Merge pull request #436 from iiab/master

Sync from iiab/iiab:master
2025-02-15 04:32:11 +00:00 · 2020-10-14 17:50:13 -07:00 · 2020-10-14 17:50:13 -07:00 · 21465ac3bb
commit 21465ac3bb
parent 797873b885 808d8d362c
15 changed files with 126 additions and 253 deletions
--- a/CONTRIBUTING.deprecated.md
+++ b/CONTRIBUTING.deprecated.md
@ -1,167 +0,0 @@
 # SEE THE NEW<br>[github.com/iiab/iiab/wiki/IIAB-Contributors-Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide)
 # THANKS! EVERYTHING BELOW IS DEPRECATED.
 Contributing to Internet-in-a-Box (IIAB)
 =======================================
 Internet-in-a-Box runs on various GNU/Linux operating systems such as Raspbian, Ubuntu, Debian, CentOS and Fedora.
 You can install Internet-in-a-Box on x86_64 PCs/laptops and Raspberry Pi 3 (or 3 B+).  Example PC's include Intel NUC and Gigabyte BRIX.  Partial support is also available on OLPC laptops like the XO-1.5, XO-1.75 and XO-4.  A VirtualBox VM can also be used for testing purposes.  Using Docker containers however is not recommended as our [Ansible](https://github.com/ansible/ansible) provisioning system requires low-level access to the operating system.
 Finally, running Internet-in-a-Box on the Raspberry Pi Zero W is also possible, if you transfer a working IIAB (microSD card) that was built up inside a Raspberry Pi 3 (or 3 B+).
 Please refer to [IIAB Platforms](https://github.com/iiab/iiab/wiki/IIAB-Platforms) for more information.
 Internet-in-a-Box uses Ansible (acquired by Red Hat in October 2015, similar to Puppet) to install and configure all software packages.  Ansible uses [playbooks](http://docs.ansible.com/ansible/latest/playbooks.html) as human-readable instruction files in [YAML](http://www.yaml.org/start.html) format.  Playbooks are divided into hosts, roles and tasks.
 ```
 ├── roles
 │   ├── 1-prep
 │   │   ├─ defaults
 |   |   |    ├──main.yml (lowest precedence variable definitions, overridden by <repo_root>/vars/default_vars.yml, overridden by /etc/iiab/local_vars.yml)
 │   │   ├── README.rst
 │   │   ├── tasks
 |   |   |    ├──main.yml (specifies the actions to install this role
 │   │   └── templates
 |   |   |    ├──<text files where Ansible variables are substituted, using jinja2 templating e.g. {% <variable> %}>
 │   ├── 2-common
 │   │   ├── README.rst
 │   │   ├── tasks
 │   │   └── templates
 ```
 Specifically, Ansible installs Internet-in-a-Box starting with 0-init, followed by Stages 1 to 9, and finally runs the network stage:
 - [0-init](https://github.com/iiab/iiab/tree/master/roles/0-init)
 - [1-prep](https://github.com/iiab/iiab/tree/master/roles/1-prep)
 - [2-common](https://github.com/iiab/iiab/tree/master/roles/2-common)
 - [3-base-server](https://github.com/iiab/iiab/tree/master/roles/3-base-server)
 - [4-server-options](https://github.com/iiab/iiab/tree/master/roles/4-server-options)
 - [5-xo-services](https://github.com/iiab/iiab/tree/master/roles/5-xo-services)
 - [6-generic-apps](https://github.com/iiab/iiab/tree/master/roles/6-generic-apps)
 - [7-edu-apps](https://github.com/iiab/iiab/tree/master/roles/7-edu-apps)
 - [8-mgmt-tools](https://github.com/iiab/iiab/tree/master/roles/8-mgmt-tools)
 - [9-local-addons](https://github.com/iiab/iiab/tree/master/roles/9-local-addons)
 - [network](https://github.com/iiab/iiab/tree/master/roles/network)
 Click on Stages 1 to 9 above for descriptions of their specific purposes.
