Merge branch 'master' into cwivagg/matomo_20220618

2025-03-09 15:40:17 +00:00 · 2022-07-12 09:29:09 -04:00 · 2022-07-12 09:29:09 -04:00 · 14b202d095
commit 14b202d095
parent 594386073a 767ee485ca
148 changed files with 1922 additions and 1442 deletions
--- a/README.md
+++ b/README.md
@ -54,4 +54,4 @@ Install our latest pre-release using the 1-line installer at: [**download.iiab.i
 You can also consider <!--latest Internet-in-a-Box (IIAB)--> earlier official releases at: [github.com/iiab/iiab/releases](https://github.com/iiab/iiab/releases)
-For much older versions, see: [github.com/xsce](http://github.com/xsce), [schoolserver.org](http://schoolserver.org)
+For much older versions, see: [github.com/xsce](https://github.com/xsce), [schoolserver.org](http://schoolserver.org)
--- a/iiab-from-cmdline.yml
+++ b/iiab-from-cmdline.yml
@ -3,10 +3,10 @@
  become: yes
  vars_files:
-  - vars/default_vars.yml
+    - vars/default_vars.yml
-  - vars/{{ ansible_local.local_facts.os_ver }}.yml
+    - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - /etc/iiab/local_vars.yml
+    - /etc/iiab/local_vars.yml
-  - /etc/iiab/iiab_state.yml
+    - /etc/iiab/iiab_state.yml
  roles:
    - { role: 0-init }
--- a/iiab-from-console.yml
+++ b/iiab-from-console.yml
@ -3,10 +3,10 @@
  become: yes
  vars_files:
-  - vars/default_vars.yml
+    - vars/default_vars.yml
-  - vars/{{ ansible_local.local_facts.os_ver }}.yml
+    - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - /etc/iiab/local_vars.yml
+    - /etc/iiab/local_vars.yml
-  - /etc/iiab/iiab_state.yml
+    - /etc/iiab/iiab_state.yml
  roles:
    - { role: 0-init }
--- a/88
+++ b/88
@ -1,17 +1,57 @@
 #!/bin/bash -e
 # Running from a git repo
 # Add cmdline options for passing to ansible
 # Todo add proper shift to gobble up --debug --reinstall
 PLAYBOOK=iiab-stages.yml
 INVENTORY=ansible_hosts
 IIAB_STATE_FILE=/etc/iiab/iiab_state.yml
-ARGS=""
+ARGS="--extra-vars {"    # Needs boolean not string so use JSON list.  bash forces {...} to '{...}' for Ansible
 CWD=`pwd`
 OS=`grep ^ID= /etc/os-release | cut -d= -f2`
-OS=${OS//\"/}
+OS=${OS//\"/}    # Remove all '"'
 MIN_RPI_KERN=5.4.0        # Do not use 'rpi-update' unless absolutely necessary: https://github.com/iiab/iiab/issues/1993
-MIN_ANSIBLE_VER=2.11.6    # Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
+MIN_ANSIBLE_VER=2.12.7    # Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
 REINSTALL=false
 DEBUG=false
 SKIP_ROLE_ON_ERROR=false
 usage() {
    echo -e "\n\e[1mUse './iiab-install' for regular installs, or to continue an install."
    echo -e "Use './iiab-install --risky' to force 'skip_role_on_error: True'"
    echo -e "Use './iiab-install --reinstall' to force running all Stages 0-9, followed by the Network Role."
    echo -e "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9, followed by the Network Role."
    echo -e "Use './iiab-configure' to run Stage 0, followed by Stages 4-9."
    echo -e "Use './runrole' to run Stage 0, followed by a single Stage or Role."
    echo -e "Use './iiab-network' to run Stage 0, followed by the Network Role.\e[0m\n"
 }
 # https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash/14203146#14203146
 while [[ $# -gt 0 ]]; do
    case $1 in
        --reinstall)
            REINSTALL=true
            shift
            ;;
        --debug)
            DEBUG=true
            shift
            ;;
        -r|--risky)
            SKIP_ROLE_ON_ERROR=true
            shift
            ;;
        *)
            usage
            exit 1
            ;;
    esac
 done
 ARGS="$ARGS\"skip_role_on_error\":$SKIP_ROLE_ON_ERROR"    # Needs boolean not
 # string so use JSON list.  Ansible permits these boolean values: (refresher)
 # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/validate_vars.yml#L19-L43
 if [ ! -f /etc/iiab/local_vars.yml ]; then
@ -27,11 +67,11 @@ if [ ! -f /etc/iiab/local_vars.yml ]; then
    echo -e "\nEXITING: /opt/iiab/iiab/iiab-install REQUIRES /etc/iiab/local_vars.yml\n" >&2
-    echo -e "(1) Please read http://wiki.laptop.org/go/IIAB/local_vars.yml to learn more" >&2
+    echo -e "(1) See http://FAQ.IIAB.IO -> What is local_vars.yml and how do I customize it?" >&2
-    echo -e "(2) MIN/MEDIUM/BIG samples are included in /opt/iiab/iiab/vars" >&2
+    echo -e "(2) SMALL/MEDIUM/LARGE samples are included in /opt/iiab/iiab/vars" >&2
    echo -e "(3) NO TIME FOR DETAILS?  RUN INTERNET-IN-A-BOX'S FRIENDLY 1-LINE INSTALLER:\n" >&2
-    echo -e '    http://download.iiab.io\n' >&2
+    echo -e '    https://download.iiab.io\n' >&2
    exit 1
 fi
@ -57,16 +97,6 @@ if [ ! -f $PLAYBOOK ]; then
    exit 1
 fi
 if [ "$1" != "--debug" ] && [ "$1" != "--reinstall" ] && [ "$1" != "" ]; then
    echo "Use './iiab-install' for regular installs, or to continue an install."
    echo "Use './iiab-install --reinstall' to force running all Stages 0-9, followed by the Network Role."
    echo "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9, followed by the Network Role."
    echo "Use './iiab-configure' to run Stage 0, followed by Stages 4-9."
    echo "Use './runrole' to run Stage 0, followed by a single Stage or Role."
    echo "Use './iiab-network' to run Stage 0, followed by the Network Role."
    exit 1
 fi
 # Subroutine compares software version numbers.  Generates rare false positives
 # like "1.0 > 1" and "2.4.0 > 2.4".  Avoid risks by structuring conditionals w/
 # a consistent # of decimal points e.g. "if version_gt w.x.y.z a.b.c.d; then"
@ -125,27 +155,23 @@ if [ -f /etc/iiab/iiab.env ]; then
        fi
    fi
-    if [ "$1" == "--reinstall" ]; then
+    if $($REINSTALL); then
        STAGE=0
-        ARGS="$ARGS"" --extra-vars reinstall=True"
+        #ARGS="$ARGS"" --extra-vars reinstall=True"
        ARGS="$ARGS,\"reinstall\":True"    # Needs boolean not string so use JSON list
        sed -i 's/^STAGE=.*/STAGE=0/' /etc/iiab/iiab.env
        echo "Wrote STAGE=0 (counter) to /etc/iiab/iiab.env"
-    elif [ "$STAGE" -ge 2 ] && [ "$1" == "--debug" ]; then
+    elif [ "$STAGE" -ge 2 ] && $($DEBUG); then
        STAGE=2
        sed -i 's/^STAGE=.*/STAGE=2/' /etc/iiab/iiab.env
        echo "Wrote STAGE=2 (counter) to /etc/iiab/iiab.env"
    elif [ "$STAGE" -eq 9 ]; then
-        echo -e "\nEXITING: STAGE (counter) in /etc/iiab/iiab.env shows Stage 9 Is Already Done."
+        echo -e "\n\e[1mEXITING: STAGE (counter) in /etc/iiab/iiab.env shows Stage 9 Is Already Done.\e[0m"
-        echo -e "Use './iiab-install --reinstall' to force running all Stages 0-9, followed by the Network Role."
+        usage
-        echo -e "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9, followed by the Network Role."
+        exit 0    # Allows rerunning https://download.iiab.io/install.txt
        echo -e "Use './iiab-configure' to run Stage 0, followed by Stages 4-9."
        echo -e "Use './runrole' to run Stage 0, followed by a single Stage or Role."
        echo -e "Use './iiab-network' to run Stage 0, followed by the Network Role.\n\n"
        exit 0    # Allows rerunning http://download.iiab.io/install.txt
    fi
 fi
-if [ "$STAGE" -lt 2 ] && [ "$1" == "--debug" ]; then
+if [ "$STAGE" -lt 2 ] && $($DEBUG); then
    echo -e "\n'--debug' *ignored* as STAGE (counter) < 2."
 fi
@ -168,6 +194,8 @@ export ANSIBLE_LOG_PATH="$CWD""/iiab-install.log"
 ansible -m setup -i $INVENTORY localhost --connection=local | grep python
 ansible -m setup -i $INVENTORY localhost --connection=local >> /dev/null    # So vars are recorded in /opt/iiab/iiab/iiab-install.log
-ansible-playbook -i $INVENTORY $PLAYBOOK ${ARGS} --connection=local
+ARGS="$ARGS}"
 echo -e "\nNOW RUN: ansible-playbook -i $INVENTORY $PLAYBOOK $ARGS --connection=local\n"
 ansible-playbook -i $INVENTORY $PLAYBOOK $ARGS --connection=local
 echo -e "./iiab-install $* COMPLETED IN $CWD\n\n"
--- a/iiab-network.yml
+++ b/iiab-network.yml
@ -3,10 +3,10 @@
  become: yes
  vars_files:
-  - vars/default_vars.yml
+    - vars/default_vars.yml
-  - vars/{{ ansible_local.local_facts.os_ver }}.yml
+    - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - /etc/iiab/local_vars.yml
+    - /etc/iiab/local_vars.yml
-  - /etc/iiab/iiab_state.yml
+    - /etc/iiab/iiab_state.yml
  roles:
    - { role: 0-init }
--- a/iiab-stages.yml
+++ b/iiab-stages.yml
@ -3,11 +3,11 @@
  become: yes
  vars_files:
-  - roles/0-init/defaults/main.yml
+    - roles/0-init/defaults/main.yml
-  - vars/default_vars.yml
+    - vars/default_vars.yml
-  - vars/{{ ansible_local.local_facts.os_ver }}.yml
+    - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - /etc/iiab/local_vars.yml
+    - /etc/iiab/local_vars.yml
-  - /etc/iiab/iiab_state.yml
+    - /etc/iiab/iiab_state.yml
  tasks:
--- a/install-support.yml.unused
+++ b/install-support.yml.unused
@ -2,9 +2,9 @@
  become: yes
  vars_files:
-  - vars/default_vars.yml
+    - vars/default_vars.yml
-  - vars/{{ ansible_local.local_facts.os_ver }}.yml
+    - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - /etc/iiab/local_vars.yml
+    - /etc/iiab/local_vars.yml
  roles:
    - { role: 0-init }
--- a/roles/0-init/defaults/main.yml
+++ b/roles/0-init/defaults/main.yml
@ -23,14 +23,6 @@
 # ...after it is set in 0-init/tasks/main.yml
 first_run: False
 rpi_model: none                 # 2021-07-30: Broadly used!
 #xo_model: none                 # 2021-07-30: No longer used
 # 2021-07-30: Recorded to /etc/iiab/iiab.ini but not used programmatically:
 gw_active: False
 # 2021-07-30: Broadly used, but not in an organized way -- most all IIAB
 # outfitting/provisioning happens online -- in situations where connectivity
 # failures should be reported to the operator, rather than papered over:
 internet_available: False
 discovered_wan_iface: none      # 2021-07-30: Very broadly used!
 # 2021-07-30: Barely used -- for {named, dhcpd, squid} in
 # roles/network/tasks/main.yml -- after being set in 0-init/tasks/network.yml
--- a/roles/0-init/tasks/create_iiab_ini.yml
+++ b/roles/0-init/tasks/create_iiab_ini.yml
@ -29,14 +29,16 @@
      value: "{{ ansible_architecture }}"
    - option: iiab_base_ver
      value: "{{ iiab_base_ver }}"
    - option: iiab_remote_url
      value: "{{ ansible_local.local_facts.iiab_remote_url }}"
    - option: iiab_branch
      value: "{{ ansible_local.local_facts.iiab_branch }}"
    - option: iiab_commit
      value: "{{ ansible_local.local_facts.iiab_commit }}"
    - option: iiab_recent_tag
      value: "{{ ansible_local.local_facts.iiab_recent_tag }}"
    - option: install_date
      value: "{{ ansible_date_time.iso8601 }}"
    #- option: xo_model
    #  value: "{{ xo_model }}"
    - option: rpi_model
      value: "{{ rpi_model }}"
    - option: devicetree_model
--- a/roles/0-init/tasks/hostname.yml
+++ b/roles/0-init/tasks/hostname.yml
@ -1,3 +1,8 @@
 - name: "Set 'iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}'"
  set_fact:
    iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
    FQDN_changed: False
 - name: Does /etc/cloud/cloud.cfg exist e.g. is this Ubuntu Server 18+ ?
  stat:
    path: /etc/cloud/cloud.cfg
@ -17,16 +22,10 @@
  # 2021-08-31: Periods in /etc/hostname fail with some WiFi routers (#2904)
  # command: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
-#- name: Install /etc/sysconfig/network from template (redhat)
+# 2022-07-11: Should the first entry match just hostname and domain move to
-#  template:
+# after localhost?  See PR's #1 & #8 -- with discussion on #3302 -- and also:
-#    src: roles/network/templates/network/sysconfig.network.j2
+# 1. /etc/hosts    -- #1815 solved by PR #1847
-#    dest: /etc/sysconfig/network
+# 2. /etc/hostname -- #2904 solved by PR #2973
 #    owner: root
 #    group: root
 #    mode: 0644
 #  when: is_redhat
 # roles/network/tasks/hosts.yml [no longer in use] ALSO did this:
 - name: 'Put FQDN & hostnames in /etc/hosts: "127.0.0.1 {{ iiab_hostname }}.{{ iiab_domain }} localhost.localdomain localhost {{ iiab_hostname }} box box.lan"'
  lineinfile:
    path: /etc/hosts
@ -36,6 +35,14 @@
    #group: root
    #mode: 0644
 # 2021-07-30: FQDN_changed isn't used as in the past -- its remaining use is
 # for {named, dhcpd, squid} in roles/network/tasks/main.yml -- possibly it
 # should be reconsidered?  See PR #2876: roles/network might become optional?
 - name: "Also set 'FQDN_changed: True' -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
  set_fact:
    FQDN_changed: True
  when: iiab_fqdn != ansible_fqdn
 #- name: Re-configuring httpd - not initial install
 #  include_tasks: roles/httpd/tasks/main.yml
 #  when: iiab_stage|int > 3
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -11,14 +11,8 @@
  set_fact:
    rpi_model: "{{ ansible_local.local_facts.rpi_model }}"
    devicetree_model: "{{ ansible_local.local_facts.devicetree_model }}"
    #xo_model: "{{ ansible_local.local_facts.xo_model }}"
    iiab_stage: "{{ ansible_local.local_facts.stage }}"
 # 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
 #- name: Re-read local_facts.facts from /etc/ansible/facts.d
 #  setup:
 #    filter: ansible_local
 # Initialize /etc/iiab/iiab.ini writing the 'location' and 'version' sections
 # once and only once, to preserve the install date and git hash.
 - name: Create {{ iiab_ini_file }}, if it doesn't exist
@ -27,9 +21,9 @@
 # 2021-07-30: The 'first_run' flag isn't much used anymore.  In theory it's
 # still used in these 2 places:
-#   (1) roles/1-prep/tasks/main.yml for raspberry_pi.yml
+#   (1) roles/1-prep/tasks/hardware.yml for raspberry_pi.yml
 #   (2) roles/network/tasks/named.yml for "Stop named before copying files"
-# In practice however, it's no longer important, and might be reconsidered?
+# This needs to be reworked for 0-init speed, and overall understandability.
