Merge branch 'master' into izer

2025-02-13 03:32:12 +00:00 · 2018-08-07 18:04:14 -04:00 · 2018-08-07 18:04:14 -04:00 · 21d9d39191
commit 21d9d39191
parent b9350d12c0 708043431a
102 changed files with 1810 additions and 814 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,51 +1,71 @@
 Contributing to Internet-in-a-Box (IIAB)
 =======================================
-Internet-in-a-Box runs on various GNU/Linux operating systems such as Fedora, Ubuntu, Debian, CentOS and Raspbian.
+Internet-in-a-Box runs on various GNU/Linux operating systems such as Raspbian, Ubuntu, Debian, CentOS and Fedora.
-You can install Internet-in-a-Box on most late model desktop and laptop computers. It also supports Intel NUC, Intel Gigabyte BRIX, OLPC XO-1.5, XO-1.75, XO-4, Raspberry Pi 2 and Raspberry Pi 3. A VirtualBox VM can also used for testing purposes. Using Docker containers however is not recommended as our Ansible provisioning system requires low-level access to the operating system.
+You can install Internet-in-a-Box on x86_64 PCs/laptops and Raspberry Pi 3 (or 3 B+).  Example PC's include Intel NUC and Gigabyte BRIX.  Partial support is also available on OLPC laptops like the XO-1.5, XO-1.75 and XO-4.  A VirtualBox VM can also be used for testing purposes.  Using Docker containers however is not recommended as our Ansible provisioning system requires low-level access to the operating system.
 Finally, running Internet-in-a-Box on the Raspberry Pi Zero W is also possible, if you transfer a working IIAB (microSD card) that was built up inside a Raspberry Pi 3 (or 3 B+).
 Please refer to [IIAB Platforms](https://github.com/iiab/iiab/wiki/IIAB-Platforms) for more information.
-Internet-in-a-Box uses [Ansible](https://www.ansible.com/) infrastructure automation tool to deploy and configure all software packages. Ansible uses [playbooks](http://docs.ansible.com/ansible/latest/playbooks.html) a human readable instruction files in YAML format. Playbooks are divided into hosts, roles and tasks.
+Internet-in-a-Box uses Ansible (acquired by Red Hat in October 2015, similar to Puppet) to install and configure all software packages.  Ansible uses [playbooks](http://docs.ansible.com/ansible/latest/playbooks.html) as human-readable instruction files in [YAML](http://www.yaml.org/start.html) format.  Playbooks are divided into hosts, roles and tasks.
 ```
 ├── roles
 │   ├── 1-prep
 │   │   ├─ defaults
-|   |   |    ├──main.yml (lowest precedence variable definitions, overridden by <repo_root>/vars/default_vars.yml, overridden by ./vars/local_vars.yml.
+|   |   |    ├──main.yml (lowest precedence variable definitions, overridden by <repo_root>/vars/default_vars.yml, overridden by /etc/iiab/local_vars.yml)
 │   │   ├── README.rst
 │   │   ├── tasks
 |   |   |    ├──main.yml (specifies the actions to install this role
 │   │   └── templates
-|   |   |    ├<(text files where ansible variables are substituted, specified via {% <variable> %} containers-(jinja2 language).
+|   |   |    ├──<text files where Ansible variables are substituted, using jinja2 templating e.g. {% <variable> %}>
 │   ├── 2-common
 │   │   ├── README.rst
 │   │   ├── tasks
 │   │   └── templates
 ```
-At runtime, Ansible gathers system information and makes it available (called 'facts') and combines this with playbook defined 'variables' to guide the installation process. The execution follows a sequence of cascading steps:
+Specifically, Ansible installs Internet-in-a-Box starting with 0-init, followed by Stages 1 to 9, and finally runs the network stage:
 - [0-init](https://github.com/iiab/iiab/tree/master/roles/0-init)
 - [1-prep](https://github.com/iiab/iiab/tree/master/roles/1-prep)
 - [2-common](https://github.com/iiab/iiab/tree/master/roles/2-common)
 - [3-base-server](https://github.com/iiab/iiab/tree/master/roles/3-base-server)
 - [4-server-options](https://github.com/iiab/iiab/tree/master/roles/4-server-options)
 - [5-xo-services](https://github.com/iiab/iiab/tree/master/roles/5-xo-services)
 - [6-generic-apps](https://github.com/iiab/iiab/tree/master/roles/6-generic-apps)
 - [7-edu-apps](https://github.com/iiab/iiab/tree/master/roles/7-edu-apps)
 - [8-mgmt-tools](https://github.com/iiab/iiab/tree/master/roles/8-mgmt-tools)
 - [9-local-addons](https://github.com/iiab/iiab/tree/master/roles/9-local-addons)
 - [network](https://github.com/iiab/iiab/tree/master/roles/network)
-1. Bash script `./runansible` follows instructions in `iiab.yml` in the root directory.
+Click on Stages 1 to 9 above for descriptions of their specific purposes.
-2. `iiab.yml` calls 9 aggregate roles (the numbered directories under `./roles/`).
+At runtime (to build up your Internet-in-a-Box server) Ansible gathers system information making it available (as 'facts') and combines this with Ansible 'variables' to guide the installation process. The execution follows a sequence of cascading steps:
-3. Each aggregate role has a `<role>/meta/main.yml` which calls the individual named roles.