 At runtime (to build up your Internet-in-a-Box server) Ansible gathers system information making it available (as 'facts') and combines this with Ansible 'variables' to guide the installation process. The execution follows a sequence of cascading steps:
 1. Bash script `./iiab-install` uses Ansible to run `/opt/iiab/iiab/iiab-stages.yml`
 2. `iiab-stages.yml` calls 9+ aggregate roles (AKA stages, these are the numbered directories above, in /opt/iiab/iiab/roles) and then the network role.  It avoids repeating any of these 9 core install stages (in case of Internet glitches etc) by keeping a counter ("STAGE") in `/etc/iiab/iiab.env`  (Aside: the network role can also later be run using `./iiab-network`)
 3. Each aggregate role AKA stage has a `<role>/tasks/main.yml` (formerly `<role>/meta/main.yml`) to invoke all needed roles and tasks.
 Please refer to the [IIAB Architecture](https://github.com/iiab/iiab/wiki/IIAB-Architecture) and [IIAB Variables]( https://github.com/iiab/iiab/wiki/IIAB-Variables) pages for more information.
 Installation
 ============
 Before you start the installation, please refer to the [hardware section of the FAQ](http://wiki.laptop.org/go/IIAB/FAQ#What_hardware_should_I_use.3F) page for memory, storage and network requirements for your platform.  Also note that downloading content might take a long time on slower Internet connections.
 Most implementers should use IIAB's 1-line installer at http://download.iiab.io (click on the version number, e.g. [6.6](http://download.iiab.io/6.6/)).
 If you are a developer, consider [building Internet-in-a-Box from scratch](https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch).
 Please refer to the [IIAB Installation](https://github.com/iiab/iiab/wiki/IIAB-Installation) page for more information.
 Setting up development environment
 ===================================
 ( This section uses an experimental development environment for Internet-in-a-Box. It is being developed in the [iiab-dev-mode repository](https://github.com/arky/iiab-dev-mode). )
 This section provides a quick setup of the Internet-in-a-Box (IIAB) development environment using [Vagrant](https://www.vagrantup.com/).  You will need a computer with [virtualization enabled](https://www.virtualbox.org/manual/UserManual.html) and git, Vagrant (2.0 or later) and [VirtualBox](https://www.virtualbox.org/) installed.
 ## Requirements
 * git
 * [Vagrant (2.0 or later)](https://www.vagrantup.com/)
 * [VirtualBox](https://www.virtualbox.org/wiki/Downloads)
 * Editor ([Atom](www.atom.io), Emacs, vi, etc)
 ## Setup Instructions
 1. Check out the repository and its submodules onto your development machine.
 `git clone --recursive git@github.com:arky/iiab-dev-mode.git`
 2. Change directory into 'iiab-dev-mode' with `cd iiab-dev-mode`.  You can update all the submodules to the latest master using `git submodule foreach git pull origin master`
 3. Set up a vagrant machine with `vagrant up` and provision it with `vagrant provision`.  Please select the available bridge network interface (wlan0 or eth0) that connects your host machine to the Internet.
 4. Connect to your vagrant machine with `vagrant ssh`.  All your local development files are available through shared folders in the `/opt/iiab` directory.
 5. Install IIAB itself from the Ansible playbooks by following [IIAB Installation](https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch) instructions:
 ```
   cd /opt/iiab/iiab/scripts/
   ./ansible
   cd /opt/iiab/iiab/
   ./runansible
   cd /opt/iiab/iiab-admin-console/
   ./install
   cd /opt/iiab/iiab-menu/
   ./cp-menus
 ```
 6. Hack away!
 7. You can commit your local changes to your personal forks of the Internet-in-a-Box repository and then send pull requests to the IIAB project.  Once you've forked a repository, you change directory into that repository and set a default git remote push setting with the following command:
   `cd <repo> && git remote set-url --push origin git@github.com:<your_username>/<your_forked_iiab_repo_name>.git`
 	Learn more by reading the blog post [Different git Push & Pull(fetch) URLs](http://blog.yuriy.tymch.uk/2012/05/different-git-push-pullfetch-urls.html) and the [Git Basics - Working with Remotes](https://git-scm.com/book/en/v2/Git-Basics-Working-with-Remotes) chapter of Scott Chacon and Ben Straub's "Git Pro" book.
 8. Once you are done, you can stop your vagrant machine with `vagrant halt` or remove it completely with `vagrant destroy`.
 Debugging
 =========
 Here are a few strategies for debugging problems during the Internet-in-a-Box installation.