 - name: Set first_run flag
  set_fact:
    first_run: True
@ -38,11 +32,14 @@
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
- name: Copy /opt/iiab/iiab/scripts/iiab-diagnostics to /usr/bin/iiab-diagnostics
+- name: Copy iiab-summary & iiab-diagnostics from /opt/iiab/iiab/scripts/ to /usr/bin/
  copy:
-    src: "{{ iiab_dir }}/scripts/iiab-diagnostics"
+    src: "{{ iiab_dir }}/scripts/{{ item }}"
    dest: /usr/bin/
    mode: '0755'
  with_items:
    - iiab-summary
    - iiab-diagnostics
 - name: Create globally-writable directory /etc/iiab/diag (0777) so non-root users can run 'iiab-diagnostics'
  file:
@ -57,9 +54,8 @@
 - name: "Time Zone / TZ: Set symlink /etc/localtime to UTC if it doesn't exist?"
  include_tasks: tz.yml
- name: Test Gateway + Test Internet + Set new hostname/domain (hostname.yml) if nec + Set 'gui_port' to 80 or 443 for Admin Console
+- name: Set hostname / domain (etc) in various places
-  include_tasks: network.yml
+  include_tasks: hostname.yml
 - name: Add 'runtime' variable values to {{ iiab_ini_file }}
  ini_file:
@ -74,10 +70,14 @@
      value: "{{ iiab_base_ver }}"
    - option: iiab_revision
      value: "{{ iiab_revision }}"
    - option: iiab_remote_url
      value: "{{ ansible_local.local_facts.iiab_remote_url }}"
    - option: runtime_branch
      value: "{{ ansible_local.local_facts.iiab_branch }}"
    - option: runtime_commit
      value: "{{ ansible_local.local_facts.iiab_commit }}"
    - option: iiab_recent_tag
      value: "{{ ansible_local.local_facts.iiab_recent_tag }}"
    - option: runtime_date
      value: "{{ ansible_date_time.iso8601 }}"
    - option: ansible_version
@ -88,10 +88,6 @@
      value: "{{ ansible_memtotal_mb }}"
    - option: swap_mb
      value: "{{ ansible_swaptotal_mb }}"
    - option: gw_active
      value: "{{ gw_active }}"
    - option: internet_available
      value: "{{ internet_available }}"
    - option: rpi_model
      value: "{{ rpi_model }}"
    - option: devicetree_model
@ -102,10 +98,6 @@
      value: "{{ local_tz }}"
    - option: etc_localtime.stdout    # e.g. 'America/New_York' direct from symlink /etc/localtime -- or '' if /etc/localtime doesn't exist
      value: "{{ etc_localtime.stdout }}"
    #- option: no_NM_reload
    #  value: "{{ no_NM_reload }}"
    #- option: is_F18
    #  value: "{{ is_F18 }}"
    - option: FQDN_changed
      value: "{{ FQDN_changed }}"
--- a/roles/0-init/tasks/network.yml
+++ b/roles/0-init/tasks/network.yml
@ -1,74 +0,0 @@
 - name: Do we have a gateway? If 'ip route' specifies a default route, Ansible parses details here...
  debug:
    var: ansible_default_ipv4
 - name: "If above ansible_default_ipv4.gateway is defined, set WAN candidate 'discovered_wan_iface: {{ ansible_default_ipv4.alias }}' -- using ansible_default_ipv4.alias"
  set_fact:
    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
  when: ansible_default_ipv4.gateway is defined
 - name: "Verify gateway active: ping -c4 {{ ansible_default_ipv4.gateway }} -- using ansible_default_ipv4.gateway"
  shell: ping -c4 "{{ ansible_default_ipv4.gateway }}" | grep icmp_seq=4 | wc -l
  register: gw_active_test
  when: discovered_wan_iface != "none"
 - name: "If gateway responded, set 'gw_active: True' and 'iiab_wan_iface: {{ discovered_wan_iface }}' -- using discovered_wan_iface"
  set_fact:
    iiab_wan_iface: "{{ discovered_wan_iface }}"
    gw_active: True
  when: discovered_wan_iface != "none" and gw_active_test.stdout == "1"
 - name: 'Test for Internet access, using: {{ iiab_download_url }}/heart-beat.txt'
  get_url:
    url: "{{ iiab_download_url }}/heart-beat.txt"
    dest: /tmp/heart-beat.txt
    #timeout: "{{ download_timeout }}"
    # @jvonau recommends: 100sec is too much (keep 10sec default)
  ignore_errors: True
  #async: 10
  #poll: 2
  register: internet_access_test
 - name: "Set 'internet_available: True' if above download succeeded AND not disregard_network"
  set_fact:
    internet_available: True    # Initialized to 'False' in 0-init/defaults/main.yml
  when: not internet_access_test.failed and not disregard_network
 - name: Remove downloaded Internet test file /tmp/heart-beat.txt
  file:
    path: /tmp/heart-beat.txt
    state: absent
 - name: "Set 'iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}'"
  set_fact:
    iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
    FQDN_changed: False
 - name: Set hostname / domain (etc) in various places -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})
  include_tasks: hostname.yml
  when: iiab_fqdn != ansible_fqdn
 # 2021-07-30: FQDN_changed isn't used as in the past -- its remaining use is
 # for {named, dhcpd, squid} in roles/network/tasks/main.yml -- possibly it
 # should be reconsidered?  See PR #2876: roles/network might become optional?
 - name: "Also set 'FQDN_changed: True' -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
  set_fact:
    FQDN_changed: True
  when: iiab_fqdn != ansible_fqdn
 # 2021-08-17: (1) iiab-gen-iptables works better if gui_port is set directly in
 # default_vars.yml and/or local_vars.yml (2) Admin Console's iiab-admin.yml
 # and js-menu.yml set 'adm_cons_force_ssl: False'
 # - name: "Set 'gui_port: 80' for Admin Console if not adm_cons_force_ssl"
 #   set_fact:
 #     gui_port: 80
 #   when: not adm_cons_force_ssl
 # - name: "Set 'gui_port: 443' for Admin Console if adm_cons_force_ssl"
 #   set_fact:
 #     gui_port: 443
 #   when: adm_cons_force_ssl
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@ -63,7 +63,8 @@
 #
 # 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
- name: Set vars_checklist for 46 + 46 + 42 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+
 - name: Set vars_checklist for 45 + 45 + 41 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
  set_fact:
    vars_checklist:
      - hostapd
@ -123,6 +124,7 @@
      - calibreweb
      - calibre
      - pbx
      - network
 - name: Assert that {{ vars_checklist | length }} "XYZ_install" vars are all... defined
  assert:
--- a/roles/1-prep/tasks/hardware.yml
+++ b/roles/1-prep/tasks/hardware.yml
@ -14,7 +14,7 @@
 - name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6
  get_url:
-    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"    # http://download.iiab.io/packages
+    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"    # https://download.iiab.io/packages
    dest: /lib/firmware
    timeout: "{{ download_timeout }}"
  when: usb_NUC6.stdout|int > 0
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@ -23,9 +23,15 @@
    name: iiab-admin
  #when: iiab_admin_install    # Flag might be created in future?
- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
+- name: Copy iiab-apps-to-be-installed from {{ iiab_dir }} to /usr/bin/
-  include_tasks: roles/network/tasks/dnsmasq.yml
+  copy:
-  #when: dnsmasq_install    # Flag might be used in future?
+    src: "{{ iiab_dir }}/scripts/iiab-apps-to-be-installed"    # /opt/iiab/iiab
    dest: /usr/bin/
    mode: '0755'
 - name: Install ~12 network/wifi/related packages + Squid if necessary + configure /etc/sysctl.conf -- full configuration LATER in 'network', after Stage 9
  include_tasks: roles/network/tasks/install.yml
  when: network_install and network_installed is undefined
 - include_tasks: uuid.yml
 - include_tasks: ubermix.yml
@ -62,7 +68,10 @@
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
- name: Recording STAGE 1 HAS COMPLETED ============================
+- name: Install {{ iiab_env_file }} from template -- FYI this file can be run as a script if absolutely nec -- e.g. 'source /etc/iiab/iiab.env && echo $WWWROOT'
  template:
    src: roles/1-prep/templates/iiab.env.j2
-    dest: "{{ iiab_env_file }}"    # Can also be run as a script if absolutely nec, e.g. 'source /etc/iiab/iiab.env && echo $WWWROOT'
+    dest: "{{ iiab_env_file }}"
 - name: Recording STAGE 1 HAS COMPLETED ============================
  meta: noop
--- a/roles/2-common/tasks/fl.yml
+++ b/roles/2-common/tasks/fl.yml
@ -1,6 +1,6 @@
 # fl.yml signifies "file layout"
- name: "File Layout - Create directories: 1 in /etc, 1 in {{ py3_dist_path }}, 3 in {{ iiab_base }}, 17 in {{ content_base }}"    # iiab_base: /opt/iiab
+- name: "File Layout - Create directories: 1 in {{ py3_dist_path }}, 2 in {{ iiab_base }}, 17 in {{ content_base }}"    # iiab_base: /opt/iiab
  file:
    path: "{{ item }}"
    # owner: root
@ -8,9 +8,9 @@
    # mode: '0755'
    state: directory
  with_items:
-    - /etc/sysconfig/olpc-scripts/setup.d/installed/
+    #- /etc/sysconfig/olpc-scripts/setup.d/installed/
    - "{{ py3_dist_path }}/iiab"    # /usr/lib/python3/dist-packages
-    - "{{ yum_packages_dir }}"    # /opt/iiab/yum-packages
+    #- "{{ yum_packages_dir }}"    # /opt/iiab/yum-packages
    - "{{ pip_packages_dir }}"    # /opt/iiab/pip-packages
    - "{{ downloads_dir }}"    # /opt/iiab/downloads
    #- "{{ content_base }}/downloads"    # /library/downloads auto-created just below
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@ -8,8 +8,14 @@
 - include_tasks: packages.yml
- name: Install network packages (including many WiFi tools, and also iptables-persistent for firewall)
+- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' in /etc/sysctl.conf"
-  include_tasks: network.yml
+  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
    name: "{{ item.name }}"
    value: "{{ item.value }}"
  with_items:
    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
    - { name: 'kernel.core_uses_pid', value: '1' }
    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
 - include_tasks: iiab-startup.yml
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -16,12 +16,12 @@
      #- lynx              #  505kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
      #- make              #  376kB download: 2021-07-27: Currently used by roles/pbx and no other roles
      - mlocate            #   92kB download
-      #- ntfs-3g           #  379kB download: RaspiOS installs this regardless -- 2021-07-31: But this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
+      #- ntfs-3g           #  379kB download: RasPiOS installs this regardless -- 2021-07-31: But this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
      #- openssh-server    #  318kB download: RasPiOS installs this regardless -- this is also installed by 1-prep's roles/sshd/tasks/main.yml to cover all OS's
      - pandoc             #   19kB download: For /usr/bin/iiab-refresh-wiki-docs
      - pastebinit         #   47kB download: For /usr/bin/iiab-diagnostics
      #- python3-pip       #  337kB download: RasPiOS installs this regardless -- 2021-07-29: And already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc
-      #- python3-venv      # 1188kB download: RasPiOS installs this regardless -- 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RaspiOS 10 did not.
+      #- python3-venv      # 1188kB download: RasPiOS installs this regardless -- 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RasPiOS 10 did not.
      - rsync              #  351kB download: RasPiOS installs this regardless
      #- screen            #  551kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
      - sqlite3            # 1054kB download
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -24,23 +24,6 @@
    name: sshd
  when: sshd_install
 # UNMAINTAINED
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
  when: named_install is defined and named_install
 # UNMAINTAINED
 - name: Install dhcpd
  include_tasks: roles/network/tasks/dhcpd.yml
  when: dhcpd_install is defined and dhcpd_install
 # LESS MAINTAINED
 - name: Install Squid
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install and squid_installed is undefined
 - name: Install Bluetooth - only on Raspberry Pi
  include_role:
    name: bluetooth
--- a/roles/6-generic-apps/tasks/main.yml
+++ b/roles/6-generic-apps/tasks/main.yml
@ -3,6 +3,7 @@
 - name: ...IS BEGINNING ====================================
  meta: noop
 # UNMAINTAINED
 - name: AZURACAST
  include_role:
    name: azuracast
@ -36,10 +37,11 @@
    name: jupyterhub
  when: jupyterhub_install
 # UNMAINTAINED
 - name: LOKOLE
  include_role:
    name: lokole
-  when: lokole_install
+  when: lokole_install is defined and lokole_install
 - name: MEDIAWIKI
  include_role:
--- a/roles/awstats/tasks/main.yml
+++ b/roles/awstats/tasks/main.yml
@ -19,27 +19,34 @@
    quiet: yes
- name: Install AWStats if 'awstats_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: awstats_installed is undefined
  - name: Install AWStats if 'awstats_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: awstats_installed is undefined
- name: Enable/Disable/Restart NGINX
+  - name: Enable/Disable/Restart NGINX
-  include_tasks: nginx.yml
+    include_tasks: nginx.yml
  - name: Add 'awstats' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: awstats
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: AWStats
      - option: description
        value: '"AWStats (originally known as Advanced Web Statistics) is a package written in Perl which generates static or dynamic html summaries based upon web server logs."'
      - option: awstats_install
        value: "{{ awstats_install }}"
      - option: awstats_enabled
        value: "{{ awstats_enabled }}"
- name: Add 'awstats' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: awstats
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: AWStats
    - option: description
      value: '"AWStats (originally known as Advanced Web Statistics) is a package written in Perl which generates static or dynamic html summaries based upon web server logs."'
    - option: awstats_install
      value: "{{ awstats_install }}"
    - option: awstats_enabled
      value: "{{ awstats_enabled }}"
--- a/roles/awstats/templates/awstats.schoolserver.conf.j2
+++ b/roles/awstats/templates/awstats.schoolserver.conf.j2
@ -261,7 +261,7 @@ AllowToUpdateStatsFromBrowser=1
 #  3 - Possible on CLI and CGI
 # Default: 2
 #
-AllowFullYearView=2
+AllowFullYearView=3
--- a/roles/azuracast/README.rst
+++ b/roles/azuracast/README.rst
@ -1,6 +1,6 @@
-==========
+================
 AzuraCast README
-==========
+================
 This playbook adds `AzuraCast <https://azuracast.com/>`_ to Internet-in-a-Box (IIAB) for network radio station functionality.  With 'AzuraCast' you and your community can schedule podcasts, music, and even do live streaming of audio content.  A variety of streaming formats are supported.
@ -11,7 +11,7 @@ As of 2019-08-04, this will only run on Ubuntu 18.04, and tentatively on Debian
 Using It
 --------
-* Do a normal IIAB install (http://download.iiab.io), making sure to set both variables ``azuracast_install`` and ``azuracast_enabled`` to ``True`` when it prompts you to edit `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_, as you begin the installation. 
+* Do a normal IIAB install (https://download.iiab.io), making sure to set both variables ``azuracast_install`` and ``azuracast_enabled`` to ``True`` when it prompts you to edit `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_, as you begin the installation.
 * When the IIAB software install completes, it will ask you to reboot, and AzuraCast's console will then be available at http://box.lan:10080
 * This console site will prompt you to complete AzuraCast's initial setup: user accounts, managing stations, radio streams, etc.
 * Finally, check out some `how-to videos <https://www.youtube.com/watch?v=b1Rxlu5P804>`_ to learn to manage your own radio station!
--- a/roles/calibre-web/tasks/install.yml
+++ b/roles/calibre-web/tasks/install.yml
@ -51,7 +51,7 @@
 # VIRTUALENV EXAMPLE COMMANDS:
 # cd /usr/local/calibre-web-py3
 # source bin/activate
-# python3 -m pip list
+# python3 -m pip list    ('pip list' probably sufficient, likewise below)
 # python3 -m pip freeze > /tmp/requirements.txt
 # python3 -m pip install -r requirements.txt
 # deactivate
--- a/roles/calibre-web/tasks/main.yml
+++ b/roles/calibre-web/tasks/main.yml
@ -19,40 +19,47 @@
    quiet: yes
- name: Install Calibre-Web if 'calibreweb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: calibreweb_installed is undefined
  - name: Install Calibre-Web if 'calibreweb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: calibreweb_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
  - name: Add 'calibre-web' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: calibre-web
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Calibre-Web
      - option: description
        value: '"Calibre-Web is a web app providing a clean interface for browsing, reading and downloading e-books."'