+1. Bash script `./iiab-install` uses Ansible to run `/opt/iiab/iiab/iiab-stages.yml`
 2. `iiab-stages.yml` calls 9+ aggregate roles (AKA stages, these are the numbered directories above, in /opt/iiab/iiab/roles) and then the network role.  It avoids repeating any of these 9 core install stages (in case of Internet glitches etc) by keeping a counter ("STAGE") in `/etc/iiab/iiab.env`  (Aside: the network role can also later be run using `./iiab-network`)
 3. Each aggregate role AKA stage has a `<role>/tasks/main.yml` (formerly `<role>/meta/main.yml`) to invoke all needed roles and tasks.
 Please refer to the [IIAB Architecture](https://github.com/iiab/iiab/wiki/IIAB-Architecture) and [IIAB Variables]( https://github.com/iiab/iiab/wiki/IIAB-Variables) pages for more information.
 Installation
 ============
-Before you start the installation please refer to the [hardware section of FAQ](http://wiki.laptop.org/go/IIAB/FAQ#What_hardware_should_I_use.3F) page for memory, storage and network requirements for your platform. Also note that downloading content might take a long time on slower Internet connections.
+Before you start the installation please refer to the [hardware section of FAQ](http://wiki.laptop.org/go/IIAB/FAQ#What_hardware_should_I_use.3F) page for memory, storage and network requirements for your platform.  Also note that downloading content might take a long time on slower Internet connections.
-If you are a developer, please consider [building Internet-in-a-Box from scratch](https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch).
+Most all implementers should use IIAB's 1-line installer at http://download.iiab.io (click on the version number, e.g. [6.6](http://download.iiab.io/6.6/)).
 If you are a developer, consider [building Internet-in-a-Box from scratch](https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch).
 Please refer to the [IIAB Installation](https://github.com/iiab/iiab/wiki/IIAB-Installation) page for more information.
 Setting up development environment
 ===================================
 ( This section uses experimental development environment for Internet-in-a-Box. It is being developed in the [iiab-dev-mode repository](https://github.com/arky/iiab-dev-mode). )
-This section provide a quick setup of Internet-in-a-Box (IIAB) development environment using [Vagrant](https://www.vagrantup.com/). You will need a computer with [virtualization enabled](https://www.virtualbox.org/manual/UserManual.html) and git, Vagrant (2.0 or later) and [VirtualBox](https://www.virtualbox.org/) installed.
+This section provide a quick setup of Internet-in-a-Box (IIAB) development environment using [Vagrant](https://www.vagrantup.com/).  You will need a computer with [virtualization enabled](https://www.virtualbox.org/manual/UserManual.html) and git, Vagrant (2.0 or later) and [VirtualBox](https://www.virtualbox.org/) installed.
 ## Requirements
@ -55,14 +75,15 @@ This section provide a quick setup of Internet-in-a-Box (IIAB) development envir
 * Editor ([Atom](www.atom.io), Emacs, vi, etc)
 ## Setup Instructions
 1. Check out the repository and its submodules onto your development machine.
 `git clone --recursive git@github.com:arky/iiab-dev-mode.git`
-2. Change directory into 'iiab-dev-mode' with `cd iiab-dev-mode`. You can update all the submodules to latest master using `git submodule foreach git pull origin master`
+2. Change directory into 'iiab-dev-mode' with `cd iiab-dev-mode`.  You can update all the submodules to the latest master using `git submodule foreach git pull origin master`
-3. Set up a vagrant machine with `vagrant up` and provision it with `vagrant provision`. Please select the available bridge network interface (wlan0 or eth0) that connects your host machine to the Internet.
+3. Set up a vagrant machine with `vagrant up` and provision it with `vagrant provision`.  Please select the available bridge network interface (wlan0 or eth0) that connects your host machine to the Internet.
-4. Connect to your vagrant machine with `vagrant ssh`. All your local development files available as shared folder in `/opt/iiab` directory.
+4. Connect to your vagrant machine with `vagrant ssh`.  All your local development files available as shared folder in `/opt/iiab` directory.
 5. Install IIAB itself from the Ansible playbooks by following [IIAB Installation](https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch) instructions:
 ```
@ -80,11 +101,11 @@ This section provide a quick setup of Internet-in-a-Box (IIAB) development envir
 ```
 6. Hack away!
-7. You can commit your local changes to your personal forks of Internet-in-a-Box repository and then send pull request to IIAB project. Once you forked a repository, you change directory into that repository and setting a default git remote push setting with the following command.
+7. You can commit your local changes to your personal forks of Internet-in-a-Box repository and then send pull request to the IIAB project.  Once you've forked a repository, you change directory into that repository and set a default git remote push setting with the following command:
   `cd <repo> && git remote set-url --push origin git@github.com:<your_username>/<your_forked_iiab_repo_name>.git`
-	Learn more by reading blog post [Different git Push & Pull(fetch) URLs](http://blog.yuriy.tymch.uk/2012/05/different-git-push-pullfetch-urls.html) and the [Git Basics - Working with Remotes](https://git-scm.com/book/en/v2/Git-Basics-Working-with-Remotes) chapter of Scott Chacon and Ben Straub's "Git Pro" book.