 * When an installation task fails, Ansible halts printing out a descriptive error message to the screen. This error information is also written to a `iiab-install.log` file within `/opt/iiab/iiab`.  (Look through logs to check if any preceding line contains the error).
 * When an installation succeeds, the last lines printed on the screen will look like the following (failed=0):
 ```
   PLAY RECAP *********************************************************************
   127.0.0.1                  : ok=405  changed=125  unreachable=0    failed=0
 ```
 * Search through the Ansible playbooks using `egrep -rn <string from the failing step> /opt/iiab/iiab/roles/*>` to find the failed task.
 * You can add additional [debug print statements](http://docs.ansible.com/ansible/latest/debug_module.html) to Ansible playbooks for debugging the problem.
 * Talk to us or report a bug using the information below.
 Please refer to [Ansible playbook documentation](http://docs.ansible.com/ansible/latest/playbooks.html) for more information.
 Testing your code with Travis CI
 =================================
 To maintain the quality of the Internet-in-a-Box (IIAB) code, we use [Travis Continuous Integration (CI)](https://travis-ci.org) build infrastructure. Travis CI does tests to ensure the code syntax is correct and the code is formatted properly using `ansible` syntax checker, `ansible-lint` and `ansible-review` tools. The results of Travis CI Internet-in-a-Box (IIAB) could be seen [here](https://travis-ci.org/iiab/iiab).
 Every pull request [was] automatically tested by Travis CI.  The results of these tests [were] added to the pull request.  This aids Internet-in-a-Box (IIAB) developers in reviewing the quality of the code in a pull request [this approach is currently on hold as of July 2018 &mdash; if it's tuned up, this or any similar CI/CD alternatives would be welcome!]
 To test your forked repository of Internet-in-a-Box (IIAB) code, you have to enable automatic build tests in your [Travis-ci.org](https://travis-ci.org) profile page.
 * Login to [Travis-ci.org](https://travis-ci.org) using your Github account.
 * Go to your Travis CI profile page and enable the repository you want to build.
 * The builds will start whenever a new commit is pushed to your repository.
 Please refer to [Travis CI documentation](https://docs.travis-ci.com/user/getting-started/) for more information.
 Reporting Bugs
 ==============
 You can file bug reports on [GitHub](https://github.com/):
 * Sign up for a [GitHub](https://github.com/) account
 * Go to the [issue tracker on GitHub](https://github.com/iiab/iiab/issues)
 * Search for existing issues using the search field
 * If you don't find any similar issues, file a new issue!
 Please consider providing a descriptive title, your operating system information, error messages and steps to reproduce the issue.
 Get in touch
 ============
 * Join our [technology](http://lists.laptop.org/listinfo/server-devel) and [learning design](https://groups.google.com/group/unleashkids) mailing lists
 * Join our [live calls](http://minutes.iiab.io) most Mondays and Thursdays
 * Join us on IRC live chat: [#schoolserver](https://webchat.freenode.net/?channels=#schoolserver) on [freenode]( https://www.freenode.net/)
 * Post an idea or question to our [community forums](http://iiab.io/)
 * Read ["What are the best places for community support?"](http://FAQ.IIAB.IO#What_are_the_best_places_for_community_support.3F) within our Frequently Asked Questions  ([FAQ.IIAB.IO](http://FAQ.IIAB.IO))
--- a/LICENSING.md
+++ b/LICENSING.md
@ -15,6 +15,6 @@ this is to include the following two lines at the top of the file:
    Licensed under the terms of the GNU GPL v2 or later; see LICENSE for details.
 All files not containing an explicit copyright notice or terms of license in
-the file are Copyright © 2015-2018, Unleash Kids, and are licensed under the
+the file are Copyright © 2015-2020, Unleash Kids, and are licensed under the
 terms of the GPLv2 license in the file named LICENSE in the root of the
 repository.
--- a/2
+++ b/2
@ -92,3 +92,5 @@ brctl show
 echo
 echo "iiab-network run start: $Start"
 echo "iiab-network run end: $End"
 echo
 echo "Please REBOOT to fully verify your network -- graphical desktops MUST reboot!"
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -56,9 +56,11 @@
    name: samba
  when: samba_install | bool
-# 2020-02-17: what was roles/homepage lives in roles/www_options.  Eventually
+# 2020-02-17: What was roles/homepage lives in roles/www_options
-# softcoding of iiab_home_url should happen everywhere (incl Admin Console) for
+# 2020-10-08: Softcoded iiab_home_url should work (e.g. using local_vars.yml or
-# more field options, e.g. changing /library/www/html/home even when offline...