      - option: calibreweb_install
        value: "{{ calibreweb_install }}"
      - option: calibreweb_enabled
        value: "{{ calibreweb_enabled }}"
      - option: calibreweb_url1
        value: "{{ calibreweb_url1 }}"
      - option: calibreweb_url2
        value: "{{ calibreweb_url2 }}"
      - option: calibreweb_url3
        value: "{{ calibreweb_url3 }}"
      - option: calibreweb_path
        value: "{{ calibreweb_venv_path }}"
      - option: calibreweb_home
        value: "{{ calibreweb_home }}"
      - option: calibreweb_port
        value: "{{ calibreweb_port }}"
      - option: calibreweb_settings_database
        value: "{{ calibreweb_settings_database }}"
- name: Add 'calibre-web' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: calibre-web
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Calibre-Web
    - option: description
      value: '"Calibre-Web is a web app providing a clean interface for browsing, reading and downloading e-books."'
    - option: calibreweb_install
      value: "{{ calibreweb_install }}"
    - option: calibreweb_enabled
      value: "{{ calibreweb_enabled }}"
    - option: calibreweb_url1
      value: "{{ calibreweb_url1 }}"
    - option: calibreweb_url2
      value: "{{ calibreweb_url2 }}"
    - option: calibreweb_url3
      value: "{{ calibreweb_url3 }}"
    - option: calibreweb_path
      value: "{{ calibreweb_venv_path }}"
    - option: calibreweb_home
      value: "{{ calibreweb_home }}"
    - option: calibreweb_port
      value: "{{ calibreweb_port }}"
    - option: calibreweb_settings_database
      value: "{{ calibreweb_settings_database }}"
--- a/roles/calibre/defaults/main.yml
+++ b/roles/calibre/defaults/main.yml
@ -34,11 +34,11 @@ calibre_userdb: "{{ calibre_dbpath }}/users.sqlite"
 #   calibre-server --manage-users --userdb /library/calibre/users.sqlite
 calibre_sample_book: "Metamorphosis-jackson.epub"
-# Must be downloadable from http://download.iiab.io/packages
+# Must be downloadable from https://download.iiab.io/packages
 calibre_src_url: "https://raw.githubusercontent.com/kovidgoyal/calibre/master/setup/linux-installer.py"
-calibre_deb_url: "{{ iiab_download_url }}"    # http://download.iiab.io/packages
+calibre_deb_url: "{{ iiab_download_url }}"    # https://download.iiab.io/packages
 # Above URL must offer both .deb files below: (for scripts/calibre-install-pinned-rpi.sh to run)
 calibre_deb_pin_version: 3.33.1+dfsg-1    # for calibre_3.33.1+dfsg-1_all.deb (24M, 2018-10-21)
 calibre_bin_deb_pin_version: "{{ calibre_deb_pin_version }}"    # for calibre-bin_3.33.1+dfsg-1_armhf.deb (706K, 2018-10-23)
--- a/roles/calibre/tasks/enable-or-disable.yml
+++ b/roles/calibre/tasks/enable-or-disable.yml
@ -0,0 +1,29 @@
 # http://box:8080 & http://box:8080/mobile WORK BUT OTHER URL'S LIKE http://box/calibre ARE A MESS (BOOKS RARELY DISPLAY)
 #
 # 2018-08-27 POSSIBLE FIX...CONSIDER THIS ProxyPass / ProxyPassReverse TECHNIQUE:
 # https://github.com/iiab/iiab/tree/master/roles/calibre-web/templates/calibre-web.conf.j2
 #    (anyway this works great for calibre-web, allowing http://box/books
 #    to work even better than http://box:8083 when box == 192.168.0.x !)
 #
 #- name: Attempt to enable http://box/calibre via Apache (UNTESTED)
 #  command: a2ensite calibre.conf
 #  when: apache_installed and calibre_enabled
 #
 #- name: Attempt to disable http://box/calibre via Apache (UNTESTED)
 #  command: a2dissite calibre.conf
 #  when: apache_installed and not calibre_enabled
 - name: Enable & (Re)Start 'calibre-serve' service, if calibre_enabled
  systemd:
    daemon_reload: yes
    name: calibre-serve
    enabled: yes
    state: restarted
  when: calibre_enabled
 - name: Disable & Stop 'calibre-serve' service, if not calibre_enabled
  systemd:
    name: calibre-serve
    enabled: no
    state: stopped
  when: not calibre_enabled
--- a/roles/calibre/tasks/main.yml
+++ b/roles/calibre/tasks/main.yml
@ -19,65 +19,37 @@
    quiet: yes
- name: Install Calibre if 'calibre_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: calibre_installed is undefined
-# http://box:8080 & http://box:8080/mobile WORK BUT OTHER URL'S LIKE http://box/calibre ARE A MESS (BOOKS RARELY DISPLAY)
+  - name: Install Calibre if 'calibre_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
-#
+    include_tasks: install.yml
-# 2018-08-27 POSSIBLE FIX...CONSIDER THIS ProxyPass / ProxyPassReverse TECHNIQUE:
+    when: calibre_installed is undefined
 # https://github.com/iiab/iiab/tree/master/roles/calibre-web/templates/calibre-web.conf.j2
 #    (anyway this works great for calibre-web, allowing http://box/books
 #    to work even better than http://box:8083 when box == 192.168.0.x !)
 #
 #- name: Attempt to enable http://box/calibre via Apache (UNTESTED)
 #  command: a2ensite calibre.conf
 #  when: apache_installed and calibre_enabled
 #
 #- name: Attempt to disable http://box/calibre via Apache (UNTESTED)
 #  command: a2dissite calibre.conf
 #  when: apache_installed and not calibre_enabled
- name: Enable & (Re)Start 'calibre-serve' service, if calibre_enabled
+  - include_tasks: enable-or-disable.yml
  systemd:
    daemon_reload: yes
    name: calibre-serve
    enabled: yes
    state: restarted
  when: calibre_enabled
- name: Disable & Stop 'calibre-serve' service, if not calibre_enabled
+  - name: Add 'calibre' variable values to {{ iiab_ini_file }}
-  systemd:
+    ini_file:
-    name: calibre-serve
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    enabled: no
+      section: calibre
-    state: stopped
+      option: "{{ item.option }}"
-  when: not calibre_enabled
+      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Calibre
      - option: description
        value: '"Calibre is an extremely popular personal library system for e-books."'
      - option: calibre_src_url
        value: "{{ calibre_src_url }}"
      - option: calibre_dbpath
        value: "{{ calibre_dbpath }}"
      - option: calibre_port
        value: "{{ calibre_port }}"
      - option: calibre_enabled
        value: "{{ calibre_enabled }}"
-#- name: Enable/Disable/Restart Apache if primary
+  rescue:
 #  include_tasks: apache.yml
 #  when: not nginx_enabled
 #
 #- name: Enable/Disable/Restart NGINX if primary
 #  include_tasks: nginx.yml
 #  when: nginx_enabled
-
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
- name: Add 'calibre' variable values to {{ iiab_ini_file }}
+    fail:
-  ini_file:
+      msg: ""
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    when: not skip_role_on_error
    section: calibre
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: name
      value: Calibre
    - option: description
      value: '"Calibre is an extremely popular personal library system for e-books."'
    - option: calibre_src_url
      value: "{{ calibre_src_url }}"
    - option: calibre_dbpath
      value: "{{ calibre_dbpath }}"
    - option: calibre_port
      value: "{{ calibre_port }}"
    - option: calibre_enabled
      value: "{{ calibre_enabled }}"
--- a/roles/captiveportal/README.md
+++ b/roles/captiveportal/README.md
@ -1,4 +1,4 @@
-_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](http://wiki.laptop.org/go/IIAB/FAQ#Captive_Portal_Administration:_What_tips_.26_tricks_exist.3F)_
+_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](https://wiki.iiab.io/go/FAQ#Captive_Portal_Administration:_What_tips_&_tricks_exist%3F)_
 ## Theory of Operation
--- a/roles/captiveportal/tasks/install.yml
+++ b/roles/captiveportal/tasks/install.yml
@ -26,7 +26,7 @@
    mode: "{{ item.mode }}"
  with_items:
    - { src: roles/captiveportal/templates/checkurls, dest: /opt/iiab/captiveportal/, mode: '0644' }
-    - { src: roles/captiveportal/templates/iiab-divert-to-nginx, dest: /usr/sbin/, mode: '0755' }
+    - { src: roles/captiveportal/templates/iiab-divert-to-nginx.j2, dest: /usr/sbin/iiab-divert-to-nginx, mode: '0755' }
    - { src: roles/captiveportal/templates/iiab-make-cp-servers.py, dest: /usr/sbin/, mode: '0755' }
 - name: Install /opt/iiab/captiveportal/capture-wsgi.py from template, mode '0755' (creates the server)
--- a/roles/captiveportal/tasks/main.yml
+++ b/roles/captiveportal/tasks/main.yml
@ -19,27 +19,33 @@
    quiet: yes
- name: Install Captive Portal if 'captiveportal_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: captiveportal_installed is undefined
  - name: Install Captive Portal if 'captiveportal_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: captiveportal_installed is undefined
- name: Enable or Disable Captive Portal
+  - include_tasks: enable-or-disable.yml
  include_tasks: enable-or-disable.yml
  - name: Add 'captiveportal' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: captiveportal
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Captive Portal
      - option: description
        value: '"Captive Portal tries to open the browser automatically, so users don''t have to type in URL''s like http://box.lan in support of kiosk-like situations, in multilingual and less literate communities."'
      - option: captiveportal_install
        value: "{{ captiveportal_install }}"
      - option: captiveportal_enabled
        value: "{{ captiveportal_enabled }}"
- name: Add 'captiveportal' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: captiveportal
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Captive Portal
    - option: description
      value: '"Captive Portal tries to open the browser automatically, so users don''t have to type in URL''s like http://box.lan in support of kiosk-like situations, in multilingual and less literate communities."'
    - option: captiveportal_install
      value: "{{ captiveportal_install }}"
    - option: captiveportal_enabled
      value: "{{ captiveportal_enabled }}"
--- a/roles/captiveportal/templates/iiab-divert-to-nginx.j2
+++ b/roles/captiveportal/templates/iiab-divert-to-nginx.j2
@ -1,4 +1,4 @@
 #!/bin/bash -x
-awk '{print("address=/" $1 "/172.18.96.1")}' /opt/iiab/captiveportal/checkurls > /etc/dnsmasq.d/capture
+awk '{print("address=/" $1 "/{{ lan_ip }}")}' /opt/iiab/captiveportal/checkurls > /etc/dnsmasq.d/capture
 echo "#following tells windows 7 that captive portal is active" >> /etc/dnsmasq.d/capture
 echo "address=/dns.msftncsi.com/131.107.255.255" >> /etc/dnsmasq.d/capture
--- a/roles/cups/README.md
+++ b/roles/cups/README.md
@ -2,7 +2,7 @@
 [CUPS](https://en.wikipedia.org/wiki/CUPS) (also known as the "Common UNIX Printing System") is the standards-based, open source printing system for Linux and macOS.
-It allows your [Internet-in-a-Box (IIAB)](http://internet-in-a-box.org) to act as a print server.
+It allows your [Internet-in-a-Box (IIAB)](https://internet-in-a-box.org) to act as a print server.
 This can be useful if a printer is attached to your IIAB &mdash; so student/teacher print jobs from client computers and phones can be processed &mdash; and then sent to the appropriate printer.
--- a/roles/cups/tasks/install.yml
+++ b/roles/cups/tasks/install.yml
@ -76,14 +76,14 @@
    name: cups
    state: started
-# - name: "Authorize Nearby IP Addresses: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
+# - name: "Authorize Nearby IP Addresses: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://{{ lan_ip }}:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
 #   command: cupsctl --remote-admin --share-printers --user-cancel-any
 # 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER:
 # (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW.
 # (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!)
- name: "Authorize All IP Addresses: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
+- name: "Authorize All IP Addresses: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://{{ lan_ip }}:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
  command: cupsctl --remote-any --share-printers --user-cancel-any
 # 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml
@ -96,7 +96,7 @@
 #   command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging
 #   when: not cups_enabled
-# - name: "2021-07-14: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'.  As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx').  Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!)  RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S MAY WORK, DEPENDING ON 'cupsctl' COMMAND(S) ABOVE: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631"
+# - name: "2021-07-14: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'.  As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx').  Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://{{ lan_ip }}/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!)  RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S MAY WORK, DEPENDING ON 'cupsctl' COMMAND(S) ABOVE: http://192.168.0.x:631, http://{{ lan_ip }}:631, http://10.8.0.x:631"
 #   lineinfile:
 #     path: /etc/cups/cupsd.conf
 #     line: "{{ item }}"
@ -105,7 +105,7 @@
 #     - "HostNameLookups On"    # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
 #     - "ServerAlias *"
 #     - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}"    # box.lan
-#     - "#Listen {{ lan_ip }}:631"    # 172.18.96.1
+#     - "#Listen {{ lan_ip }}:631"    # e.g. 10.10.10.10
 #     - "#Listen 127.0.0.1:631"
 #     - "#Listen 0.0.0.0:631"
 #     - "#Listen *:631"
--- a/roles/cups/templates/cups.conf.j2
+++ b/roles/cups/templates/cups.conf.j2
@ -21,7 +21,7 @@ location ~ ^/print(|/.*)$ {    # '~' -> '~*' for case-insensitive regex
        return 301 http://localhost:631;
    }
-    return 301 http://$host:631;   # For 192.168.0.x, 172.18.96.1, 10.8.0.y ETC
+    return 301 http://$host:631;   # For 192.168.0.x, 10.10.10.10, 172.18.96.1, 10.8.0.y ETC
 }
--- a/roles/firmware/tasks/download.yml
+++ b/roles/firmware/tasks/download.yml
@ -9,19 +9,19 @@
    - brcmfmac43455-sdio.clm_blob
  ignore_errors: yes
- name: Download higher-capacity firmware (for RPi internal WiFi, per https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and https://github.com/iiab/iiab/issues/2853)
+- name: Download higher-capacity firmwares (for RPi internal WiFi, per https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and https://github.com/iiab/iiab/issues/2853)
  get_url:
-    url: "{{ item }}"
+    url: "{{ iiab_download_url }}/{{ item }}"
    dest: /lib/firmware/brcm/
    timeout: "{{ download_timeout }}"
  with_items:
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- from https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
+    - brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- from https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal      # 24 -- from https://github.com/iiab/iiab/issues/2853#issuecomment-934293015
+    - brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal      # 24 -- from https://github.com/iiab/iiab/issues/2853#issuecomment-934293015
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- from https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
+    - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- from https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1    # 32 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
+    - brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1    # 32 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
-    - http://d.iiab.io/packages/brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
+    - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
-    - http://d.iiab.io/packages/brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65             # 30 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
+    - brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65             # 30 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
-    - http://d.iiab.io/packages/brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65
+    - brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65
 # RECORD firmware AS DOWNLOADED
--- a/roles/gitea/tasks/enable-or-disable.yml
+++ b/roles/gitea/tasks/enable-or-disable.yml
@ -1,3 +1,19 @@
 - name: Enable & Restart 'gitea' systemd service, if gitea_enabled
  systemd:
    name: gitea
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: gitea_enabled
 - name: Disable & Stop 'gitea' systemd service, if not gitea_enabled
  systemd:
    name: gitea
    enabled: no
    state: stopped
  when: not gitea_enabled
 - name: Enable http://box{{ gitea_url }} via NGINX, by installing {{ nginx_conf_dir }}/gitea-nginx.conf from template
  template:
    src: gitea-nginx.conf.j2
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -19,46 +19,37 @@
    quiet: yes
- name: Install Gitea {{ gitea_version }} if 'gitea_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: gitea_installed is undefined
  - name: Install Gitea {{ gitea_version }} if 'gitea_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: gitea_installed is undefined
- name: Enable & Restart 'gitea' systemd service, if gitea_enabled
+  - include_tasks: enable-or-disable.yml
  systemd:
    name: gitea
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: gitea_enabled
- name: Disable & Stop 'gitea' systemd service, if not gitea_enabled
+  - name: Add 'gitea' to list of services at {{ iiab_ini_file }}
-  systemd:
+    ini_file:
-    name: gitea
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    enabled: no
+      section: gitea
-    state: stopped
+      option: "{{ item.option }}"
-  when: not gitea_enabled
+      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Gitea
      - option: description
        value: '"Gitea is like GitHub for more offline communities: Git with a cup of tea"'
      - option: gitea_install
        value: "{{ gitea_install }}"
      - option: gitea_enabled
        value: "{{ gitea_enabled }}"
      - option: gitea_run_directory
        value: "{{ gitea_run_directory }}"
      - option: gitea_url
        value: "{{ gitea_url }}"
- name: Enable/Disable/Restart NGINX
+  rescue:
  include_tasks: nginx.yml
-
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
- name: Add 'gitea' to list of services at {{ iiab_ini_file }}
+    fail:
-  ini_file:
+      msg: ""
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    when: not skip_role_on_error
    section: gitea
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: name
      value: Gitea
    - option: description
      value: '"Gitea is like GitHub for more offline communities: Git with a cup of tea"'
    - option: gitea_install
      value: "{{ gitea_install }}"
    - option: gitea_enabled
      value: "{{ gitea_enabled }}"
    - option: gitea_run_directory
      value: "{{ gitea_run_directory }}"
    - option: gitea_url
      value: "{{ gitea_url }}"
--- a/roles/iiab-admin/README.rst
+++ b/roles/iiab-admin/README.rst
@ -13,7 +13,7 @@
 iiab-admin README
 =================
-`Internet-in-a-Box <http://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community.