+	Learn more by reading the blog post [Different git Push & Pull(fetch) URLs](http://blog.yuriy.tymch.uk/2012/05/different-git-push-pullfetch-urls.html) and the [Git Basics - Working with Remotes](https://git-scm.com/book/en/v2/Git-Basics-Working-with-Remotes) chapter of Scott Chacon and Ben Straub's "Git Pro" book.
 8. Once you are done, you can stop your vagrant machine with `vagrant halt` or remove it completely with `vagrant destroy`.
@ -93,7 +114,7 @@ Debugging
 Here are few strategies for debugging problems during the Internet-in-a-Box installation.
-* When a installation task fails, Ansible halts printing out a descriptive error message to the screen. This error information is also written to `iiab-install.log` file within `/opt/iiab/iiab`. (Look through logs to check if any preceding line contains the error).
+* When a installation task fails, Ansible halts printing out a descriptive error message to the screen. This error information is also written to `iiab-install.log` file within `/opt/iiab/iiab`.  (Look through logs to check if any preceding line contains the error).
 * When an installation succeeds, the last lines printed on the screen will look like the following (failed=0):
 ```
   PLAY RECAP *********************************************************************
@ -111,7 +132,7 @@ Testing your code with Travis CI
 To maintain the quality of the Internet-in-a-Box (IIAB) code we use [Travis Continuous Integration (CI)](https://travis-ci.org) build infrastructure. Travis CI does tests to
 ensure the code syntax is correct and the code is formatted properly using `ansible` syntax checker, `ansible-lint` and `ansible-review` tools. The results of Travis CI Internet-in-a-Box (IIAB) could be seen [here](https://travis-ci.org/iiab/iiab).
-Every pull request is automatically tested by Travis CI. The results of these tests are added to the pull request. This aids Internet-in-a-Box (IIAB) developers in reviewing the quality of the code in a pull request.
+Every pull request [was] automatically tested by Travis CI.  The results of these tests [were] added to the pull request.  This aids Internet-in-a-Box (IIAB) developers in reviewing the quality of the code in a pull request [this approach is currently on hold as of July 2018 &mdash; if it's tuned up this or any similar CI/CD alternatives would be welcome!]
 To test your forked repository of Internet-in-a-Box (IIAB) code. You have to enable automatic build tests in your [Travis-ci.org](https://travis-ci.org) profile page.
@ -140,4 +161,4 @@ Get in touch
 * Join our [live calls](http://minutes.iiab.io) most Mondays and Thursday
 * Join us on IRC live chat: [#schoolserver](https://webchat.freenode.net/?channels=#schoolserver) on [freenode]( https://www.freenode.net/)
 * Post an idea or question to our [community forums](http://iiab.io/)
-* Read our Frequently Asked Questions ([FAQ.IIAB.IO](http://FAQ.IIAB.IO))
+* Read ["What are the best places for community support?"](http://FAQ.IIAB.IO#What_are_the_best_places_for_community_support.3F) within our Frequently Asked Questions  ([FAQ.IIAB.IO](http://FAQ.IIAB.IO))
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# Internet-in-a-Box (IIAB) [![Build Status](https://travis-ci.org/iiab/iiab.svg?branch=master)](https://travis-ci.org/iiab/iiab)
+# Internet-in-a-Box (IIAB)
 Welcome to the Git repository of the Internet-in-a-Box (IIAB) project. This is a community-based project developed and supported by volunteers from around the world. The Internet-in-a-Box (IIAB) is small, inexpensive device which provides essential Internet resources (like Wikipedia, OpenStreetMap, Khan Academy and others) without any Internet connection. It provides a local content server of the world’s Free Knowledge.
--- a/iiab-base.yml
+++ b/iiab-base.yml
@ -5,7 +5,7 @@
  vars_files:
  - vars/default_vars.yml
  - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - vars/local_vars.yml
+  - /etc/iiab/local_vars.yml
  roles:
      - { role: 0-init, tags: ['0-init'] }
--- a/iiab-from-console.yml
+++ b/iiab-from-console.yml
@ -5,7 +5,7 @@
  vars_files:
  - vars/default_vars.yml
  - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - vars/local_vars.yml
+  - /etc/iiab/local_vars.yml
  - /etc/iiab/config_vars.yml
  roles:
--- a/76
+++ b/76
@ -10,9 +10,42 @@ CWD=`pwd`
 OS=`grep ^ID= /etc/*release|cut -d= -f2`
 OS=${OS//\"/}
 MIN_RPI_KERN=4.9.59-v7+
-MIN_ANSIBLE_VER=2.4.1.0
+MIN_ANSIBLE_VER=2.5.7
-export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
+if [ ! -f /etc/iiab/local_vars.yml ]; then
    if [ -f /opt/iiab/iiab/vars/local_vars.yml ]; then
        echo -e "\nACTION NEEDED: YOUR /opt/iiab/iiab/vars/local_vars.yml IS NO LONGER SUPPORTED.\n" >&2
        echo -e "███████████████████ TO MOVE IT TO THE CORRECT LOCATION, RUN: ███████████████████" >&2
        echo -e "██                                                                            ██" >&2
        echo -e "██       mv /opt/iiab/iiab/vars/local_vars.yml /etc/iiab/local_vars.yml       ██" >&2
        echo -e "██                                                                            ██" >&2
        echo -e "████████████████████████████████████████████████████████████████████████████████\n" >&2
    fi
    echo -e "\nEXITING: /opt/iiab/iiab/iiab-install REQUIRES /etc/iiab/local_vars.yml\n" >&2
    echo -e "(1) Please read http://wiki.iiab.io/local_vars.yml to learn more" >&2
    echo -e "(2) MIN/MEDIUM/BIG samples are included in /opt/iiab/iiab/vars" >&2
    echo -e "(3) NO TIME FOR DETAILS?  RUN INTERNET-IN-A-BOX'S FRIENDLY 1-LINE INSTALLER:\n" >&2
    echo -e '    http://download.iiab.io   (click on "6.6" or a more recent version!)\n' >&2