+# Admin Console) for more field options, e.g. changing /library/www/html/home
 # to WordPress or Moodle even when offline?  @tim-moody cautions that this is
 # untested for several years, so let's keep an eye on it!  iiab/iiab#2560
 - name: WWW_OPTIONS (WWW_BASE should have been installed earlier)
  include_role:
--- a/roles/iiab-admin/README.rst
+++ b/roles/iiab-admin/README.rst
@ -13,16 +13,25 @@
 iiab-admin README
 =================
-This role is home to a number of administrative playbooks.  Those implemented are:
+This role is home to a number of administrative (Ansible) playbooks:
 Add Administrative User
 -----------------------
-* Add the iiab-admin user and password
+* Adds the Linux user that will allow you access to IIAB's Admin Console (http://box.lan/admin) if this has not already been done for you by IIAB's 1-line installer (http://download.iiab.io).
-* N.B. to create password hash use python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
+* By default this is ``iiab-admin`` with password ``g0adm1n``
-* Make a sudoer
+   * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin**
-* |ss| Add /root/.ssh and dummy authorized_keys file as placeholder |se| |nbsp| (moved to playbook roles/sshd)
+   * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password
-* Force password for sudoers
+   * If you prefer using a pre-existing user like ``pi`` or ``ubuntu`` etc, consider customizing variables ``iiab_admin_user_install``, ``iiab_admin_user`` and ``iiab_admin_user_group`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (please do this prior to installing IIAB !)
 * Please read more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
 Desiderata, for the historical record:
 * Auto-checking for the default password is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists).
 * |ss| N.B. to create password hash use python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' |se| |nbsp| (not recommended as of October 2020)
 * |ss| Make a sudoer |se| |nbsp| (likely going away in October 2020, as group 'iiab-admin' should be recommended instead of group 'sudo')
 * |ss| Add /root/.ssh and dummy authorized_keys file as placeholder |se| |nbsp| (moved to `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_)
 * |ss| Force password for sudoers |se| |nbsp| (sudo flag ``NOPASSWORD:`` and the ``wheel`` group will no longer being used as of October 2020)
 Add Packages for Remote Access
 ------------------------------
@ -33,4 +42,4 @@ Add Packages for Remote Access
 Admin Console
 -------------
-Has been moved to separate git repo: https://github.com/iiab/iiab-admin-console
+Has been moved to this separate git repo: https://github.com/iiab/iiab-admin-console
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@ -12,8 +12,14 @@
 # bash syntax "function check_user_pwd() {" was removed, as it prevented all
 # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
 check_user_pwd() {
-    id -u $1 > /dev/null 2>&1 || return 2    # FORCE ERROR if no such user
+    #id -u $1 > /dev/null 2>&1 || return 2    # Not needed if return 1 is good
-    # *BUT* overall bash script still returns exit code 0 ("success")
+    # enough when user does not exist.  Or uncomment to FORCE ERROR CODE 2.
    # Either way, overall bash script still returns exit code 0 ("success")
    # sudo works below (unlike in sshpwd-profile-iiab.sh) b/c RaspiOS ships w/
    # /etc/sudoers.d/010_pi-nopasswd containing "pi ALL=(ALL) NOPASSWD: ALL"
    # (read access to /etc/shadow is otherwise restricted to just root and
    # group www-data i.e. Apache, NGINX get special access).  SEE: #2431, #2561
    # $meth (hashing method) is typically '6' which implies 5000 rounds
    # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
@ -14,9 +14,14 @@
 # bash syntax "function check_user_pwd() {" was removed, as it prevented all
 # lightdm/graphical logins (incl autologin) on Raspbian: #1252 -> PR #1253
 check_user_pwd() {
    #[ $(id -un) = "root" ] || return 2
    #[ $(id -un) = "root" ] || [ $(id -un) = "iiab-admin" ] || return 2
    [ -r /etc/shadow ] || return 2    # FORCE ERROR if /etc/shadow not readable
    # *BUT* overall bash script still returns exit code 0 ("success").
-    id -u $1 > /dev/null 2>&1 || return 2    # FORCE ERROR if no such user
+    #id -u $1 > /dev/null 2>&1 || return 2    # Not needed if return 1 is good
-    # *BUT* overall bash script still returns exit code 0 ("success")
+    # enough when user does not exist.  Or uncomment to FORCE ERROR CODE 2.