+`Internet-in-a-Box <https://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community.
 This Ansible playbook is one of the very first that runs when you install IIAB, and we hope reading this helps you understand your choices:
@ -21,11 +21,11 @@ Configure user 'iiab-admin'
 ---------------------------
 * `admin-user.yml <tasks/admin-user.yml>`_ configures a Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}.
-   * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here.
+   * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (https://download.iiab.io) or by your underlying OS, that too will be taken care of here.
 * By default this user is ``iiab-admin`` with password ``g0adm1n``
   * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin**
   * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password.
-* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!)
+* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ (preferably do this prior to installing IIAB!)
   * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!)
   * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually.
@ -36,14 +36,14 @@ Security
   #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
   #. ``sudo``
 * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
-* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security
+* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
 * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).
 Example
 =======
 * If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this:
-   #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
+   #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_
   #. Make sure that ``iiab_admin_user_install: True`` is also set.
   #. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin``
--- a/roles/iiab-admin/tasks/main.yml
+++ b/roles/iiab-admin/tasks/main.yml
@ -23,7 +23,7 @@
 # (1) by the OS installer
 # (2) by the OS's graphical desktop tools
 # (3) at the command-line: sudo passwd iiab-admin
-# (4) by IIAB's 1-line installer: http://download.iiab.io
+# (4) by IIAB's 1-line installer: https://download.iiab.io
 # (5) by this role: roles/iiab-admin/tasks/admin-user.yml
 # (6) by IIAB's Admin Console during installation
 # ...and/or...
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
@ -19,7 +19,7 @@ check_user_pwd() {
    # enough when user does not exist.  Or uncomment to FORCE ERROR CODE 2.
    # Either way, overall bash script still returns exit code 0 ("success")
-    # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RaspiOS ships w/
+    # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RasPiOS ships w/
    # /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL"
    # (read access to /etc/shadow is otherwise restricted to just root and
    # group www-data i.e. Apache, NGINX get special access).  SEE: #2431, #2561
--- a/roles/internetarchive/README.md
+++ b/roles/internetarchive/README.md
@ -8,7 +8,7 @@ Access to our library of millions of books, journals, audio and video recordings
 This Ansible role installs the Internet Archive's dweb-mirror project on
 Internet-in-a-Box (IIAB).  Use this to build up a dynamic offline library
-arising from the materials you can explore at http://dweb.archive.org
+arising from the materials you can explore at https://dweb.archive.org
 The Offline Internet Archive server:
@ -248,7 +248,7 @@ and just checks the content is up to date.
 ## Managing collections on Internet Archive
-You can create and manage your own collections on the [Internet Archive site](http://www.archive.org).  
+You can create and manage your own collections on the [Internet Archive site](https://www.archive.org).  
 Other people can then crawl those collections. 
 First get in touch with Mitra Ardron at `mitra@archive.org`, as processes may have changed since this is written.
--- a/roles/internetarchive/tasks/enable-or-disable.yml
+++ b/roles/internetarchive/tasks/enable-or-disable.yml
@ -1,3 +1,19 @@
 - name: Enable & Restart 'internetarchive' systemd service, if internetarchive_enabled
  systemd:
    name: internetarchive
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: internetarchive_enabled
 - name: Disable & Stop 'internetarchive' systemd service, if not internetarchive_enabled
  systemd:
    name: internetarchive
    enabled: no
    state: stopped
  when: not internetarchive_enabled
 - name: Enable http://box/archive via NGINX, by installing {{ nginx_conf_dir }}/internetarchive-nginx.conf from template
  template:
    src: internetarchive-nginx.conf.j2    # TO DO: roles/internetarchive/templates/internetarchive-nginx.conf.j2
--- a/roles/internetarchive/tasks/main.yml
+++ b/roles/internetarchive/tasks/main.yml
@ -19,76 +19,60 @@
    quiet: yes
-# 2020-02-11: @mitra42 & @holta agree (#2247) that the following 2-stanza
+- block:
 # "UPDATE internetarchive" block should run whenever one isn't installing
 # (or reinstalling) internetarchive, for now.  We're aware this means slowness
 # during "./runrole internetarchive" but that's very intentional for now -- as
 # it leads to more testing of more recent versions of internetarchive, which
 # is strongly desired.  Finally, these current norms can and probably will be
 # changed in future, when broader IIAB norms develop around "./runrole
 # --upgrade internetarchive" or "./runrole --update internetarchive" or such,
 # as may evolve @ https://github.com/iiab/iiab/pull/2238#discussion_r376168178
- block:    # BEGIN 2-STANZA BLOCK
+  # 2020-02-11: @mitra42 & @holta agree (#2247) that the following 2-stanza
  # "UPDATE internetarchive" portion should run whenever one isn't installing
  # (or reinstalling) internetarchive, for now.  We're aware this means slowness
  # during "./runrole internetarchive" but that's very intentional for now -- as
  # it leads to more testing of more recent versions of internetarchive, which
  # is strongly desired.  Finally, these current norms can and probably will be
  # changed in future, when broader IIAB norms develop around "./runrole
  # --upgrade internetarchive" or "./runrole --update internetarchive" or such,
  # as may evolve @ https://github.com/iiab/iiab/pull/2238#discussion_r376168178
  - name: "UPGRADE: Stop 'internetarchive' systemd service, if internetarchive_installed is defined"
    systemd:
      name: internetarchive
      daemon_reload: yes
      state: stopped
    when: internetarchive_installed is defined
  - name: "UPGRADE: Run 'yarn upgrade' in {{ internetarchive_dir }}, if internetarchive_installed is defined"
    shell: yarn config set child-concurrency 1 && yarn install && yarn upgrade
    args:
      chdir: "{{ internetarchive_dir }}"
    when: internetarchive_installed is defined
-  when: internetarchive_installed is defined    # END 2-STANZA BLOCK
+  # "ELSE" INSTALL...
-# "ELSE" INSTALL...
+  - name: Install Internet Archive if 'internetarchive_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
-
+    include_tasks: install.yml
- name: Install Internet Archive if 'internetarchive_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+    when: internetarchive_installed is undefined
  include_tasks: install.yml
  when: internetarchive_installed is undefined
-# ENABLE/DISABLE/RESTART SYSTEMD SERVICE & WEB SERVERS AS NEC ?
+  - include_tasks: enable-or-disable.yml
 - name: Enable & Restart 'internetarchive' systemd service, if internetarchive_enabled
  systemd:
    name: internetarchive
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: internetarchive_enabled
 - name: Disable & Stop 'internetarchive' systemd service, if not internetarchive_enabled
  systemd:
    name: internetarchive
    enabled: no
    state: stopped
  when: not internetarchive_enabled
 # - name: Enable/Disable/Restart Apache if primary
 #   include_tasks: apache.yml
 #   when: apache_installed is defined and not nginx_enabled
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
  #when: nginx_enabled
- name: Add 'internetarchive' variable values to {{ iiab_ini_file }}
+  - name: Add 'internetarchive' variable values to {{ iiab_ini_file }}
-  ini_file:
+    ini_file:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    section: internetarchive
+      section: internetarchive
-    option: "{{ item.option }}"
+      option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+      value: "{{ item.value | string }}"
-  with_items:
+    with_items:
-    - option: name
+      - option: name
-      value: Internet Archive
+        value: Internet Archive
-    - option: description
+      - option: description
-      value: '"Take the Internet Archive experience and materials offline, in a decentralized way!"'
+        value: '"Take the Internet Archive experience and materials offline, in a decentralized way!"'
-    - option: internetarchive_install
+      - option: internetarchive_install
-      value: "{{ internetarchive_install }}"
+        value: "{{ internetarchive_install }}"
-    - option: internetarchive_enabled
+      - option: internetarchive_enabled
-      value: "{{ internetarchive_enabled }}"
+        value: "{{ internetarchive_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/jupyterhub/README.md
+++ b/roles/jupyterhub/README.md
@ -74,4 +74,4 @@ _WARNING: If on login users see "500 : Internal Server Error", you may need to r
 While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.
-He explains PAWS as a "powerful Python execution environment http://paws.wmcloud.org [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."
+He explains PAWS as a "powerful Python execution environment https://paws.wmcloud.org = https://wikitech.wikimedia.org/wiki/PAWS [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."
--- a/roles/jupyterhub/tasks/install.yml
+++ b/roles/jupyterhub/tasks/install.yml
@ -33,21 +33,33 @@
    global: yes
    state: latest
- name: "pip install 7 packages into virtual environment: {{ jupyterhub_venv }} (~217 MB)"
+- name: "pip install 3 packages into virtual environment: {{ jupyterhub_venv }} (~304 MB total, after 2 Ansible calls)"
  pip:
    name:
      - pip
      - wheel
      - ipywidgets
      - jupyterhub
    virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
    virtualenv_site_packages: no
    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RasPiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
    #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
    extra_args: "--no-cache-dir"    # 2021-11-30, 2022-07-07: The "--pre" flag had earlier been needed, for beta-like pre-releases of JupyterHub 2.0.0
 # 2022-07-07: Attempting to "pip install" all 7 together (3 above + 4 below)
 # fails on OS's like 64-bit RasPiOS (but interestingly works on Ubuntu 22.04!)
 # https://github.com/iiab/iiab/issues/3283
 - name: Break up jupyterhub/jupyterlab pip installs into 2 parts (3 packages above + 4 packages here) due to mutual dependency deadlock on some OS's
  pip:
    name:
      - jupyterlab
      - jupyterhub_firstuseauthenticator
      - jupyterhub-systemdspawner
-    virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
+      - ipywidgets
    virtualenv: "{{ jupyterhub_venv }}"
    virtualenv_site_packages: no
-    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RaspiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    
-    #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
+    extra_args: "--no-cache-dir"
    extra_args: "--no-cache-dir --pre"    # 2021-11-30: The "--pre" flag should likely be removed after JupyterHub 2.0.0 is released.
 - name: "Install from template: {{ jupyterhub_venv }}/etc/jupyterhub/jupyterhub_config.py"
  template:
@ -59,20 +71,21 @@
    src: jupyterhub.service.j2
    dest: /etc/systemd/system/jupyterhub.service
- name: Install {{ jupyterhub_venv }}/bin/getsite.py from template, to fetch site_packages path, e.g. {{ jupyterhub_venv }}/lib/python{{ python_ver }}/site-packages
+# 2022-07-07: No longer needed, thx to upstream fixes
-  template:
+# - name: Install {{ jupyterhub_venv }}/bin/getsite.py from template, to fetch site_packages path, e.g. {{ jupyterhub_venv }}/lib/python{{ python_ver }}/site-packages
-    src: getsite.py.j2
+#   template:
-    dest: "{{ jupyterhub_venv }}/bin/getsite.py"
+#     src: getsite.py.j2
-    mode: 0755
+#     dest: "{{ jupyterhub_venv }}/bin/getsite.py"
-
+#     mode: 0755
- name: Install patch_FUA.sh from template -- to (1) fix async password-changing page, and (2) force usernames to lowercase -- patching $SITE_PACKAGES/firstuseauthenticator/firstuseauthenticator.py
+#
-  template:
+# - name: Install patch_FUA.sh from template -- to (1) fix async password-changing page, and (2) force usernames to lowercase -- patching $SITE_PACKAGES/firstuseauthenticator/firstuseauthenticator.py
-    src: patch_FUA.sh.j2
+#   template:
-    dest: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
+#     src: patch_FUA.sh.j2
-    mode: 0755
+#     dest: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
-
+#     mode: 0755
- name: "Run the above two, via: {{ jupyterhub_venv }}/bin/patch_FUA.sh"
+#
-  command: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
+# - name: "Run the above two, via: {{ jupyterhub_venv }}/bin/patch_FUA.sh"
 #   command: "{{ jupyterhub_venv }}/bin/patch_FUA.sh"
 - name: Install patch_http-warning.sh from template, to turn off the warning about http insecurity, in {{ jupyterhub_venv }}/share/jupyterhub/templates/login.html
  template:
--- a/roles/jupyterhub/tasks/main.yml
+++ b/roles/jupyterhub/tasks/main.yml
@ -19,26 +19,33 @@
    quiet: yes
- name: Install Jupyter if jupyterhub_installed not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: jupyterhub_installed is undefined
  - name: Install Jupyter if jupyterhub_installed not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: jupyterhub_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
  - name: Add 'jupyterhub' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: jupyterhub
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: JupyterHub
      - option: description
        value: '"High Schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their notebook/document/blog."'
      - option: jupyterhub_install
        value: "{{ jupyterhub_install }}"
      - option: jupyterhub_enabled
        value: "{{ jupyterhub_enabled }}"
- name: Add 'jupyterhub' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: jupyterhub
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: JupyterHub
    - option: description
      value: '"High Schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their notebook/document/blog."'
    - option: jupyterhub_install
      value: "{{ jupyterhub_install }}"
    - option: jupyterhub_enabled
      value: "{{ jupyterhub_enabled }}"
--- a/roles/jupyterhub/templates/getsite.py.j2.unused
+++ b/roles/jupyterhub/templates/getsite.py.j2.unused
--- a/roles/jupyterhub/templates/patch_FUA.sh.j2.unused
+++ b/roles/jupyterhub/templates/patch_FUA.sh.j2.unused
--- a/roles/kalite/tasks/enable-or-disable.yml
+++ b/roles/kalite/tasks/enable-or-disable.yml
@ -0,0 +1,14 @@
 - name: Enable & (Re)Start 'kalite-serve' service, if kalite_enabled
  systemd:
    daemon_reload: yes
    name: kalite-serve
    enabled: yes
    state: restarted
  when: kalite_enabled
 - name: Disable & Stop 'kalite-serve' service, if not kalite_enabled
  systemd:
    name: kalite-serve
    enabled: no
    state: stopped
  when: not kalite_enabled
--- a/roles/kalite/tasks/install.yml
+++ b/roles/kalite/tasks/install.yml
@ -65,7 +65,7 @@
    replace: 'a-zA-Z0-9\-'
  when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
-  # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RaspiOS 11+ too?
+  # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RasPiOS 11+ too?
 - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20
  replace:
--- a/roles/kalite/tasks/main.yml
+++ b/roles/kalite/tasks/main.yml
@ -19,43 +19,37 @@
    quiet: yes
- name: Install KA Lite if 'kalite_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: kalite_installed is undefined
  - name: Install KA Lite if 'kalite_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: kalite_installed is undefined
- name: Enable & (Re)Start 'kalite-serve' service, if kalite_enabled
+  - include_tasks: enable-or-disable.yml
  systemd:
    daemon_reload: yes
    name: kalite-serve
    enabled: yes
    state: restarted
  when: kalite_enabled
- name: Disable & Stop 'kalite-serve' service, if not kalite_enabled
+  - name: Add 'kalite' variable values to {{ iiab_ini_file }}
-  systemd:
+    ini_file:
-    name: kalite-serve
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    enabled: no
+      section: kalite
-    state: stopped
+      option: "{{ item.option }}"
-  when: not kalite_enabled
+      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: "KA Lite"
      - option: description
        value: '"KA Lite downloads Khan Academy videos for offline use, with exercises and accounts if students want to track their own progress."'