    #case $OS in
    #    OLPC | fedora)
    #        echo -e "Please examine /opt/iiab/iiab/vars/local_vars_olpc.yml for XO laptops.\n" >&2
    #        ;;
    #    centos | debian | ubuntu | raspbian)
    #        echo -e "Please consider /opt/iiab/iiab/vars/local_vars_medium.yml or similar.\n" >&2
    #        ;;
    #    *)
    #        echo -e "EXITING: IIAB requires Raspbian, Debian, Ubuntu, CentOS or OLPC/Fedora.\n" >&2
    #        ;;
    #esac
    exit 1
 fi
 # FUTURE: Test if their local_vars.yml is sufficiently version-compatible !
 echo -e "\n\n./iiab-install $* BEGUN IN $CWD\n"
 if [ ! -f /etc/ansible/facts.d/local_facts.fact ]; then
    mkdir -p /etc/ansible/facts.d
@ -30,7 +63,7 @@ if [ "$1" != "--debug" ] && [ "$1" != "--reinstall" ] && [ "$1" != "" ]; then
    echo "Use './iiab-install' for regular installs, or to continue an install."
    echo "Use './iiab-install --reinstall' to force running all Stages 0-9."
    echo "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9."
-    echo "Use './runtags' to run a single Stage or Tag or Role."
+    echo "Use './runrole' to run a single Stage or Role."
    echo "Use './iiab-network' to run Network sections."
    exit 1
 fi
@ -68,9 +101,11 @@ if [[ `command -v ansible` ]]; then        # "command -v" is POSIX compliant; it
 fi
 if version_gt $MIN_ANSIBLE_VER $CURR_ANSIBLE_VER ; then
    echo -e "\nEXITING: Ansible "$MIN_ANSIBLE_VER" or higher required."
-    echo "PLEASE RUN './scripts/ansible' to install the latest Ansible from PPA or RPM."
+    echo
-    echo "'ansible --version' and 'apt -a list ansible' can also be useful here.  Try"
+    echo "REMOVE PRIOR VERSIONS using 'apt purge ansible' and/or 'pip uninstall ansible'."
-    echo "to remove prior versions with 'apt purge ansible' or 'pip uninstall ansible'."
+    echo "THEN RUN 'scripts/ansible' to install the latest Ansible from PPA or RPM."
    echo "'ansible --version' and 'apt -a list ansible' can also be very useful."
    echo
    echo "IIAB INSTALL INSTRUCTIONS: https://github.com/iiab/iiab/wiki/IIAB-Installation"
    exit 1
 fi
@ -107,36 +142,21 @@ if [ -f /etc/iiab/iiab.env ]; then
        echo -e "\nEXITING: STAGE (counter) in /etc/iiab/iiab.env shows Stage 9 Is Already Done."
        echo "Use './iiab-install --reinstall' to force running all Stages 0-9."
        echo "Use './iiab-install --debug' to run Stage 0, followed by Stages 3-9."
-        echo "Use './runtags' to run a single Stage or Tag or Role."
+        echo "Use './runrole' to run a single Stage or Role."
-        echo "Use './iiab-network' to run Network sections."
+        echo -e "Use './iiab-network' to run Network sections.\n\n"
-        exit 1
+        exit 0    # allows rerunning http://download.iiab.io/6.6/install.txt
    fi
 fi
 if [ "$STAGE" -lt 2 ] && [ "$1" == "--debug" ]; then
    echo -e "\n'--debug' *ignored* as STAGE (counter) < 2."
 fi
 # If vars/local_vars.yml is missing, put a default file in place.
 if [ ! -f ./vars/local_vars.yml ]; then
    case $OS in
        OLPC | fedora)
            cp ./vars/local_vars_olpc.yml ./vars/local_vars.yml
            echo -e "\nvars/local_vars.yml created from local_vars_olpc.yml defaults."
            ;;
        centos | debian | ubuntu | raspbian)
            cp ./vars/local_vars_medium.yml ./vars/local_vars.yml
            echo -e "\nvars/local_vars.yml created from local_vars_medium.yml defaults."
            echo "See MIN/MEDIUM/BIG options @ http://wiki.iiab.io/local_vars.yml"
            ;;
        *)
            echo -e "\nEXITING: IIAB requires Raspbian, Debian, Ubuntu, CentOS or OLPC/Fedora."
            exit 1
            ;;
    esac
 fi
 echo -e "\nTRY TO RERUN './iiab-install' IF IT FAILS DUE TO CONNECTIVITY ISSUES ETC!"