    # Either way, overall bash script still returns exit code 0 ("success").
    # $meth (hashing method) is typically '6' which implies 5000 rounds
    # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
@ -26,21 +31,20 @@ check_user_pwd() {
    [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
 }
-[ $(id -un) = "root" ] || return   # MUST be executed as root!  Non-root logins
+# 2020-10-13 https://github.com/iiab/iiab/issues/2561 RECAP: Above was blocking
-# were blocking on above permissions to grep /etc/shadow.  As it's unreasonable
+# logins, lacking permissions to grep /etc/shadow.  As it's unreasonable to
-# to provide sudo privs to every user (with "NOPASSWD:" password-free sudo
+# provide sudo privs to every user (with "NOPASSWD:" password-free sudo access
-# access or not, as required by graphical logins!)  iiab/iiab#2561
+# or not, as required by graphical logins!)
-# 2020-10-10 RECAP: most logins (graphical or tty) blocked on above [sudo] grep
+# MORE DETAILS: most logins (graphical or tty) blocked on above [sudo] grep
 # (at least tty logins finally let sudoers in, after entering password twice!)
 # EXCEPTION: ALL GRAPHICAL logins to Raspberry Pi OS still worked, no matter
 # whether sshpwd-lxde-iiab.sh's "sudo grep" displayed our popup warning or not!
 #[ $(id -un) = "{{ iiab_admin_user }}" ] || [ $(id -un) = "root" ] || return
 # HISTORICAL: if password-free sudo access is truly nec, it can be set with
 # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older:
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
-# BUT: popup warnings still don't appear on most OS's, much as mentioned here:
+# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30
 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin g0adm1n
--- a/roles/network/tasks/detected_network.yml
+++ b/roles/network/tasks/detected_network.yml
@ -106,19 +106,20 @@
  register: wifi_gateway_found
  when: discovered_wireless_iface != "none"
- name: Set has_wifi_gateway for {{ discovered_wireless_iface }} if WiFi gateway is detected
+- name: Set has_wifi_gateway if WiFi has default gateway detected for {{ discovered_wireless_iface }}
  set_fact:
    has_wifi_gateway: True
  when: discovered_wireless_iface != "none" and (wifi_gateway_found.stdout|int > 0)
- name: Detect secondary gateway active
+- name: Detect secondary gateway active on all interfaces
  shell: ip r | grep default | grep -v {{ discovered_wan_iface }} | awk '{print $5}'
  register: second_gateway_found
  changed_when: False
- name: Set exclude_devices for {{ second_gateway_found.stdout }} if gateway is detected
+- name: Set exclude_devices if default gateway has been detected for {{ second_gateway_found.stdout }}
  set_fact:
-    exclude_devices: "-e {{ second_gateway_found.stdout }}"
+    exclude_devices: "{{ second_gateway_found.stdout }}"
-  when: second_gateway_found.changed
+  when: second_gateway_found.stdout != ""
 # XO hack here ap_device would not be active therefore not set with
 # wired as gw use ap_device to exclude eth0 from network calulations
@ -130,11 +131,11 @@
 - name: Exclude reserved Network Adapter if defined - takes adapter name
  set_fact:
-    exclude_devices: "-e {{ reserved_device }} {{ exclude_devices }}"
+    exclude_devices: "{{ exclude_devices }} -e {{ reserved_device }}"
  when: reserved_device is defined
 - name: Count LAN ifaces
-  shell: ls /sys/class/net | grep -v {{ virtual_network_devices }} -e wwlan -e ppp -e {{ device_gw }} {{ exclude_devices }} | wc -l