      - option: kalite_install
        value: "{{ kalite_install }}"
      - option: kalite_enabled
        value: "{{ kalite_enabled }}"
      - option: path
        value: "{{ kalite_root }}"
      - option: port
        value: "{{ kalite_server_port }}"
  rescue:
- name: Add 'kalite' variable values to {{ iiab_ini_file }}
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-  ini_file:
+    fail:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+      msg: ""
-    section: kalite
+    when: not skip_role_on_error
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: name
      value: "KA Lite"
    - option: description
      value: '"KA Lite downloads Khan Academy videos for offline use, with exercises and accounts if students want to track their own progress."'
    - option: kalite_install
      value: "{{ kalite_install }}"
    - option: kalite_enabled
      value: "{{ kalite_enabled }}"
    - option: path
      value: "{{ kalite_root }}"
    - option: port
      value: "{{ kalite_server_port }}"
--- a/roles/kiwix/defaults/main.yml
+++ b/roles/kiwix/defaults/main.yml
@ -22,9 +22,9 @@
 kiwix_library_xml: "{{ iiab_zim_path }}/library.xml"
 # 3 lines below specify which version(s) of kiwix-tools to download from...
-# http://download.iiab.io/packages/ ...as originally obtained from...
+# https://download.iiab.io/packages/ ...as originally obtained from...
-# http://download.kiwix.org/release/kiwix-tools/ ...or sometimes...
+# https://download.kiwix.org/release/kiwix-tools/ ...or sometimes...
-# http://download.kiwix.org/nightly/
+# https://download.kiwix.org/nightly/
 kiwix_version_armhf: kiwix-tools_linux-armhf-3.3.0
 kiwix_version_linux64: kiwix-tools_linux-x86_64-3.3.0
--- a/roles/kiwix/tasks/install.yml
+++ b/roles/kiwix/tasks/install.yml
@ -34,7 +34,7 @@
 - name: Download {{ iiab_download_url }}/{{ kiwix_src_file }} to /opt/iiab/downloads
  get_url:
-    url: "{{ iiab_download_url }}/{{ kiwix_src_file }}"    # http://download.iiab.io/packages
+    url: "{{ iiab_download_url }}/{{ kiwix_src_file }}"    # https://download.iiab.io/packages
    dest: "{{ downloads_dir }}/{{ kiwix_src_file }}"    # /opt/iiab/downloads
    timeout: "{{ download_timeout }}"
--- a/roles/kiwix/tasks/main.yml
+++ b/roles/kiwix/tasks/main.yml
@ -19,38 +19,45 @@
    quiet: yes
- name: Install Kiwix if 'kiwix_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: kiwix_installed is undefined
  - name: Install Kiwix if 'kiwix_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: kiwix_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
  - name: Add 'kiwix' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"
      section: kiwix
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Kiwix
      - option: description
        value: '"Part of https://github.com/kiwix/kiwix-tools/ -- kiwix-serve is the most used web server for ZIM files."'
      - option: kiwix_install
        value: "{{ kiwix_install }}"
      - option: kiwix_enabled
        value: "{{ kiwix_enabled }}"
      - option: kiwix_url
        value: "{{ kiwix_url }}"
      - option: kiwix_url_plus_slash
        value: "{{ kiwix_url_plus_slash }}"
      - option: kiwix_path
        value: "{{ kiwix_path }}"
      - option: kiwix_port
        value: "{{ kiwix_port }}"
      - option: iiab_zim_path
        value: "{{ iiab_zim_path }}"
      - option: kiwix_library_xml
        value: "{{ kiwix_library_xml }}"
- name: Add 'kiwix' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: kiwix
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Kiwix
    - option: description
      value: '"Part of https://github.com/kiwix/kiwix-tools/ -- kiwix-serve is the most used web server for ZIM files."'
    - option: kiwix_install
      value: "{{ kiwix_install }}"
    - option: kiwix_enabled
      value: "{{ kiwix_enabled }}"
    - option: kiwix_url
      value: "{{ kiwix_url }}"
    - option: kiwix_url_plus_slash
      value: "{{ kiwix_url_plus_slash }}"
    - option: kiwix_path
      value: "{{ kiwix_path }}"
    - option: kiwix_port
      value: "{{ kiwix_port }}"
    - option: iiab_zim_path
      value: "{{ iiab_zim_path }}"
    - option: kiwix_library_xml
      value: "{{ kiwix_library_xml }}"
--- a/roles/kolibri/tasks/main.yml
+++ b/roles/kolibri/tasks/main.yml
@ -19,37 +19,46 @@
    quiet: yes
-#- name: "Set 'kolibri_provision: False' for a more lightweight (re)install"
+- block:
 #  set_fact:
 #    kolibri_provision: False
 #  when: ???
- name: Install Kolibri, if 'kolibri_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+  #- name: "Set 'kolibri_provision: False' for a more lightweight (re)install"
-  include_tasks: install.yml
+  #  set_fact:
-  when: kolibri_installed is undefined
+  #    kolibri_provision: False
  #  when: ???
  - name: Install Kolibri, if 'kolibri_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: kolibri_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
- name: Add 'kolibri' variable values to {{ iiab_ini_file }}    # /etc/iiab/iiab.ini
+  - name: Add 'kolibri' variable values to {{ iiab_ini_file }}    # /etc/iiab/iiab.ini
-  ini_file:
+    ini_file:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    section: kolibri
+      section: kolibri
-    option: "{{ item.option }}"
+      option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+      value: "{{ item.value | string }}"
-  with_items:
+    with_items:
-    - option: name
+      - option: name
-      value: Kolibri
+        value: Kolibri
-    - option: description
+      - option: description
-      value: '"Kolibri is an open-source educational platform specially designed to provide offline access to a wide range of quality, openly licensed educational contents in low-resource contexts like rural schools, refugee camps, orphanages, and also in non-formal school programs."'
+        value: '"Kolibri is an open-source educational platform specially designed to provide offline access to a wide range of quality, openly licensed educational contents in low-resource contexts like rural schools, refugee camps, orphanages, and also in non-formal school programs."'
-    - option: kolibri_install
+      - option: kolibri_install
-      value: "{{ kolibri_install }}"
+        value: "{{ kolibri_install }}"
-    - option: kolibri_enabled
+      - option: kolibri_enabled
-      value: "{{ kolibri_enabled }}"
+        value: "{{ kolibri_enabled }}"
-    - option: kolibri_url
+      - option: kolibri_url
-      value: "{{ kolibri_url }}"
+        value: "{{ kolibri_url }}"
-    - option: kolibri_path
+      - option: kolibri_path
-      value: "{{ kolibri_exec_path }}"
+        value: "{{ kolibri_exec_path }}"
-    - option: kolibri_port
+      - option: kolibri_port
-      value: "{{ kolibri_http_port }}"
+        value: "{{ kolibri_http_port }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/kolibri/templates/kolibri.service.j2
+++ b/roles/kolibri/templates/kolibri.service.j2
@ -10,7 +10,7 @@ Environment=KOLIBRI_HTTP_PORT={{ kolibri_http_port }}
 Environment=KOLIBRI_URL_PATH_PREFIX={{ kolibri_url_without_slash }}
 User={{ kolibri_user }}
 Group={{ apache_user }}
-# 2020-10-03: Kolibri was timing out on RaspiOS & Ubuntu 20 NUC: iiab/iiab#2555
+# 2020-10-03: Kolibri was timing out on RasPiOS & Ubuntu 20 NUC: iiab/iiab#2555
 TimeoutStartSec=1200
 # The following is the systemd default, which is too much for most teachers in
 # low-electricity environments (30-60 sec is about all they can handle before
--- a/roles/lokole/README.rst
+++ b/roles/lokole/README.rst
@ -17,9 +17,9 @@ For an up-to-date list of supported languages, refer to the `Lokole translations
 Using It
 --------
-If your IIAB was `installed <http://wiki.laptop.org/go/IIAB/FAQ#Is_a_quick_installation_possible.3F>`_ with the Lokole web app[*] it can be accessed at http://box/lokole
+If your IIAB was `installed <https://wiki.iiab.io/go/FAQ#Is_a_quick_installation_possible%3F>`_ with the Lokole web app[*] it can be accessed at http://box/lokole
-[*] If you're not sure, verify that your IIAB's `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ contains ``lokole_install: True`` and ``lokole_enabled: True``
+[*] If you're not sure, verify that your IIAB's `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ contains ``lokole_install: True`` and ``lokole_enabled: True``
 By default in an offline community, ``lokole_sim_type: LocalOnly`` is set (e.g. instead of ``lokole_sim_type: Ethernet``) and email addresses will look like:
@ -85,7 +85,7 @@ The Lokole software can be configured to access the Internet via USB modem, SIM
 If configured to work with a USB modem or other form of Internet connection, Lokole will sync with the cloud server (operated by `Ascoderu <https://ascoderu.ca/>`_) on a nightly basis to deliver and receive emails globally.  *However, arranging this is extremely complicated.*  You would need a compatible form of connection and an Internet expert familiar with modem protocols, MX records, etc.  Ask that person to read the `Lokole software README <https://github.com/ascoderu/lokole/blob/master/README.rst>`_ in its entirety, to help you understand whether this is realistic for your organization.
-Lokole and Internet-in-a-Box would welcome a business plan (whether volunteer-based, grant-based or for-profit) from someone willing to operationalize this — making it relatively hassle-free for schools, clinics, libraries and orphanages around the world — that generally do not have access to technical experts.  Please `contact us <http://wiki.laptop.org/go/IIAB/FAQ#What_are_the_best_places_for_community_support.3F>`_ if you have the capacity to help make such a social enterprise happen.
+Lokole and Internet-in-a-Box would welcome a business plan (whether volunteer-based, grant-based or for-profit) from someone willing to operationalize this — making it relatively hassle-free for schools, clinics, libraries and orphanages around the world — that generally do not have access to technical experts.  Please `contact us <https://wiki.iiab.io/go/FAQ#What_are_the_best_places_for_community_support%3F>`_ if you have the capacity to help make such a social enterprise happen.
 Troubleshooting
 ---------------
--- a/roles/lokole/tasks/main.yml
+++ b/roles/lokole/tasks/main.yml
@ -19,53 +19,62 @@
    quiet: yes
- name: Install Lokole if lokole_installed is not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
-  include_tasks: install.yml
+
-  when: lokole_installed is undefined
+  - name: Install Lokole if lokole_installed is not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: lokole_installed is undefined
- name: Do a 'systemctl daemon-reload'
+  - name: Do a 'systemctl daemon-reload'
-  systemd:
+    systemd:
-    daemon_reload: yes
+      daemon_reload: yes
-  when: lokole_enabled
+    when: lokole_enabled
- name: Enable & Restart supervisor systemd service, if lokole_enabled
+  - name: Enable & Restart supervisor systemd service, if lokole_enabled
-  systemd:
+    systemd:
-    name: supervisor
+      name: supervisor
-    enabled: yes
+      enabled: yes
-    state: restarted
+      state: restarted
-  when: lokole_enabled
+    when: lokole_enabled
- name: Disable & Stop supervisor systemd service, if not lokole_enabled
+  - name: Disable & Stop supervisor systemd service, if not lokole_enabled
-  systemd:
+    systemd:
-    name: supervisor
+      name: supervisor
-    enabled: no
+      enabled: no
-    state: stopped
+      state: stopped
-  when: not lokole_enabled
+    when: not lokole_enabled
- name: Enable/Disable/Restart NGINX
+  - name: Enable/Disable/Restart NGINX
-  include_tasks: nginx.yml
+    include_tasks: nginx.yml
- name: Add 'lokole' variable values to {{ iiab_ini_file }}
+  - name: Add 'lokole' variable values to {{ iiab_ini_file }}
-  ini_file:
+    ini_file:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    section: lokole
+      section: lokole
-    option: "{{ item.option }}"
+      option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+      value: "{{ item.value | string }}"
-  with_items:
+    with_items:
-    - option: name
+      - option: name
-      value: Lokole
+        value: Lokole
-    - option: description
+      - option: description
-      value: '"Lokole is an email service that works offline, for rural communities.  With a 3G/4G modem, you can arrange to batch-upload / batch-download emails once per night -- for almost no cost at all -- depending on mobile data plans in your country."'
+        value: '"Lokole is an email service that works offline, for rural communities.  With a 3G/4G modem, you can arrange to batch-upload / batch-download emails once per night -- for almost no cost at all -- depending on mobile data plans in your country."'
-      #value: '"Lokole is an email service that works offline, for rural communities.  In some cases, emails can also be transmitted to/from the Internet, taking advantage of discounted mobile data rates."'
+        #value: '"Lokole is an email service that works offline, for rural communities.  In some cases, emails can also be transmitted to/from the Internet, taking advantage of discounted mobile data rates."'
-    - option: lokole_install
+      - option: lokole_install
-      value: "{{ lokole_install }}"
+        value: "{{ lokole_install }}"
-    - option: lokole_enabled
+      - option: lokole_enabled
-      value: "{{ lokole_enabled }}"
+        value: "{{ lokole_enabled }}"
-    - option: lokole_settings
+      - option: lokole_settings
-      value: "{{ lokole_settings }}"
+        value: "{{ lokole_settings }}"
-    - option: lokole_url
+      - option: lokole_url
-      value: "{{ lokole_url }}"
+        value: "{{ lokole_url }}"
-    - option: lokole_full_url
+      - option: lokole_full_url
-      value: "{{ lokole_full_url }}"
+        value: "{{ lokole_full_url }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/mediawiki/defaults/main.yml
+++ b/roles/mediawiki/defaults/main.yml
@ -5,7 +5,7 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 mediawiki_major_version: 1.38    # "1.35" also works
-mediawiki_minor_version: 1
+mediawiki_minor_version: 2
 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
 mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"
--- a/roles/mediawiki/tasks/main.yml
+++ b/roles/mediawiki/tasks/main.yml
@ -19,39 +19,46 @@
    quiet: yes
- name: Install MediaWiki {{ mediawiki_version }} if 'mediawiki_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: mediawiki_installed is undefined
  - name: Install MediaWiki {{ mediawiki_version }} if 'mediawiki_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: mediawiki_installed is undefined
- name: Enable/Disable/Restart NGINX
+  - name: Enable/Disable/Restart NGINX
-  include_tasks: nginx.yml
+    include_tasks: nginx.yml
  - name: Add 'mediawiki' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: mediawiki
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: MediaWiki
      - option: description
        value: '"MediaWiki is a blog and web site management application, from the people who create Wikipedia."'
      - option: mediawiki_install
        value: "{{ mediawiki_install }}"
      - option: mediawiki_enabled
        value: "{{ mediawiki_enabled }}"
      - option: mediawiki_src
        value: "{{ mediawiki_src }}"
      - option: mediawiki_abs_path
        value: "{{ mediawiki_abs_path }}"
      - option: mediawiki_db_name
        value: "{{ mediawiki_db_name }}"
      - option: mediawiki_db_user
        value: "{{ mediawiki_db_user }}"
      - option: mediawiki_url
        value: "{{ mediawiki_url }}"
      - option: mediawiki_full_url
        value: "{{ mediawiki_full_url }}"
- name: Add 'mediawiki' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: mediawiki
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: MediaWiki
    - option: description
      value: '"MediaWiki is a blog and web site management application, from the people who create Wikipedia."'
    - option: mediawiki_install
      value: "{{ mediawiki_install }}"
    - option: mediawiki_enabled
      value: "{{ mediawiki_enabled }}"
    - option: mediawiki_src
      value: "{{ mediawiki_src }}"
    - option: mediawiki_abs_path
      value: "{{ mediawiki_abs_path }}"
    - option: mediawiki_db_name
      value: "{{ mediawiki_db_name }}"
    - option: mediawiki_db_user
      value: "{{ mediawiki_db_user }}"
    - option: mediawiki_url
      value: "{{ mediawiki_url }}"
    - option: mediawiki_full_url
      value: "{{ mediawiki_full_url }}"
--- a/roles/minetest/README.rst
+++ b/roles/minetest/README.rst
@ -23,7 +23,7 @@ No password is required.