 echo -e "\nRunning local playbooks....Stage 0 will now run....followed by Stages $(($STAGE + 1))-9"
 export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
 ansible -m setup -i $INVENTORY localhost --connection=local >> /dev/null
 ansible-playbook -i $INVENTORY $PLAYBOOK ${ARGS} --connection=local
 echo -e "./iiab-install $* COMPLETED IN $CWD\n\n"
--- a/iiab-network.yml
+++ b/iiab-network.yml
@ -5,7 +5,7 @@
  vars_files:
  - vars/default_vars.yml
  - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - vars/local_vars.yml
+  - /etc/iiab/local_vars.yml
  - /etc/iiab/config_vars.yml
  roles:
--- a/iiab-stages.yml
+++ b/iiab-stages.yml
@ -6,7 +6,7 @@
  - roles/0-init/defaults/main.yml
  - vars/default_vars.yml
  - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - vars/local_vars.yml
+  - /etc/iiab/local_vars.yml
  tasks:
--- a/iiab.yml.deprecated
+++ b/iiab.yml.deprecated
@ -5,7 +5,7 @@
  vars_files:
  - vars/default_vars.yml
  - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - vars/local_vars.yml
+  - /etc/iiab/local_vars.yml
  - /etc/iiab/config_vars.yml
  roles:
--- a/4
+++ b/4
@ -14,7 +14,7 @@ then
 exit 1
 fi
-sed -i -e "s/openvpn_install: False/openvpn_install: True/" vars/local_vars.yml
+sed -i -e "s/openvpn_install: False/openvpn_install: True/" /etc/iiab/local_vars.yml
-sed -i -e "s/openvpn_enabled: False/openvpn_enabled: True/" vars/local_vars.yml
+sed -i -e "s/openvpn_enabled: False/openvpn_enabled: True/" /etc/iiab/local_vars.yml
 ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local
--- a/roles/0-init/defaults/main.yml
+++ b/roles/0-init/defaults/main.yml
@ -12,7 +12,7 @@ gw_active: none
 internet_available: False
 discovered_wan_iface: none
-# old defs
+# Old defs
 gui_port: 80
 exFAT_enabled: False
 is_F18: False
@ -21,12 +21,12 @@ is_F18: False
 rtc_id: ds3231
 NUC6_firmware_needed: False
-# used in 2-common/tasks/xo.yml
+# Used in 2-common/tasks/xo.yml
 wifi_id: none
-# used in 2-common, 3-base-server and roles/network
+# Used in 2-common, 3-base-server and roles/network
 installing: False
-# network
+# Network
 no_net_restart: False
 no_NM_reload: False
--- a/roles/0-init/tasks/hostname.yml
+++ b/roles/0-init/tasks/hostname.yml
@ -3,7 +3,7 @@
    path: /etc/cloud/cloud.cfg
  register: U18_server
- name: edit cloud.cfg yaml
+- name: Edit cloud.cfg yaml
  lineinfile:
    dest: /etc/cloud/cloud.cfg
    regexp: '^preserve_hostname*'
--- a/roles/0-init/tasks/iiab_ini.yml
+++ b/roles/0-init/tasks/iiab_ini.yml
@ -1,5 +1,5 @@
 # workaround for fact that auto create does not work on ini_file
- name: Create iiab config file
+- name: Create /etc/iiab/iiab.ini (iiab_config_file)
  file:
    dest: "{{ iiab_config_file }}"
    state: touch
@ -16,12 +16,12 @@
    - option: iiab_dir
      value: "{{ iiab_dir }}"
- name: add version section
+- name: Add version section
  ini_file:
-      dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_config_file }}"
-      section: version
+    section: version
-      option: "{{ item.option }}"
+    option: "{{ item.option }}"
-      value: "{{ item.value }}"
+    value: "{{ item.value }}"
  with_items:
    - option: distribution
      value: "{{ ansible_distribution }}"
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -10,8 +10,8 @@
    first_run: True
  when: not NewInstall.stat.exists
-# we need to inialize the ini file and only write the location and version sections once and only
+# We need to inialize the ini file and only write the location and version
-# once to preserve the install date and git hash.
+# sections once and only once to preserve the install date and git hash.
 - name: Write iiab_ini.yml for the first time
  include_tasks: first_run.yml
  when: first_run
@ -22,13 +22,13 @@
  setup:
    filter: ansible_local
- name: Set top level variables from local facts for convenience
+- name: Set top-level variables from local_facts for convenience
  set_fact:
    xo_model: "{{ ansible_local.local_facts.xo_model }}"
    phplib_dir: "{{ ansible_local.local_facts.phplib_dir }}"
    iiab_stage: "{{ ansible_local.local_facts.stage }}"
- name: Discover if this is running Raspbian -- if so assume it is a RPi
+- name: Discover if this is running Raspbian -- if so assume it is an RPi
  set_fact:
    rpi_model: "rpi"
    is_rpi: True
@ -41,7 +41,8 @@
    exFAT_enabled: True
  when: xo_model != "none"
-# Discover  do we have a gateway? -- if ansible detects gateway, becomes WAN candidate
+# Discover: do we have a gateway?
 # If Ansible detects gateway, becomes WAN candidate.
 - name: Finding gateway
  set_fact:
    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
@ -58,7 +59,7 @@
    gw_active: True
  when: discovered_wan_iface != "none" and gw_active_test.stdout == "1"
- name: Test for internet access
+- name: Test for Internet access
  get_url:
    url: "{{ iiab_download_url }}/heart-beat.txt"
    dest: /tmp/heart-beat.txt
@ -74,12 +75,12 @@
    internet_available: True
  when: not internet_access_test|failed and not disregard_network
- name: Cleanup internet test file
+- name: Remove Internet test file
  file:
    path: /tmp/heart-beat.txt
    state: absent
-# Put all computed vars here so derive properly from any prior var file
+# Put all computed vars here so derive properly from any prior var file.