+  shell: ls /sys/class/net | grep -v {{ virtual_network_devices }} -e wwlan -e ppp -e {{ device_gw }} -e {{ exclude_devices }} | wc -l
  register: num_lan_interfaces_result
 - name: Calculate number of LAN interfaces including WiFi
@ -143,7 +144,7 @@
 # LAN - pick non WAN's
 - name: Create list of LAN (non WAN) ifaces
-  shell: ls /sys/class/net | grep -v {{ virtual_network_devices }} -e wwlan -e ppp -e {{ device_gw }} {{ exclude_devices }}
+  shell: ls /sys/class/net | grep -v {{ virtual_network_devices }} -e wwlan -e ppp -e {{ device_gw }} -e {{ exclude_devices }}
  when: num_lan_interfaces != "0"
  register: lan_list_result
--- a/roles/osm-vector-maps/README.md
+++ b/roles/osm-vector-maps/README.md
@ -3,6 +3,7 @@
 1. If you install [IIAB 7.2](https://github.com/iiab/iiab/wiki/IIAB-7.2-Release-Notes) with [IIAB Maps](https://github.com/iiab/iiab/wiki/IIAB-Maps), a new **Install IIAB Maps** page is available (http://box/osm-vector-maps/installer/) with [instructions](https://github.com/iiab/iiab/wiki/IIAB-Maps#how-do-i-install-map-packs-and-satellite-photo-regions-on-iiab-72-), separate from IIAB's Admin Console:
   1. This [very visual page](https://user-images.githubusercontent.com/2458907/94740848-46c4eb00-0341-11eb-93ea-e3e4758dce48.png) facilitates selecting/downloading/installing of Map Pack(s) for your favorite "continent(s)".  (SEE 2. BELOW)
   2. If you've installed at least one Map Pack, you can then use this same page to select/download/install Hi-Res Satellite Photo Region(s) for your local communities.  (SEE 3. BELOW)
   3. All these downloads can now happen 10X to 100X faster, thanks to [PR #38](https://github.com/iiab/maps/pull/38) !
 2. **Map Packs** no longer bundle both data and program in a .zip file.  All Map Packs are really now just a collection of 3 .mbtiles files:
   1. The main focus of a Map Pack remains Hi-Res Vector Map data from OpenStreetMap, for your selected "continent" — but Lo-Res vector map tiles (1.74GB .mbtiles) and Lo-Res satellite photos (932MB .mbtiles) are also included for the entire planet.  Read more at: https://github.com/iiab/iiab/wiki/IIAB-Maps
--- a/roles/www_base/files/html/html/credits.html
+++ b/roles/www_base/files/html/html/credits.html
@ -27,7 +27,7 @@
  All Gutenberg content is available for free at  <a href="https://www.gutenberg.org/">www.gutenberg.org</a>.<br>
  All OLPC content is available for free at  <a href="http://wiki.laptop.org/go/Collections">wiki.laptop.org</a>.<br>
  All MIT Scratch content is available for free at  <a href="https://scratch.mit.edu">scratch.mit.edu</a>.<br>
-  All UNESCO's IICBA content is available for free at  <a href="http://www.iicba.unesco.org/?q=elibrary">www.iicba.unesco.org/</a>.<br>
+  All UNESCO's IICBA content is available for free at  <a href="http://www.iicba.unesco.org/?q=elibrary">www.iicba.unesco.org</a>.<br>
  All Math Expression content is available for free at  <a href="https://www.mathexpression.com/">www.mathexpression.com</a>.<br>
  All Music Theory content is available for free at  <a href="https://www.musictheory.net/">www.musictheory.net</a>.<br>
  All HealthPhone content is available for free at  <a href="http://www.healthphone.org/">www.healthphone.org</a>.<br>
@ -46,7 +46,7 @@
  It is licensed under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.<br><br>