 Configurable Parameters
 -----------------------
-If changes are necessary, please edit `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (adding any variables that you need) prior to installation if possible:
+If changes are necessary, please edit `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ (adding any variables that you need) prior to installation if possible:
 - ``minetest_install:`` set Minetest up to install; default is False
 - ``minetest_enabled:`` set Minetest up to be enabled; default is False
--- a/roles/minetest/tasks/main.yml
+++ b/roles/minetest/tasks/main.yml
@ -19,32 +19,39 @@
    quiet: yes
- name: Install Minetest if 'minetest_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: provision.yml    # i.e. install.yml in other roles
  when: minetest_installed is undefined
  - name: Install Minetest if 'minetest_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: provision.yml    # i.e. install.yml in other roles
    when: minetest_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
  - name: Add 'minetest' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: minetest
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Minetest Server
      - option: description
        value: '"Minetest is an open source clone of the Minecraft building blocks game."'
      - option: minetest_install
        value: "{{ minetest_install }}"
      - option: minetest_enabled
        value: "{{ minetest_enabled }}"
      - option: minetest_world_dir
        value: "{{ minetest_world_dir }}"
      - option: minetest_port
        value: "{{ minetest_port }}"
      - option: minetest_world_dir
        value: "{{ minetest_world_dir }}"
- name: Add 'minetest' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: minetest
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Minetest Server
    - option: description
      value: '"Minetest is an open source clone of the Minecraft building blocks game."'
    - option: minetest_install
      value: "{{ minetest_install }}"
    - option: minetest_enabled
      value: "{{ minetest_enabled }}"
    - option: minetest_world_dir
      value: "{{ minetest_world_dir }}"
    - option: minetest_port
      value: "{{ minetest_port }}"
    - option: minetest_world_dir
      value: "{{ minetest_world_dir }}"
--- a/roles/mongodb/tasks/enable-or-disable.yml
+++ b/roles/mongodb/tasks/enable-or-disable.yml
@ -1,6 +1,7 @@
 - name: Enable & (Re)Start 'mongodb.service' if mongodb_enabled
  systemd:
    name: mongodb
    daemon_reload: yes
    enabled: yes
    state: restarted
  when: mongodb_enabled
--- a/roles/mongodb/tasks/install.yml
+++ b/roles/mongodb/tasks/install.yml
@ -10,7 +10,7 @@
 # being used on Raspbian, all I found! (Raspbian's apt pkg is MongoDB 2.4.14)
 #
 # mongodb_stretch_3_0_14_core.zip (20M) & mongodb_stretch_3_0_14_tools.zip (15M)
-# were backed up from andyfelong.com to http://download.iiab.io/packages/
+# were backed up from andyfelong.com to https://download.iiab.io/packages/
 #
 # CLARIF: mongodb_stretch_3_0_14_core.zip IS IN FACT 3.0.14 (core) BUT...
 #         mongodb_stretch_3_0_14_tools.zip IS REALLY 3.0.15 (tools)
@ -21,16 +21,16 @@
      path: /tmp/mongodb-3.0.1x
      state: directory
-  - name: Download & unzip 20MB http://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
+  - name: Download & unzip 20MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
    unarchive:
      remote_src: yes
-      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # http://download.iiab.io/packages
+      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # https://download.iiab.io/packages
      dest: /tmp/mongodb-3.0.1x
  - name: Install (move) its 3 CORE binaries from /tmp/mongodb-3.0.1x/core to /usr/bin (aarch32)
    shell: mv /tmp/mongodb-3.0.1x/core/* /usr/bin
-  - name: Download & unzip 15MB http://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
+  - name: Download & unzip 15MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
    unarchive:
      remote_src: yes
      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_tools.zip"
@ -85,11 +85,11 @@
  - name: Install mongodb-org's Debian buster source/repo (we only use x86_64 i.e. arm64) for MongoDB version {{ mongodb_64bit_version }}
    apt_repository:
-      # 2020-10-28 and 2022-06-09: http://repo.mongodb.org/apt/debian/dists/
+      # 2020-10-28 and 2022-06-09: https://repo.mongodb.org/apt/debian/dists/
      # supports only {Buster 10, Stretch 9, Jessie 8, Wheezy 7}.  So Bullseye
      # 11 and Bookworm 12 (testing branch) revert to buster for now:
-      repo: deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_64bit_version }} main
+      repo: deb https://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_64bit_version }} main
-      #repo: deb http://repo.mongodb.org/apt/debian {{ ansible_distribution_release }}/mongodb-org/4.4 main
+      #repo: deb https://repo.mongodb.org/apt/debian {{ ansible_distribution_release }}/mongodb-org/4.4 main
      state: present
      filename: mongodb-org
    when: is_debian and ansible_architecture == "x86_64"
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@ -44,29 +44,36 @@
 # ELSE...
 - name: Install MongoDB if 'mongodb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: mongodb_installed is undefined
  # when: mongodb_installed is undefined and not (ansible_architecture == "aarch64" and is_debian_10 and not is_raspbian)
 - block:
- name: Enable or Disable MongoDB, if mongodb_installed is defined (sugarizer.service auto-starts MongoDB as nec, so doesn't need this or care what happens here!)
+  - name: Install MongoDB if 'mongodb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
-  include_tasks: enable-or-disable.yml
+    include_tasks: install.yml
-  when: mongodb_installed is defined
+    when: mongodb_installed is undefined
    # when: mongodb_installed is undefined and not (ansible_architecture == "aarch64" and is_debian_10 and not is_raspbian)
  - name: Enable or Disable MongoDB (FYI sugarizer.service auto-starts MongoDB as nec, so doesn't need this or care what happens here!)
    include_tasks: enable-or-disable.yml
- name: Add 'mongodb' variable values to {{ iiab_ini_file }}
+  - name: Add 'mongodb' variable values to {{ iiab_ini_file }}
-  ini_file:
+    ini_file:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    section: mongodb
+      section: mongodb
-    option: "{{ item.option }}"
+      option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+      value: "{{ item.value | string }}"
-  with_items:
+    with_items:
-    - option: name
+      - option: name
-      value: MongoDB
+        value: MongoDB
-    - option: description
+      - option: description
-      value: '"MongoDB is an open-source document database that provides high performance, high availability, and automatic scaling."'
+        value: '"MongoDB is an open-source document database that provides high performance, high availability, and automatic scaling."'
-    - option: mongodb_install
+      - option: mongodb_install
-      value: "{{ mongodb_install }}"
+        value: "{{ mongodb_install }}"
-    - option: mongodb_enabled
+      - option: mongodb_enabled
-      value: "{{ mongodb_enabled }}"
+        value: "{{ mongodb_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/monit/tasks/main.yml
+++ b/roles/monit/tasks/main.yml
@ -19,43 +19,52 @@
    quiet: yes
-# 2019-07-06: The 'monit' package was suddenly removed from Debian 10.0.0
+- block:
 # "Buster" during the very final days prior to release, as confirmed by the
 # sudden disappearance of these 2 pages:
 #
 #   https://packages.debian.org/buster/monit
 #   https://packages.debian.org/source/buster/monit
 #
 # And yet Raspbian Buster (is_raspbian_10, which confusingly IIAB declares to
 # be is_debian_10 in vars/raspbian-10.yml for now!) still provides 'monit' via
 # apt -- so eliminating "Debian 10+" requires this funky conditional:
-# 2020-09-21: The 'monit' package appears to be returning to Debian 11, per:
+  # 2019-07-06: The 'monit' package was suddenly removed from Debian 10.0.0
-#
+  # "Buster" during the very final days prior to release, as confirmed by the
-#   https://packages.debian.org/bullseye/monit
+  # sudden disappearance of these 2 pages:
-#   https://packages.debian.org/source/bullseye/monit
+  #
-#
+  #   https://packages.debian.org/buster/monit
-# SEE iiab/iiab#1849 re: "Debian 10 Buster no longer includes Monit" etc.
+  #   https://packages.debian.org/source/buster/monit
  #
  # And yet Raspbian Buster (is_raspbian_10, which confusingly IIAB declares to
  # be is_debian_10 in vars/raspbian-10.yml for now!) still provides 'monit' via
  # apt -- so eliminating "Debian 10+" requires this funky conditional:
- name: Install Monit if 'monit_installed' not defined, e.g. in {{ iiab_state_file }} AND not Debian 10    # /etc/iiab/iiab_state.yml
+  # 2020-09-21: The 'monit' package appears to be returning to Debian 11, per:
-  include_tasks: install.yml
+  #
-  when: monit_installed is undefined and not (is_debian_10 and not is_raspbian)
+  #   https://packages.debian.org/bullseye/monit
-  #when: monit_installed is undefined and not ((is_debian and not is_raspbian) and (not is_debian_8) and (not is_debian_9))
+  #   https://packages.debian.org/source/bullseye/monit
  #
  # SEE iiab/iiab#1849 re: "Debian 10 Buster no longer includes Monit" etc.
  - name: Install Monit if 'monit_installed' not defined, e.g. in {{ iiab_state_file }} AND not Debian 10    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: monit_installed is undefined and not (is_debian_10 and not is_raspbian)
    #when: monit_installed is undefined and not ((is_debian and not is_raspbian) and (not is_debian_8) and (not is_debian_9))
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
- name: Add 'monit' variable values to {{ iiab_ini_file }}
+  - name: Add 'monit' variable values to {{ iiab_ini_file }}
-  ini_file:
+    ini_file:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    section: monit
+      section: monit
-    option: "{{ item.option }}"
+      option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+      value: "{{ item.value | string }}"
-  with_items:
+    with_items:
-    - option: name
+      - option: name
-      value: Monit
+        value: Monit
-    - option: description
+      - option: description
-      value: '"Monit is a background service monitor which can correct problems, send email, restart services."'
+        value: '"Monit is a background service monitor which can correct problems, send email, restart services."'
-    - option: enabled
+      - option: enabled
-      value: "{{ monit_enabled }}"
+        value: "{{ monit_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/monit/templates/monitrc.unused
+++ b/roles/monit/templates/monitrc.unused
@ -65,7 +65,7 @@ set daemon  300              # check services at 5-minute intervals
 #
 #
 ## Send status and events to M/Monit (for more informations about M/Monit 
-## see http://mmonit.com/). By default Monit registers credentials with 
+## see https://mmonit.com/). By default Monit registers credentials with 
 ## M/Monit so M/Monit can smoothly communicate back to Monit and you don't
 ## have to register Monit credentials manually in M/Monit. It is possible to
 ## disable credential registration using the commented out option below. 
--- a/roles/moodle/tasks/main.yml
+++ b/roles/moodle/tasks/main.yml
@ -19,28 +19,35 @@
    quiet: yes
- name: Install Moodle if 'moodle_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: moodle_installed is undefined
  - name: Install Moodle if 'moodle_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: moodle_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
  - name: Add 'moodle' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: moodle
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Moodle
      - option: description
        value: '"Access the Moodle learning management system."'
      - option: moodle_install
        value: "{{ moodle_install }}"
      - option: moodle_enabled
        value: "{{ moodle_enabled }}"
      - option: moodle_base
        value: "{{ moodle_base }}"
- name: Add 'moodle' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: moodle
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Moodle
    - option: description
      value: '"Access the Moodle learning management system."'
    - option: moodle_install
      value: "{{ moodle_install }}"
    - option: moodle_enabled
      value: "{{ moodle_enabled }}"
    - option: moodle_base
      value: "{{ moodle_base }}"
--- a/roles/mosquitto/README.rst
+++ b/roles/mosquitto/README.rst
@ -9,7 +9,7 @@ Roughly follows this guide: https://www.digitalocean.com/community/tutorials/how
 Using It
 --------
-Prior to installing IIAB, make sure your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ contains::
+Prior to installing IIAB, make sure your `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_ contains::
  mosquitto_install: True
  mosquitto_enabled: True
--- a/roles/mosquitto/tasks/main.yml
+++ b/roles/mosquitto/tasks/main.yml
@ -19,26 +19,33 @@
    quiet: yes
- name: Install Mosquitto if 'mosquitto_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: mosquitto_installed is undefined
  - name: Install Mosquitto if 'mosquitto_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: mosquitto_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
  - name: Add 'mosquitto' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: mosquitto
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Mosquitto service
      - option: description
        value: '"Mosquitto (uses the MQTT protocol) is a pub-sub broker for electronics projects and educational Internet of Things (IoT) experiments.  It''s designed for TCP/IP with remote locations where a ''small code footprint'' is required or bandwidth is limited.  See also: Node-RED"'
      - option: mosquitto_install
        value: "{{ mosquitto_install }}"
      - option: mosquitto_enabled
        value: "{{ mosquitto_enabled }}"
- name: Add 'mosquitto' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: mosquitto
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Mosquitto service
    - option: description
      value: '"Mosquitto (uses the MQTT protocol) is a pub-sub broker for electronics projects and educational Internet of Things (IoT) experiments.  It''s designed for TCP/IP with remote locations where a ''small code footprint'' is required or bandwidth is limited.  See also: Node-RED"'
    - option: mosquitto_install
      value: "{{ mosquitto_install }}"
    - option: mosquitto_enabled
      value: "{{ mosquitto_enabled }}"
--- a/roles/munin/tasks/enable-or-disable.yml
+++ b/roles/munin/tasks/enable-or-disable.yml
@ -1,3 +1,19 @@
 - name: Enable & Start 'munin-node' systemd service
  systemd:
    name: munin-node
    daemon_reload: yes
    enabled: yes
    state: started
  when: munin_enabled
 - name: Disable & Stop 'munin-node' systemd service
  systemd:
    name: munin-node
    enabled: no
    state: stopped
  when: not munin_enabled
 - name: Enable http://box/munin via NGINX, by installing {{ nginx_conf_dir }}/munin24-nginx.conf from template
  template:
    src: munin24-nginx.conf.j2
--- a/roles/munin/tasks/main.yml
+++ b/roles/munin/tasks/main.yml
@ -19,42 +19,33 @@
    quiet: yes
- name: Install Munin if 'munin_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: munin_installed is undefined
  - name: Install Munin if 'munin_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: munin_installed is undefined
- name: Enable & Start 'munin-node' systemd service
+  - include_tasks: enable-or-disable.yml
  systemd:
    name: munin-node
    daemon_reload: yes
    enabled: yes
    state: started
  when: munin_enabled
- name: Disable & Stop 'munin-node' systemd service
+  - name: Add 'munin' variable values to {{ iiab_ini_file }}
-  systemd:
+    ini_file:
-    name: munin-node
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    enabled: no
+      section: munin
-    state: stopped
+      option: "{{ item.option }}"
-  when: not munin_enabled
+      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Munin
      - option: description
        value: '"Munin is a networked resource monitoring tool that can help analyze resource trends and ''what just happened to kill our performance?'' problems."'
      - option: munin_install
        value: "{{ munin_install }}"
      - option: munin_enabled
        value: "{{ munin_enabled }}"
- name: Enable/Disable/Restart NGINX
+  rescue:
  include_tasks: nginx.yml
-
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
- name: Add 'munin' variable values to {{ iiab_ini_file }}
+    fail:
-  ini_file:
+      msg: ""
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    when: not skip_role_on_error
    section: munin
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: name
      value: Munin
    - option: description
      value: '"Munin is a networked resource monitoring tool that can help analyze resource trends and ''what just happened to kill our performance?'' problems."'
    - option: munin_install
      value: "{{ munin_install }}"
    - option: munin_enabled
      value: "{{ munin_enabled }}"
--- a/roles/network/README.rst
+++ b/roles/network/README.rst
@ -2,7 +2,7 @@
 Network README
 ==============
-This is run by `Ansible <http://wiki.laptop.org/go/IIAB/FAQ#What_is_Ansible_and_what_version_should_I_use.3F>`_ after it has installed the core (`Stages 0-to-9 <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_) of `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org>`_ and its apps/services.