 - name: If the TZ is not set in env, set it to UTC
  include_tasks: tz.yml
@ -98,24 +99,24 @@
    mysql_install: True
    mysql_enabled: True
-# we decided to enable mysql unconditionally
+# We decided to enable mysql unconditionally.
 #  when: elgg_enabled or rachel_enabled or owncloud_enabled or phpmyadmin_enabled or wordpress_enabled or iiab_menu_install
-# Commenting out MongoDB on a trial basis, for a more basic/lightweight Sugarizer, per https://github.com/iiab/iiab/pull/427
+# Late 2017: Had commented out MongoDB on a trial basis, for a more basic/lightweight Sugarizer, per https://github.com/iiab/iiab/pull/427
- name: Turn on mongodb if sugarizer enabled
+- name: Turn on vars for MongoDB if Sugarizer enabled
  set_fact:
     mongodb_install: True
     mongodb_enabled: True
  when: sugarizer_enabled
 # There might be other db's
- name: Turn on PostgreSQL if Moodle or Pathagar enabled
+- name: Turn on vars for PostgreSQL if Moodle or Pathagar enabled
  set_fact:
    postgresql_install: True
    postgresql_enabled: True
  when: moodle_enabled or pathagar_enabled
- name: Turn on Docker if SchoolTool is to be installed
+- name: Turn on vars for Docker if SchoolTool is to be installed
  set_fact:
    docker_install: True
    docker_enabled: True
@ -131,15 +132,14 @@
    python_path: /usr/local/lib/python2.7/dist-packages/
  when: is_debuntu
-# for various reasons the mysql service can not be enabled on fedora 20,
+# For various reasons the mysql service cannot be enabled on Fedora 20, but
-# but 'mariadb', which is its real name can
+# 'mariadb', which is its real name can.  On Fedora 18 we need to use 'mysqld'.
 # on fedora 18 we need to use 'mysqld'
- name: Set mysqld_service to mariadb by default
+- name: Set mysql_service to mariadb by default
  set_fact:
    mysql_service: mariadb
- name: Set mysqld_service to mysqld etc (Fedora 18)
+- name: Set mysql_service to mysqld etc (Fedora 18)
  set_fact:
    mysql_service: mysqld
    no_NM_reload: True
@ -161,11 +161,11 @@
    FQDN_changed: True
  when: iiab_fqdn != ansible_fqdn
- name: Setting hostname
+- name: Set hostname if FQDN_changed
  include_tasks: hostname.yml
  when: FQDN_changed
- name: Add version section
+- name: Add 'runtime' section alongside list of services at /etc/iiab/iiab.ini
  ini_file:
    dest: "{{ iiab_config_file }}"
    section: runtime
@ -209,9 +209,9 @@
    - option: FQDN_changed
      value:  "{{ FQDN_changed }}"
- name: Now changing FQDN
+#- name: Now changing FQDN
-  include_tasks: hostname.yml
+#  include_tasks: hostname.yml
-  when: FQDN_changed
+#  when: FQDN_changed
 - name: STAGE 0 HAS COMPLETED ======================================
  ini_file:
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -14,14 +14,14 @@
    - avahi-tools
  when: is_redhat
- name: Download usbmount -- not in Debian Stretch (debian_9)
+- name: Download usbmount -- not in Debian Stretch (debian-9)
  get_url:
    url: "{{ iiab_download_url }}/usbmount_0.0.14.1_all.deb"
    dest: "{{ downloads_dir }}"
    timeout: "{{ download_timeout }}"
  when: internet_available and is_debian_9
- name: Install usbmount (debian_9)
+- name: Install usbmount (debian-9)
  command: apt install -y {{ downloads_dir }}/usbmount_0.0.14.1_all.deb
  when: is_debian_9
--- a/roles/2-common/tasks/udev.yml
+++ b/roles/2-common/tasks/udev.yml
@ -22,8 +22,9 @@
  when: udev_unit.stat.exists is defined and udev_unit.stat.exists
 # ubuntu 16.04 comes with ansible 2.0.0.2 -- no systemd module
- name: Ask systemd to recognize the changes
+- name: Ask systemd to reread unit files (daemon-reload)
-  shell: systemctl daemon-reload
+  systemd:
    daemon_reload: yes
  when: udev_unit.stat.exists is defined and udev_unit.stat.exists
 - name: Restart so systemd recognizes the changes
--- a/roles/4-server-options/README.rst
+++ b/roles/4-server-options/README.rst
@ -2,7 +2,7 @@
 4-server-options README
 =======================
-Whereas 3-base-server installs critical packages needed by all, this 4th stage installs a broad array of *options* -- depending on which server apps will be installed in later stages -- as specified in /opt/iiab/iiab/vars/local_vars.yml
+Whereas 3-base-server installs critical packages needed by all, this 4th stage installs a broad array of *options* -- depending on which server apps will be installed in later stages -- as specified in /etc/iiab/local_vars.yml
 This includes some networking fundamentals, before they're configured later on.