-  Licensing information may be found at  <a href="https://github.com/iiab/iiab/blob/master/LICENSE.md">github.com/iiab/iiab/blob/master/LICENSE.md</a>.<br>
+  Licensing information may be found at  <a href="https://github.com/iiab/iiab/blob/master/LICENSING.md">github.com/iiab/iiab/blob/master/LICENSING.md</a>.<br>
 </BODY>
 <script type="text/javascript" src="incl/xs-portal.js"></script>
--- a/scripts/ansible
+++ b/scripts/ansible
@ -5,7 +5,7 @@
 APT_PATH=/usr/bin    # Avoids problematic /usr/local/bin/apt on Linux Mint
 CURR_VER="undefined"    # Ansible version you currently have installed
-GOOD_VER="2.10.1"    # Orig for 'yum install [rpm]' & XO laptops (pip install)
+GOOD_VER="2.10.2"    # Orig for 'yum install [rpm]' & XO laptops (pip install)
 # We install latest 'ansible-base' from PPA: (may be more recent than GOOD-VER)
 # https://launchpad.net/~ansible/+archive/ubuntu/ansible
 # https://launchpad.net/~ansible/+archive/ubuntu/ansible-2.10
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -50,13 +50,17 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231
-# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# Please read more about the 'iiab-admin' Linux user and group, which allow
-# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# you to log in to IIAB's Admin Console (http://box.lan/admin):
-# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
 iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# Linux user that has sudo access, for login to Admin Console http://box/admin
+# user that's a member of group sudo (or group below?) for Admin Console login:
 iiab_admin_user: iiab-admin
 iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
 iiab_admin_published_pwd: g0adm1n    # For live checks/alerts of published pwds
 # Password hash to override above, if Ansible creates above user:
 iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
@ -68,13 +72,13 @@ iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGm
 # Time Zone (php needs timezone to be set)
 local_tz: "{{ ansible_date_time.tz }}"
-# Set these to False if you do not want to install IIAB Admin Console
+# Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
 admin_console_enabled: True
 #
-# Set to "False" if you do not want to use the latest js-menus
+# Set to "False" if you do not want to use the latest js-menus, either because
-# either because you use wordpress or another home page
+# you use WordPress or another home page, or if you prefer the older
-# or if you prefer the older https://github.com/iiab/iiab-menu (no longer maintained)
+# https://github.com/iiab/iiab-menu (no longer maintained)
 js_menu_install: True
@ -216,7 +220,8 @@ sshd_port: 22    # Not fully functional.  SEE: roles/sshd/tasks/install.yml
 openvpn_install: True
 openvpn_enabled: False
 # For /etc/iiab/openvpn_handle
-openvpn_handle:
+openvpn_handle: ""    # Empty string on purpose since ~2016, for /etc/iiab/uuid
 # SEE https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml#L45
 # cron seems necessary on CentOS:
 openvpn_cron_enabled: False
 # General OpenVPN settings
@ -463,6 +468,8 @@ moodle_enabled: False
 # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
 osm_vector_maps_install: True
 osm_vector_maps_enabled: False
 # Set to "True" to download .mbtiles files from Archive.org (might be slow!)
 maps_from_internet_archive: False
 iiab_map_url : http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
 vector_map_path: "{{ content_base }}/www/osm-vector-maps"    # /library/www/osm-vector-maps