+This is run by `Ansible <https://wiki.iiab.io/go/FAQ#What_is_Ansible_and_what_version_should_I_use%3F>`_ after it has installed the core (`Stages 0-to-9 <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_) of `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org>`_ and its apps/services.
 Specifically, this 'network' role is run...
--- a/roles/network/defaults/main.yml
+++ b/roles/network/defaults/main.yml
@ -27,6 +27,7 @@
 # hostapd_enabled: True
 # Above set in /opt/iiab/iiab/vars/default_vars.yml
 hostapd_wait: 10
 host_wireless_n: False
 driver_name: nl80211
@ -63,7 +64,8 @@ can_be_ap: False
 exclude_devices: none
 device_gw: none
 prior_gw_device: unset
-
+# 2022-06-29: Legacy vars no longer used by roles/0-init
 discovered_wan_iface: none      # 2021-07-30: Very broadly used!
 iiab_wan_iface: none
 iiab_lan_iface: none
 discovered_lan_iface: none
--- a/roles/network/tasks/computed_network.yml
+++ b/roles/network/tasks/computed_network.yml
@ -172,3 +172,5 @@
      value: "{{ iiab_lan_iface }}"
    - option: iiab_network_mode
      value: "{{ iiab_network_mode }}"
    - option: network_enabled
      value: "{{ network_enabled }}"
--- a/roles/network/tasks/detected_network.yml
+++ b/roles/network/tasks/detected_network.yml
@ -1,3 +1,13 @@
 # Similar code block in roles/vnstat/tasks/install.yml
 - name: Do we have a gateway? If 'ip route' specifies a default route, Ansible parses details here...
  debug:
    var: ansible_default_ipv4
 - name: "If above ansible_default_ipv4.gateway is defined, set WAN candidate 'discovered_wan_iface: {{ ansible_default_ipv4.alias }}' -- using ansible_default_ipv4.alias"
  set_fact:
    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
  when: ansible_default_ipv4.gateway is defined
 # so this works
 - name: Interface count
  shell: ls /sys/class/net | grep -v {{ virtual_network_devices }} | wc | awk '{print $1}'
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
@ -32,8 +32,8 @@
    # mode: "{{ item.mode }}"
  with_items:
   - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf' }
-   - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/' }
+   - { src: 'named/school.local.zone.db.j2', dest: '/var/named-iiab/school.local.zone.db' }
-   - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/' }
+   - { src: 'named/school.internal.zone.db.j2', dest: '/var/named-iiab/school.internal.zone.db' }
  when: named_install and named_enabled
 - name: Enable named service ({{ dns_service }}) if named_enabled
--- a/roles/network/tasks/hostapd.yml
+++ b/roles/network/tasks/hostapd.yml
@ -50,21 +50,8 @@
    mode: 0644
  when: not wifi_up_down and can_be_ap
- name: Create /usr/bin/iiab-hotspot-on from template
+# 2022-07-11: Install of iiab-hotspot-on|off moved to network/tasks/main.yml
-  template:
+# as required for Admin Console
    src: hostapd/iiab-hotspot-on
    dest: /usr/bin/iiab-hotspot-on
    owner: root
    group: root
    mode: 0755
 - name: Create /usr/bin/iiab-hotspot-off from template
  template:
    src: hostapd/iiab-hotspot-off
    dest: /usr/bin/iiab-hotspot-off
    owner: root
    group: root
    mode: 0755
 - name: Create dhcpcd hook for hostapd and ap0 when wifi_up_down True
  template:
--- a/roles/2-common/tasks/network.yml
+++ b/roles/2-common/tasks/network.yml
@ -1,6 +1,9 @@
 # 2022-03-16: 'apt show <pkg> | grep Size' revealed download sizes, on 64-bit RasPiOS with desktop.
- name: Install package networkd-dispatcher (OS's other than RaspiOS)
+- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
  include_tasks: roles/network/tasks/dnsmasq.yml
 - name: Install package networkd-dispatcher (OS's other than RasPiOS)
  package:
    name: networkd-dispatcher    # 15kB download: Dispatcher service for systemd-networkd connection status changes
    state: present
@ -16,19 +19,19 @@
 # total download size) and they can help IIAB field operators with BOTH
 # (1) internal WiFi AND (2) USB WiFi devices inserted anytime/later.
- name: 'Install 11 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, rfkill, wpasupplicant, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
+- name: 'Install 11 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, rfkill, wireless-tools, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
  package:
    name:
-      - avahi-daemon           #   97kB download: RaspiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
+      - avahi-daemon           #   97kB download: RasPiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
      #- avahi-discover        #   46kB download: 2021-07-27: Commented out long ago
      - hostapd                #  764kB download: IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
      #- inetutils-syslogd     #  240kB download: 2021-07-27: Error logging facility -- holdover from the XO days, journalctl has replaced this in newer distros
-      - iproute2               #  902kB download: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
+      - iproute2               #  902kB download: RasPiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
      - iptables-persistent    #   12kB download: Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!
      - iw                     #   97kB download: RasPiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/iiab-clone-wifi.service.j2
-      - libnss-mdns            #   27kB download: RaspiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
+      - libnss-mdns            #   27kB download: RasPiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
      - netmask                #   25kB download: Handy utility -- helps determine network masks
-      - net-tools              #  248kB download: RaspiOS installs this regardless -- @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
+      - net-tools              #  248kB download: RasPiOS installs this regardless -- @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
      - rfkill                 #   87kB download: RasPiOS installs this regardless -- enable & disable wireless devices
      - wireless-tools         #  112kB download: RasPiOS installs this regardless -- manipulate Linux Wireless Extensions
      - wpasupplicant          # 1188kB download: RasPiOS installs this regardless -- client library for connections to a WiFi AP
@ -44,7 +47,7 @@
 # Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
+- name: "4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
    name: "{{ item.name }}"
    value: "{{ item.value }}"
@ -52,10 +55,34 @@
    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
    - { name: 'kernel.core_uses_pid', value: '1' }
    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
 # UNMAINTAINED
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
  when: named_install is defined and named_install
 # UNMAINTAINED
 - name: Install dhcpd
  include_tasks: roles/network/tasks/dhcpd.yml
  when: dhcpd_install is defined and dhcpd_install
 # LESS MAINTAINED
 - name: Install Squid
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install and squid_installed is undefined
 - name: "Set 'network_installed: True'"
  set_fact:
    network_installed: True
 - name: "Add 'network_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^network_installed'
    line: 'network_installed: True'
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@ -21,59 +21,83 @@
 - name: computed_network
  include_tasks: computed_network.yml
-# - name: Configure wondershaper
+- name: Install network packages (including many WiFi tools, and also iptables-persistent for firewall)
-#   include_tasks: wondershaper.yml
+  include_tasks: install.yml
-#   when: wondershaper_install or wondershaper_installed is defined
+  when: network_install and network_installed is undefined
- name: (Re)Install named
+- name: Create /usr/bin/iiab-hotspot-on from template
-  include_tasks: named.yml
+  template:
-  when: named_install and FQDN_changed and iiab_stage|int == 9
+    src: hostapd/iiab-hotspot-on
    dest: /usr/bin/iiab-hotspot-on
    owner: root
    group: root
    mode: 0755
- name: (Re)Install dhcpd
+- name: Create /usr/bin/iiab-hotspot-off from template
-  include_tasks: dhcpd.yml
+  template:
-  when: dhcpd_install and FQDN_changed and iiab_stage|int == 9
+    src: hostapd/iiab-hotspot-off
    dest: /usr/bin/iiab-hotspot-off
    owner: root
    group: root
    mode: 0755
- name: (Re)Install Squid
+- name: Configuring Network if enabled
-  include_tasks: squid.yml
+  block:
-  when: squid_install and FQDN_changed and iiab_stage|int == 9
+  # - name: Configure wondershaper
  #   include_tasks: wondershaper.yml
  #   when: wondershaper_install or wondershaper_installed is defined
-#preprep for backends
+  - name: (Re)Install named
- name: Netplan in use on Ubuntu 18.04+
+    include_tasks: named.yml
-  include_tasks: netplan.yml
+    when: named_install and FQDN_changed and iiab_stage|int == 9
  when: is_ubuntu and not is_ubuntu_16
-#### Start services
+  - name: (Re)Install dhcpd
- name: avahi
+    include_tasks: dhcpd.yml
-  include_tasks: avahi.yml
+    when: dhcpd_install and FQDN_changed and iiab_stage|int == 9
 - name: hostapd
  include_tasks: hostapd.yml
 - name: computed_services
  include_tasks: computed_services.yml
 - name: enable_services
  include_tasks: enable_services.yml
 #### End services
-#### Start network layout
+  - name: (Re)Install Squid
-#- name: Redhat networking
+    include_tasks: squid.yml
-#  include_tasks: ifcfg_mods.yml
+    when: squid_install and FQDN_changed and iiab_stage|int == 9
 #  when: is_redhat
- name: NetworkManager in use
+  #preprep for backends
-  include_tasks: NM-debian.yml
+  - name: Netplan in use on Ubuntu 18.04+
-  when: is_debuntu and network_manager_active
+    include_tasks: netplan.yml
    when: is_ubuntu and not is_ubuntu_16
- name: systemd-networkd in use
+  #### Start services
-  include_tasks: sysd-netd-debian.yml
+  - name: avahi
-  when: is_debuntu and systemd_networkd_active
+    include_tasks: avahi.yml
  - name: hostapd
    include_tasks: hostapd.yml
  - name: computed_services
    include_tasks: computed_services.yml
  - name: enable_services
    include_tasks: enable_services.yml
  #### End services
- name: Raspbian uses dhcpcd only with no N-M or SYS-NETD active
+  #### Start network layout
-  include_tasks: rpi_debian.yml
+  #- name: Redhat networking
-  when: is_raspbian
+  #  include_tasks: ifcfg_mods.yml
  #  when: is_redhat
- name: Not RPi, Not NetworkManager, Not systemd-networkd in use
+  - name: NetworkManager in use
-  include_tasks: debian.yml
+    include_tasks: NM-debian.yml
-  when: (not is_raspbian and not network_manager_active and not systemd_networkd_active and is_debuntu) or is_ubuntu_16
+    when: is_debuntu and network_manager_active
 #### end network layout
- name: Restart services
+  - name: systemd-networkd in use
-  include_tasks: restart.yml
+    include_tasks: sysd-netd-debian.yml
    when: is_debuntu and systemd_networkd_active
  - name: Raspbian uses dhcpcd only with no N-M or SYS-NETD active
    include_tasks: rpi_debian.yml
    when: is_raspbian
  - name: Not RPi, Not NetworkManager, Not systemd-networkd in use
    include_tasks: debian.yml
    when: (not is_raspbian and not network_manager_active and not systemd_networkd_active and is_debuntu) or is_ubuntu_16
  #### end network layout
  - name: Restart services
    include_tasks: restart.yml
  # end block
  when: network_installed is defined and network_enabled
--- a/roles/network/tasks/named.yml
+++ b/roles/network/tasks/named.yml
@ -58,8 +58,8 @@
    - { src: 'roles/network/templates/named/school.internal.zone.32.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.32.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
    - { src: 'roles/network/templates/named/school.internal.zone.48.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.48.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
 # the following two files are not writeable by named, but bind 9.4 cannot discover that fact correctly
-    - { src: 'roles/network/templates/named/school.internal.zone.db', dest: '/var/named-iiab/school.internal.zone.db', owner: "root", mode: '0644' }
+    - { src: 'roles/network/templates/named/school.internal.zone.db.j2', dest: '/var/named-iiab/school.internal.zone.db', owner: "root", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.local.zone.db', dest: '/var/named-iiab/school.local.zone.db', owner: "root", mode: '0644' }
+    - { src: 'roles/network/templates/named/school.local.zone.db.j2', dest: '/var/named-iiab/school.local.zone.db', owner: "root", mode: '0644' }
    - { src: 'roles/network/templates/named/school.internal.zone.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
    - { src: 'roles/network/templates/named/dummy', dest: '/var/named-iiab/data/dummy', owner: "{{ dns_user }}", mode: '0644' }
    - { src: 'roles/network/templates/named/named.blackhole', dest: '/var/named-iiab/named.blackhole', owner: "{{ dns_user }}", mode: '0644' }
--- a/roles/network/tasks/netplan.yml
+++ b/roles/network/tasks/netplan.yml
@ -59,14 +59,22 @@
  with_items:
    - "{{ netplan.stdout_lines }}"
- name: Replace networkd-dispatcher #2585 for "groovy"
+# 2022-06-30: Ubuntu Groovy (20.10) is ancient history but this code might now
-  get_url:
+# help Linux Mint ?
-    url: https://gitlab.com/craftyguy/networkd-dispatcher/-/raw/2.1/networkd-dispatcher
+#
-    dest: /usr/bin/networkd-dispatcher
+# 2022-05-29: @jvonau wrote on #3106 "networkd-dispatcher has a traceback,
-    timeout: "{{ download_timeout }}"
+# I suspect the cause is the same as found #2645, need to confirm the package
-  when: internet_available and fix_dispatcher and ansible_distribution_release == "groovy"
+# version installed with apt list networkd-dispatcher before suggesting the
-  # 2021-08-29 context from @jvonau: Fix is 'Groovy' specific, 21.04 and later
+# workaround be extended to LinuxMint"
-  # should have the fix baked into a newer apt package installed by default.
+#
 # - name: Replace networkd-dispatcher #2585 for "groovy"
 #   get_url:
 #     url: https://gitlab.com/craftyguy/networkd-dispatcher/-/raw/2.1/networkd-dispatcher
 #     dest: /usr/bin/networkd-dispatcher
 #     timeout: "{{ download_timeout }}"
 #   when: iiab_stage|int < 9 and fix_dispatcher and ansible_distribution_release == "groovy"
 #   # 2021-08-29 context from @jvonau: Fix is 'Groovy' specific, 21.04 and later
 #   # should have the fix baked into a newer apt package installed by default.
 #- name: Supply netplan template
 #  template:
--- a/roles/network/templates/dhcp/dhcpd-iiab.conf.j2
+++ b/roles/network/templates/dhcp/dhcpd-iiab.conf.j2
@ -5,27 +5,44 @@ ddns-update-style interim;
 #ignore client-updates;
 option domain-name "{{ iiab_domain }}";
-option domain-name-servers      172.18.96.1;
+option domain-name-servers      {{ lan_ip }};
-option ntp-servers		172.18.96.1;
+option ntp-servers              {{ lan_ip }};
 {% if network_172 %}
 subnet 172.18.96.0 netmask 255.255.224.0 {
-	{% if iiab_network_mode == "Gateway" %}
+    {% if iiab_network_mode == "Gateway" %}
-	option routers			172.18.96.1;
+    option routers               {{ lan_ip }};
-	{% endif %}
+    {% endif %}
-	option subnet-mask		255.255.224.0;
+    option subnet-mask           255.255.224.0;
-	option broadcast-address	172.18.127.255;
+    option broadcast-address     172.18.127.255;
-	# this is the whole range we have available - 8K addresses
+    # Description of network allocations in old OLPC school server
-	# range                           172.18.96.2 172.18.127.254;
+    # this is the whole range we have available - 8K addresses
-	# instead, we'll save 510 addresses for later. 
+    # range                      172.18.96.2 172.18.127.254;
-	range                           172.18.96.2 172.18.125.254;
+    # instead, we'll save 510 addresses for later.
-	# the other /24s:
+    range                        172.18.96.2 172.18.125.254;
-	# -> 172.18.126.0/24 for static IP addresses
+    # the other /24s:
-	#    for printers, AP management consoles, etc.
+    # -> 172.18.126.0/24 for static IP addresses
-	# -> 172.18.127.0/24 for temporary addresses for 
+    #    for printers, AP management consoles, etc.