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -85,7 +85,7 @@
    src: roles/1-prep/templates/iiab_env.py.j2
    dest: /etc/iiab/iiab_env.py
- name: Generate the offline documents
+- name: Run /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation (script was installed at the beginning of Stage 3 = roles/3-base-server/tasks/main.yml, which runs the HTTPD playbook = roles/httpd/tasks/main.yml)
  command: /usr/bin/iiab-refresh-wiki-docs
  when: not nodocs
--- a/roles/7-edu-apps/tasks/main.yml
+++ b/roles/7-edu-apps/tasks/main.yml
@ -9,6 +9,12 @@
  when: kalite_install
  tags: kalite
 - name: KOLIBRI
  include_role:
    name: kolibri
  when: kolibri_install
  tags: kolibri
 - name: KIWIX
  include_role:
    name: kiwix
--- a/roles/calibre/defaults/main.yml
+++ b/roles/calibre/defaults/main.yml
@ -5,7 +5,14 @@ calibre_web_path: calibre
 # In addition to: http://box:8080 http://box/books box/libros box/livres box/livros box/liv
 calibre_dbpath: "{{ content_base }}/calibre"
-# i.e. /library/calibre
+# i.e. /library/calibre (holds metadata.db + book directories + our users.sqlite)
 calibre_userdb: "{{ calibre_dbpath }}/users.sqlite"
 # i.e. /library/calibre/users.sqlite since github.com/iiab/iiab/issues/830
 # Teachers add/remove/convert books & edit metadata using: Admin/changeme
 # Stub/Student acnts to browse: box/box, h/h, ht/ht, m/m, mx/mx, p/p, pe/pe
 # Edit accounts/permissions using:
 #   calibre-server --manage-users --userdb /library/calibre/users.sqlite
 calibre_sample_book: "Metamorphosis-jackson.epub"
 # Must be downloadable from http://download.iiab.io/packages
@ -14,5 +21,5 @@ calibre_src_url: "https://raw.githubusercontent.com/kovidgoyal/calibre/master/se
 # USE TO TEST debs.yml (RASPBIAN APPROACH!) ON DEBIAN 9.X: (now handled by calibre_via_debs in /opt/iiab/iiab/vars/*)
 #calibre_debs_on_debian: True
-# Enable unstable .deb's, not just testing .deb's: (moved to vars/local_vars.yml & vars/default_vars.yml)
+# Enable unstable .deb's, not just testing .deb's: (moved to /etc/iiab/local_vars.yml & /opt/iiab/iiab/vars/default_vars.yml)
 #calibre_unstable_debs: False
--- a/roles/calibre/tasks/create-db.yml
+++ b/roles/calibre/tasks/create-db.yml
@ -1,9 +1,3 @@
 - name: Create /library/calibre (mandatory since Calibre 3.x)
  file:
    path: "{{ calibre_dbpath }}"
    state: directory
    #mode: 0755
 - name: Check if sample book exists in /opt/iiab/downloads
  stat:
    path: "{{ content_base }}/downloads/{{ calibre_sample_book }}"
--- a/roles/calibre/tasks/debs.yml
+++ b/roles/calibre/tasks/debs.yml
@ -28,7 +28,8 @@
 #  when: is_rpi and internet_available
 - name: Upgrade to latest Calibre using .deb's from testing (rpi)
-  command: scripts/calibre-install-latest-rpi.sh    # SEEMS TO ONCE AGAIN WORK since Calibre 3.26.0 (Calibre 3.24-3.25 required above prereq calibre-install-packages.sh then Debian's own calibre-install-latest.sh to be bootable in Zero W)
+  #command: scripts/calibre-install-latest-rpi-plus.sh    # NEC FOR Calibre 3.27.1 on 2018-07-22 (#948 -> PR #950) THO NOT BOOTABLE IN Zero W (#952).  Similar to Calibre 3.24.x & 3.25 in June 2018, which had used calibre-install-packages.sh then Debian's own calibre-install-latest.sh
  command: scripts/calibre-install-latest-rpi.sh    # WORKS for Calibre 3.28 on 2018-07-26 (PR #971).  Likewise for Calibre 3.26.x
  when: is_rpi and internet_available
 - name: Upgrade to Calibre testing .deb's - target Ubuntu 16.04 (not rpi and not ubuntu_18)
--- a/roles/calibre/tasks/main.yml
+++ b/roles/calibre/tasks/main.yml
@ -32,7 +32,7 @@
 # - run testing branch for Ubuntu 16.04: scripts/calibre-install-latest.sh
 # - run unstable branch for Debian etc: scripts/calibre-install-unstable.sh
- name: Create calibre-serve.service and calibre.conf
+- name: Create calibre-serve.service and calibre.conf (IF /usr/bin/calibre WAS MISSING)
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
@ -40,15 +40,17 @@
    group: root
    mode: "{{ item.mode }}"
    backup: no
-  register: calibre_config
+# register: calibre_config
  with_items:
    - { src: 'calibre-serve.service.j2', dest: '/etc/systemd/system/calibre-serve.service', mode: '0644'}
    - { src: 'calibre.conf', dest: '/etc/{{ apache_config_dir }}', mode: '0644'}
  when: (not calib_executable.stat.exists)
- name: Force systemd to reread configs
+- name: Force systemd to reread configs (IF /usr/bin/calibre WAS MISSING)
  systemd:
    daemon_reload: yes
-  when: calibre_config.changed
+  when: (not calib_executable.stat.exists)