@ -608,12 +615,6 @@ calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
 # =============================================================================
 # UNMAINTAINED LEGACY VARIABLES: YOU'RE TAKING BIG RISKS IF YOU USE ANY HERE...
 # CONSIDER THESE NEW OPENSTREETMAP (OSM) APPROACHES INSTEAD:
 #
 # 2019: https://github.com/iiab/iiab/wiki/IIAB-Maps SEE ABOVE osm_vector_maps_*
 # 2018: http://download.iiab.io/content/OSM/vector-tiles/
 # 2017: http://oer2go.org/viewmod/en-worldmap-10
 #
 # Unmaintained
 # osm_install: False
 # osm_enabled: False
@ -625,10 +626,6 @@ calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
 # docker_install: False
 # docker_enabled: False
 # THOSE ABOVE WERE STILL OCCASIONALLY USED AS OF NOVEMBER 2019.
 # =============================================================================
 # THOSE BELOW WERE *NOT* USED FOR YEARS, AS OF NOVEMBER 2019.
 # Unmaintained
 # authserver_install: False
 # authserver_enabled: False
@ -684,7 +681,7 @@ calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
 # OS-DEPENDENT VARS: TURN OFF ALL VARS BELOW AND THEN THE CORRECT
 # /opt/iiab/iiab/vars/<OS>.yml WILL TURN ON WHAT'S APPROPRIATE.  See "How This
-# Works" ~30 lines below, and https://github.com/iiab/iiab/wiki/IIAB-Platforms
+# Works" ~32 lines below, and https://github.com/iiab/iiab/wiki/IIAB-Platforms
 # Wide to narrow (insofar as poss)
 is_debuntu: False    # Covers all 4: Ubuntu, Linux Mint, Debian, Raspberry Pi OS (Raspbian)
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -22,13 +22,17 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231
-# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# Please read more about the 'iiab-admin' Linux user and group, which allow
-# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# you to log in to IIAB's Admin Console (http://box.lan/admin):
-# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
 iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# Linux user that has sudo access, for login to Admin Console http://box/admin
+# user that's a member of group sudo (or group below?) for Admin Console login:
 iiab_admin_user: iiab-admin
 iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
 # Password hash to be used if Ansible creates the above user:
 iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
 # Obtain a password hash - NEW MORE SECURE WAY:
@ -36,13 +40,13 @@ iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGm
 # Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-# Set these to False if you do not want to install IIAB Admin Console
+# Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
 admin_console_enabled: True
 #
-# Set to "False" if you do not want to use the latest js-menus
+# Set to "False" if you do not want to use the latest js-menus, either because
-# either because you use wordpress or another home page
+# you use WordPress or another home page, or if you prefer the older
-# or if you prefer the older https://github.com/iiab/iiab-menu (no longer maintained)
+# https://github.com/iiab/iiab-menu (no longer maintained)
 js_menu_install: True
@ -151,7 +155,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle:
+openvpn_handle: "BIG-sized - Put Your Name Here"
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
@ -318,6 +322,8 @@ moodle_enabled: True
 # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
 osm_vector_maps_install: True
 osm_vector_maps_enabled: True
 # Set to "True" to download .mbtiles files from Archive.org (might be slow!)
 maps_from_internet_archive: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -22,13 +22,17 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231
-# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# Please read more about the 'iiab-admin' Linux user and group, which allow
-# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# you to log in to IIAB's Admin Console (http://box.lan/admin):
-# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
 iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# Linux user that has sudo access, for login to Admin Console http://box/admin
+# user that's a member of group sudo (or group below?) for Admin Console login:
 iiab_admin_user: iiab-admin
 iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
 # Password hash to be used if Ansible creates the above user:
 iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
 # Obtain a password hash - NEW MORE SECURE WAY:
@ -36,13 +40,13 @@ iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGm
 # Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-# Set these to False if you do not want to install IIAB Admin Console
+# Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
 admin_console_enabled: True
 #
-# Set to "False" if you do not want to use the latest js-menus
+# Set to "False" if you do not want to use the latest js-menus, either because
-# either because you use wordpress or another home page
+# you use WordPress or another home page, or if you prefer the older
-# or if you prefer the older https://github.com/iiab/iiab-menu (no longer maintained)
+# https://github.com/iiab/iiab-menu (no longer maintained)
 js_menu_install: True
@ -151,7 +155,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle:
+openvpn_handle: "MEDIUM-sized - Put Your Name Here"
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
@ -318,6 +322,8 @@ moodle_enabled: False
 # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
 osm_vector_maps_install: True
 osm_vector_maps_enabled: True
 # Set to "True" to download .mbtiles files from Archive.org (might be slow!)
 maps_from_internet_archive: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@ -22,13 +22,17 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231
-# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# Please read more about the 'iiab-admin' Linux user and group, which allow
-# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# you to log in to IIAB's Admin Console (http://box.lan/admin):
-# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
 iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# Linux user that has sudo access, for login to Admin Console http://box/admin
+# user that's a member of group sudo (or group below?) for Admin Console login:
 iiab_admin_user: iiab-admin
 iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
 # Password hash to be used if Ansible creates the above user:
 iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
 # Obtain a password hash - NEW MORE SECURE WAY:
@ -36,13 +40,13 @@ iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGm
 # Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-# Set these to False if you do not want to install IIAB Admin Console
+# Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
 admin_console_enabled: True
 #
-# Set to "False" if you do not want to use the latest js-menus
+# Set to "False" if you do not want to use the latest js-menus, either because
-# either because you use wordpress or another home page
+# you use WordPress or another home page, or if you prefer the older
-# or if you prefer the older https://github.com/iiab/iiab-menu (no longer maintained)
+# https://github.com/iiab/iiab-menu (no longer maintained)
 js_menu_install: True
@ -151,7 +155,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle:
+openvpn_handle: "MIN-sized - Put Your Name Here"
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
@ -318,6 +322,8 @@ moodle_enabled: False
 # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
 osm_vector_maps_install: True
 osm_vector_maps_enabled: True
 # Set to "True" to download .mbtiles files from Archive.org (might be slow!)
 maps_from_internet_archive: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957