_installer_url: https://timmoody.com/iiab-files/maps
-map_installer_url: http://download.iiab.io/content/OSM/vector-tiles
+map_installer_url: https://download.iiab.io/content/OSM/vector-tiles
 installer_planet: planet_z0-z6_2020.mbtiles
 installer_satellite: satellite_z0-z6_2020.mbtiles
@ -29,4 +29,4 @@ archive_org_url: https://archive.org/download
 # 2022-04-30 -- Unused, but URL illustrates legacy approach:
-#iiab_map_url: http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
+#iiab_map_url: https://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
--- a/roles/osm-vector-maps/tasks/install.yml
+++ b/roles/osm-vector-maps/tasks/install.yml
@ -79,7 +79,7 @@
 - name: Download 48MB {{ map_installer_url }}/{{ installer_planet }} to {{ vector_map_path }}/installer/ -- for map installer
  get_url:
-    url: "{{ map_installer_url }}/{{ installer_planet }}"    # e.g. http://download.iiab.io/content/OSM/vector-tiles + / + planet_z0-z6_2020.mbtiles
+    url: "{{ map_installer_url }}/{{ installer_planet }}"    # e.g. https://download.iiab.io/content/OSM/vector-tiles + / + planet_z0-z6_2020.mbtiles
    dest: "{{ vector_map_path }}/installer/"
    timeout: "{{ download_timeout }}"
--- a/roles/osm-vector-maps/tasks/main.yml
+++ b/roles/osm-vector-maps/tasks/main.yml
@ -11,15 +11,14 @@
    quiet: yes
 - block:
  - name: Install OSM Vector Maps if 'osm_vector_maps_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: osm_vector_maps_installed is undefined
  - name: Enable/Disable/Reload NGINX for OSM, if nginx_enabled
    include_tasks: nginx.yml
  #when: nginx_enabled    # NGINX is mandatory starting with IIAB 7.2
  - name: Add 'osm-vector-maps' variable values to {{ iiab_ini_file }}
    ini_file:
@ -36,3 +35,10 @@
        value: "{{ osm_vector_maps_install }}"
      - option: osm_vector_maps_enabled
        value: "{{ osm_vector_maps_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/pbx/README.adoc
+++ b/roles/pbx/README.adoc
@ -28,7 +28,7 @@ https://en.wikipedia.org/wiki/FreePBX[FreePBX] is a web-based open source GUI (g
 == Install it
-. As you begin installing Internet-in-a-Box (IIAB) from http://download.iiab.io[download.iiab.io], it will prompt you:
+. As you begin installing Internet-in-a-Box (IIAB) from https://download.iiab.io[download.iiab.io], it will prompt you:
 +
 ----
 Edit /etc/iiab/local_vars.yml to customize your Internet-in-a-Box? [Y/n]
@ -293,7 +293,7 @@ _If there's a bug or serious problem with IIAB, please do https://internet-in-a-
 +
 If not, the link:tasks/freepbx.yml#L175-L187[configuration of /var/lib/php/asterisk_sessions/] might be made conditional upon `when: not pbx_use_apache`
-. The link:tasks/freepbx.yml#L214-L221[installation of /etc/odbc.ini] for CDR (Call Detail Records) database `asteriskcdrdb` might benefit from compiling the ODBC driver for aarch64, per http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html ?
+. The link:tasks/freepbx.yml#L214-L221[installation of /etc/odbc.ini] for CDR (Call Detail Records) database `asteriskcdrdb` might benefit from compiling the ODBC driver for aarch64, per https://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html ?
 +
 See the output of `asterisk -rx "cdr show status"` as mentioned at https://github.com/iiab/iiab/pull/2938#issuecomment-898693126[#2938] and https://github.com/iiab/iiab/pull/2942[PR #2942].
@ -318,7 +318,7 @@ In February 2019, this https://github.com/iiab/iiab/tree/master/roles/pbx[roles/
 In August 2021 it was overhauled, with thanks to these 3 sources especially:
 * "Official" recipe: https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9
-* Comprehensive & recent recipe for Raspberry Pi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
+* Comprehensive & recent recipe for Raspberry Pi: https://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
 * Popular but dated recipe: https://computingforgeeks.com/how-to-install-asterisk-16-with-freepbx-15-on-ubuntu-debian/
 In May 2022, installation of FreePBX was made more resilient in https://github.com/iiab/iiab/pull/3229[PR #3229] thanks to:
--- a/roles/pbx/defaults/main.yml
+++ b/roles/pbx/defaults/main.yml
@ -21,11 +21,11 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
-asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk
+asterisk_url: https://downloads.asterisk.org/pub/telephony/asterisk
 asterisk_src_file: asterisk-19-current.tar.gz
 asterisk_src_dir: "{{ iiab_base }}/asterisk"    # /opt/iiab
-# freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/7.4
+# freepbx_url: https://mirror.freepbx.org/modules/packages/freepbx/7.4
 # freepbx_src_file: freepbx-16.0-latest.tgz    # 2022-05-25 #3228: Filename has become bogus (as it's not really the latest!)  Manually unpacking the latest .tar.gz for FreePBX 16.x from https://github.com/FreePBX/framework/tags to /opt/iiab/freepbx can work if absolutely nec.
 freepbx_git_url: https://github.com/FreePBX/framework
 freepbx_git_branch: release/16.0    # EMERGING OPTION AS OF MAY 2022: https://github.com/FreePBX/framework/tree/release/17.0
--- a/roles/pbx/tasks/chan_dongle.yml
+++ b/roles/pbx/tasks/chan_dongle.yml
@ -1,4 +1,4 @@
-# RPi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
+# RPi: https://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
 - name: chan_dongle - Download {{ chan_dongle_url }}/{{ chan_dongle_src_file }} to {{ downloads_dir }}
  get_url:
--- a/Show more
+++ b/Show more
`@ -54,4 +54,4 @@ Install our latest pre-release using the 1-line installer at: [**download.iiab.i`

	`You can also consider <!--latest Internet-in-a-Box (IIAB)--> earlier official releases at: [github.com/iiab/iiab/releases](https://github.com/iiab/iiab/releases)`	`You can also consider <!--latest Internet-in-a-Box (IIAB)--> earlier official releases at: [github.com/iiab/iiab/releases](https://github.com/iiab/iiab/releases)`

	`For much older versions, see: [github.com/xsce](http://github.com/xsce), [schoolserver.org](http://schoolserver.org)`	`For much older versions, see: [github.com/xsce](https://github.com/xsce), [schoolserver.org](http://schoolserver.org)`
`@ -1,4 +1,4 @@`
	`_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](http://wiki.laptop.org/go/IIAB/FAQ#Captive_Portal_Administration:_What_tips_.26_tricks_exist.3F)_`	`_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](https://wiki.iiab.io/go/FAQ#Captive_Portal_Administration:_What_tips_&_tricks_exist%3F)_`

	`## Theory of Operation`	`## Theory of Operation`
`@ -74,4 +74,4 @@ _WARNING: If on login users see "500 : Internal Server Error", you may need to r`

	`While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.`	`While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.`

	`He explains PAWS as a "powerful Python execution environment http://paws.wmcloud.org [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."`	`He explains PAWS as a "powerful Python execution environment https://paws.wmcloud.org = https://wikitech.wikimedia.org/wiki/PAWS [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."`