-	#    XO activation
+    # -> 172.18.127.0/24 for temporary addresses for
-	
+    #    XO activation
-        # As this subnet is wired or wifi a/b/g, these lease 
+
-	#    times are on the long side
+    # As this subnet is wired or wifi a/b/g, these lease
-	default-lease-time 	10800;
+    #    times are on the long side
-	max-lease-time 		21600;
+    default-lease-time      10800;
    max-lease-time          21600;
 }
 {% else %}
 subnet 10.10.10.0 netmask 255.255.255.0 {
    {% if iiab_network_mode == "Gateway" %}
    option routers               {{ lan_ip }};
    {% endif %}
    option subnet-mask           255.255.255.0;
    option broadcast-address     10.10.10.255;
    range                        10.10.10.11 10.10.10.254;
    # As this subnet is wired or wifi a/b/g, these lease
    #    times are on the long side
    default-lease-time      10800;
    max-lease-time          21600;
 }
 {% endif %}
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@ -64,7 +64,7 @@ echo "iiab_gateway_enabled: $iiab_gateway_enabled"
 echo
 #network_mode=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'`
 #echo -e "Network Mode: $network_mode\n"
-lan_ip=$(iiab_var_value lan_ip)    # 172.18.96.1
+lan_ip=$(iiab_var_value lan_ip)    # e.g. 10.10.10.10
 ports_externally_visible=$(iiab_var_value ports_externally_visible)
 gw_block_https=$(iiab_var_value gw_block_https)
--- a/roles/network/templates/named/school.internal.zone.db
+++ b/roles/network/templates/named/school.internal.zone.db
@ -1,27 +0,0 @@
@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.
 {{ iiab_hostname }}	IN	A	172.18.96.1
 schoolserver	IN	A	172.18.96.1
 school		IN	A	172.18.96.1
 www		IN	A	172.18.96.1
 ntp		IN	A	172.18.96.1
 time		IN	A	172.18.96.1
 presence	IN	A	172.18.96.1
 xs		IN	A	172.18.96.1
 library		IN	A	172.18.96.1
 box		IN	A	172.18.96.1
 conference.schoolserver	IN	A	172.18.96.1
 ; translations of school - in plain latin script
 ; or un punycode of the utf-8 representation
 ; es - escuela
 escuela         IN      CNAME       school
 ; de - schule
 schule          IN      CNAME       school
--- a/roles/network/templates/named/school.internal.zone.db.j2
+++ b/roles/network/templates/named/school.internal.zone.db.j2
@ -0,0 +1,27 @@
@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.
 {{ iiab_hostname }}	IN	A	{{ lan_ip }}
 schoolserver	IN	A	{{ lan_ip }}
 school		IN	A	{{ lan_ip }}
 www		IN	A	{{ lan_ip }}
 ntp		IN	A	{{ lan_ip }}
 time		IN	A	{{ lan_ip }}
 presence	IN	A	{{ lan_ip }}
 xs		IN	A	{{ lan_ip }}
 library		IN	A	{{ lan_ip }}
 box		IN	A	{{ lan_ip }}
 conference.schoolserver	IN	A	{{ lan_ip }}
 ; translations of school - in plain latin script
 ; or un punycode of the utf-8 representation
 ; es - escuela
 escuela         IN      CNAME       school
 ; de - schule
 schule          IN      CNAME       school
--- a/roles/network/templates/named/school.local.zone.db.j2
+++ b/roles/network/templates/named/school.local.zone.db.j2
@ -3,18 +3,18 @@
@ in soa localhost. root 1 3H 15M 1W 1D
  ns localhost.
-{{ iiab_hostname }}	IN	A	172.18.96.1
+{{ iiab_hostname }}	IN	A	{{ lan_ip }}
-schoolserver	IN	A	172.18.96.1
+schoolserver	IN	A	{{ lan_ip }}
-school		IN	A	172.18.96.1
+school		IN	A	{{ lan_ip }}
-www		IN	A	172.18.96.1
+www		IN	A	{{ lan_ip }}
-ntp		IN	A	172.18.96.1
+ntp		IN	A	{{ lan_ip }}
-time		IN	A	172.18.96.1
+time		IN	A	{{ lan_ip }}
-presence	IN	A	172.18.96.1
+presence	IN	A	{{ lan_ip }}
-xs		IN	A	172.18.96.1
+xs		IN	A	{{ lan_ip }}
-library		IN	A	172.18.96.1
+library		IN	A	{{ lan_ip }}
-box		IN	A	172.18.96.1
+box		IN	A	{{ lan_ip }}
-conference.schoolserver	IN	A	172.18.96.1
+conference.schoolserver	IN	A	{{ lan_ip }}
 ; translations of school - in plain latin script
--- a/roles/network/templates/network/bridge-br0
+++ b/roles/network/templates/network/bridge-br0
@ -6,7 +6,11 @@ interface-name=br0
 permissions=
 [ipv4]
 {% if network_172 %}
 address1={{ lan_ip }}/19
 {% else %}
 address1={{ lan_ip }}/24
 {% endif %}
 dns-search={{ iiab_domain }}
 method=manual
--- a/roles/network/templates/network/dhcpcd.conf.j2
+++ b/roles/network/templates/network/dhcpcd.conf.j2
@ -58,7 +58,11 @@ denyinterfaces {{ iiab_wired_lan_iface }}
 {% if dhcpcd_result == "enabled" and iiab_lan_iface != "none" %}
 interface {{ iiab_lan_iface }}
 {% if network_172 %}
 static ip_address={{ lan_ip }}/19
 {% else %}
 static ip_address={{ lan_ip }}/24
 {% endif %}
 static domain_name_servers=127.0.0.1
 {% endif %}
--- a/roles/network/templates/network/dnsmasq.conf.j2
+++ b/roles/network/templates/network/dnsmasq.conf.j2
@ -18,7 +18,12 @@ addn-hosts=/etc/hosts.dnsmasq
 expand-hosts
 # Specify the range of IP addresses the DHCP server will lease out to devices, and the duration of the lease
 {% if network_172 %}
 dhcp-range=172.18.100.1,172.18.126.254,1h
 {% else %}
 dhcp-range=10.10.10.11,10.10.10.254,1h
 {% endif %}
 # Specify the default route
 dhcp-option=3,{{ lan_ip }}
 # Specify the DNS server address
--- a/roles/network/templates/network/systemd-br0-network.j2
+++ b/roles/network/templates/network/systemd-br0-network.j2
@ -3,7 +3,11 @@
 Name=br0
 [Network]
 {% if network_172 %}
 Address={{ lan_ip }}/19
 {% else %}
 Address={{ lan_ip }}/24
 {% endif %}
 LinkLocalAddressing=no
 ConfigureWithoutCarrier=yes
 RequiredForOnline=degraded-carrier
--- a/roles/nextcloud/README.md
+++ b/roles/nextcloud/README.md
@ -1,6 +1,6 @@
 # Nextcloud README
-Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org).
+Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](https://internet-in-a-box.org).
 This Ansible playbook was derived from an earlier ownCloud playbook thanks to [Josh Dennis](https://github.com/floydianslips) in 2016/2017.
@ -43,7 +43,7 @@ Useful PHP recommendations for these settings (while largely tailored to WordPre
 ## Using It
-Log in to Nextcloud at http://box/nextcloud, http://box.lan/nextcloud, http://172.18.96.1/nextcloud (or similar) using:
+Log in to Nextcloud at http://box/nextcloud, http://box.lan/nextcloud, http://10.10.10.10/nextcloud (or similar) using:
    Username: Admin
    Password: changeme
--- a/roles/nextcloud/defaults/main.yml
+++ b/roles/nextcloud/defaults/main.yml
@ -14,7 +14,7 @@
 # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
 # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
 # The following line can avoid that: (but might install an older Nextcloud!)
-# nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
+# nextcloud_dl_url: https://d.iiab.io/packages/latest.tar.bz2
 nextcloud_dl_url: https://download.nextcloud.com/server/releases/latest.tar.bz2
 nextcloud_url: /nextcloud
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -19,37 +19,44 @@
    quiet: yes
- name: Install Nextcloud if 'nextcloud_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: nextcloud_installed is undefined
  - name: Install Nextcloud if 'nextcloud_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: nextcloud_installed is undefined
- name: Enable/Disable/Restart NGINX
+  - name: Enable/Disable/Restart NGINX
-  include_tasks: nginx.yml
+    include_tasks: nginx.yml
  - name: Add 'nextcloud' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: Nextcloud
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Nextcloud
      - option: description
        value: '"Nextcloud is a local server-based facility for sharing files, photos, contacts, calendars, etc."'
      - option: nextcloud_install
        value: "{{ nextcloud_install }}"
      - option: nextcloud_enabled
        value: "{{ nextcloud_enabled }}"
      - option: nextcloud_dl_url
        value: "{{ nextcloud_dl_url }}"
      - option: nextcloud_url
        value: "{{ nextcloud_url }}"
      - option: nextcloud_base_dir
        value: "{{ nextcloud_base_dir }}"
      - option: nextcloud_root_dir
        value: "{{ nextcloud_root_dir }}"
      - option: nextcloud_data_dir
        value: "{{ nextcloud_data_dir }}"
- name: Add 'nextcloud' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: Nextcloud
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Nextcloud
    - option: description
      value: '"Nextcloud is a local server-based facility for sharing files, photos, contacts, calendars, etc."'
    - option: nextcloud_install
      value: "{{ nextcloud_install }}"
    - option: nextcloud_enabled
      value: "{{ nextcloud_enabled }}"
    - option: nextcloud_dl_url
      value: "{{ nextcloud_dl_url }}"
    - option: nextcloud_url
      value: "{{ nextcloud_url }}"
    - option: nextcloud_base_dir
      value: "{{ nextcloud_base_dir }}"
    - option: nextcloud_root_dir
      value: "{{ nextcloud_root_dir }}"
    - option: nextcloud_data_dir
      value: "{{ nextcloud_data_dir }}"
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -35,7 +35,7 @@
      * usb_lib
      * wordpress
-   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
+   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
      * **NONE: Apache support is now fully REMOVED as of 2021-08-08** ([PR #2850](https://github.com/iiab/iiab/pull/2850))
--- a/roles/nodejs/tasks/main.yml
+++ b/roles/nodejs/tasks/main.yml
@ -35,23 +35,31 @@
    var: nodejs_installed
- name: Install Node.js if 'nodejs_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: nodejs_installed is undefined
  - name: Install Node.js if 'nodejs_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: nodejs_installed is undefined
- name: Add 'nodejs' variable values to {{ iiab_ini_file }}
+  - name: Add 'nodejs' variable values to {{ iiab_ini_file }}
-  ini_file:
+    ini_file:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    section: nodejs
+      section: nodejs
-    option: "{{ item.option }}"
+      option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+      value: "{{ item.value | string }}"
-  with_items:
+    with_items:
-    - option: name
+      - option: name
-      value: Node.js
+        value: Node.js
-    - option: description
+      - option: description
-      value: '"Node.js is a JavaScript runtime environment built on Chrome''s V8 JavaScript engine, that executes JavaScript code outside of a browser."'
+        value: '"Node.js is a JavaScript runtime environment built on Chrome''s V8 JavaScript engine, that executes JavaScript code outside of a browser."'
-    - option: nodejs_install
+      - option: nodejs_install
-      value: "{{ nodejs_install }}"
+        value: "{{ nodejs_install }}"
-    - option: nodejs_enabled
+      - option: nodejs_enabled
-      value: "{{ nodejs_enabled }}"
+        value: "{{ nodejs_enabled }}"
  rescue:
  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
    fail:
      msg: ""
    when: not skip_role_on_error
--- a/roles/nodered/tasks/main.yml
+++ b/roles/nodered/tasks/main.yml
@ -19,26 +19,33 @@
    quiet: yes
- name: Install Node-RED if nodered_installed is not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- block:
  include_tasks: install.yml
  when: nodered_installed is undefined
  - name: Install Node-RED if nodered_installed is not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: nodered_installed is undefined
- include_tasks: enable-or-disable.yml
+  - include_tasks: enable-or-disable.yml
  - name: Add 'nodered' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: nodered
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: Node-RED
      - option: description
        value: '"Node-RED is a flow-based development tool for visual programming developed originally by IBM for wiring together hardware devices, APIs and online services as part of the Internet of Things.  Node-RED provides a web browser-based flow editor, which can be used to create JavaScript functions."'
      - option: nodered_install
        value: "{{ nodered_install }}"
      - option: nodered_enabled
        value: "{{ nodered_enabled }}"
- name: Add 'nodered' variable values to {{ iiab_ini_file }}
+  rescue:
-  ini_file:
+
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
-    section: nodered
+    fail:
-    option: "{{ item.option }}"
+      msg: ""
-    value: "{{ item.value | string }}"
+    when: not skip_role_on_error
  with_items:
    - option: name
      value: Node-RED
    - option: description
      value: '"Node-RED is a flow-based development tool for visual programming developed originally by IBM for wiring together hardware devices, APIs and online services as part of the Internet of Things.  Node-RED provides a web browser-based flow editor, which can be used to create JavaScript functions."'
    - option: nodered_install
      value: "{{ nodered_install }}"
    - option: nodered_enabled
      value: "{{ nodered_enabled }}"
--- a/roles/osm-vector-maps/defaults/main.yml
+++ b/roles/osm-vector-maps/defaults/main.yml
@ -15,8 +15,8 @@ maps_branch: master    # Quotes not required
 #maps_branch: maps7.3
 # 2022-04-30 -- Bluehost (timmoody.com) has become extremely slow!
-#map_installer_url: http://timmoody.com/iiab-files/maps
+#map_installer_url: https://timmoody.com/iiab-files/maps
-map_installer_url: http://download.iiab.io/content/OSM/vector-tiles
+map_installer_url: https://download.iiab.io/content/OSM/vector-tiles
 installer_planet: planet_z0-z6_2020.mbtiles
 installer_satellite: satellite_z0-z6_2020.mbtiles
@ -29,4 +29,4 @@ archive_org_url: https://archive.org/download
 # 2022-04-30 -- Unused, but URL illustrates legacy approach:
-#iiab_map_url: http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
+#iiab_map_url: https://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
--- a/roles/osm-vector-maps/tasks/install.yml
+++ b/roles/osm-vector-maps/tasks/install.yml
@ -79,7 +79,7 @@
 - name: Download 48MB {{ map_installer_url }}/{{ installer_planet }} to {{ vector_map_path }}/installer/ -- for map installer
  get_url:
-    url: "{{ map_installer_url }}/{{ installer_planet }}"    # e.g. http://download.iiab.io/content/OSM/vector-tiles + / + planet_z0-z6_2020.mbtiles
+    url: "{{ map_installer_url }}/{{ installer_planet }}"    # e.g. https://download.iiab.io/content/OSM/vector-tiles + / + planet_z0-z6_2020.mbtiles
    dest: "{{ vector_map_path }}/installer/"
    timeout: "{{ download_timeout }}"
--- a/Show more
+++ b/Show more
`@ -54,4 +54,4 @@ Install our latest pre-release using the 1-line installer at: [**download.iiab.i`

	`You can also consider <!--latest Internet-in-a-Box (IIAB)--> earlier official releases at: [github.com/iiab/iiab/releases](https://github.com/iiab/iiab/releases)`	`You can also consider <!--latest Internet-in-a-Box (IIAB)--> earlier official releases at: [github.com/iiab/iiab/releases](https://github.com/iiab/iiab/releases)`

	`For much older versions, see: [github.com/xsce](http://github.com/xsce), [schoolserver.org](http://schoolserver.org)`	`For much older versions, see: [github.com/xsce](https://github.com/xsce), [schoolserver.org](http://schoolserver.org)`
`@ -1,4 +1,4 @@`
	`_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](http://wiki.laptop.org/go/IIAB/FAQ#Captive_Portal_Administration:_What_tips_.26_tricks_exist.3F)_`	`_Please Also See: http://FAQ.IIAB.IO > ["Captive Portal Administration: What tips & tricks exist?"](https://wiki.iiab.io/go/FAQ#Captive_Portal_Administration:_What_tips_&_tricks_exist%3F)_`

	`## Theory of Operation`	`## Theory of Operation`
`@ -74,4 +74,4 @@ _WARNING: If on login users see "500 : Internal Server Error", you may need to r`

	`While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.`	`While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.`

	`He explains PAWS as a "powerful Python execution environment http://paws.wmcloud.org [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."`	`He explains PAWS as a "powerful Python execution environment https://paws.wmcloud.org = https://wikitech.wikimedia.org/wiki/PAWS [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."`