 # when: calibre_config.changed
 # 2. STOP CALIBRE SERVICE IF IT EXISTS (REQUIRED FOR DB ACTIVITY...AND IF not calibre_enabled)
@ -67,7 +69,24 @@
 #  failed_when: false          # Never Fail during "systemctl stop calibre-serve" (even if service doesn't exist!)
 # when: calibre_svc.stat.exists
-# 3. CREATE DATABASE WITH A SAMPLE BOOK (REQUIRED AS OF CALIBRE 3.x)
+# 3. CREATE USER DATABASE
 - name: Create /library/calibre (mandatory since Calibre 3.x)
  file:
    path: "{{ calibre_dbpath }}"
    state: directory
    #mode: 0755
 - name: Copy template userdb to /library/calibre/users.sqlite (IF /usr/bin/calibre WAS MISSING)
  copy:
    src: /opt/iiab/iiab/roles/calibre/templates/users.sqlite
    dest: "{{ calibre_userdb }}"
    owner: root
    group: root
    mode: 0644
  when: (not calib_executable.stat.exists)
 # 4. CREATE CONTENT DATABASE WITH A SAMPLE BOOK (REQUIRED AS OF CALIBRE 3.x)
 - name: Check if /library/calibre/metadata.db exists
  stat:
@ -78,7 +97,7 @@
  include_tasks: create-db.yml
  when: not calibre_db.stat.exists
-# 4. WRAP UP: ENABLE CALIBRE SERVICE, http://box/books ETC
+# 5. WRAP UP: ENABLE CALIBRE SERVICE, http://box/books ETC
 # http://box:8080 & http://box:8080/mobile WORK BUT OTHER URL'S LIKE http://box/books ARE A MESS (BOOKS RARELY DISPLAY)
 - name: Create calibre.conf link for UNTESTED http://box/books etc (debuntu)
--- a/roles/calibre/templates/calibre-serve.service.j2
+++ b/roles/calibre/templates/calibre-serve.service.j2
@ -6,7 +6,7 @@ After=syslog.target network.target local-fs.target
 Type=forking
 PIDFile=/var/run/calibre.pid
 TimeoutStartSec=400
-ExecStart=/usr/bin/calibre-server --daemonize --log=/var/log/calibre.log --pidfile=/var/run/calibre.pid --port={{ calibre_port }} {{ calibre_dbpath }}
+ExecStart=/usr/bin/calibre-server --daemonize --log=/var/log/calibre.log --pidfile=/var/run/calibre.pid --port={{ calibre_port }} --enable-auth --userdb={{ calibre_userdb }} {{ calibre_dbpath }}
 [Install]
 TimeoutStartSec=900
--- a/roles/calibre/templates/calibre.conf
+++ b/roles/calibre/templates/calibre.conf
@ -1,4 +1,4 @@
-# http://box/XYZ mnemonic if properly set within /opt/iiab/iiab/vars/local_vars.yml
+# http://box/XYZ mnemonic if properly set within /etc/iiab/local_vars.yml
 ProxyPass /{{ calibre_web_path }}  http://localhost:{{ calibre_port }}
 ProxyPassReverse /{{ calibre_web_path }}  http://localhost:{{ calibre_port }}
--- a/roles/calibre/templates/users.sqlite
+++ b/roles/calibre/templates/users.sqlite
--- a/roles/elgg/README.rst
+++ b/roles/elgg/README.rst
@ -6,24 +6,25 @@ Elgg is an award-winning social networking engine, delivering the building block
 that enable businesses, schools, universities and associations to create their own
 fully-featured social networks and applications.
-http://elgg.org/
+https://elgg.org
 After Installation
 ------------------
-Go to http://box.lan/elgg and log on as Admin with password changeme.
+Go to http://box/elgg or http://box.lan/elgg and log on as Admin with password changeme.
 Change the following:
 * Administrator password
-* Title to appear on elgg screens and any other settings as desired.
+* Title to appear on Elgg screens and any other settings as desired.
 Locations
 ---------
 - The uploaded files are expected to be in /library/elgg
- The URL is /elgg
+- The software is in /opt/elgg -> /opt/elgg-x.y.z (i.e. actual version number)
 - The URL is http://box/elgg
 Parameters
 ----------
@ -34,16 +35,16 @@ some constraints.
 Users and Passwords
 -------------------
-There are a number of seemilingly similar user names and passwords in this installation:
+There are a number of seemingly similar usernames and passwords in this installation:
-* dbuser - the mysql user that elgg uses to access the database.  This is a local variable
+* dbuser - the MySQL user that Elgg uses to access the database
-           the name of which corresponds to that in the elgg settings.php file.
+           This is a local variable, the name of which corresponds to that in /opt/elgg/elgg-config/settings.php
-* dbpassword - password for dbuser. This is also a local variable
+* dbpassword - password for dbuser
-               the name of which corresponds to that in the elgg settings.php file.
+               This is also a local variable, the name of which corresponds to that in /opt/elgg/elgg-config/settings.php
-* elgg_mysql_password - this is the global name for dbpassword in default_vars.yml.
+* elgg_mysql_password - this is the global name for dbpassword in default_vars.yml
-* elgg_admin_user - the elgg (not mysql) user that is the administrator.
+* elgg_admin_user - the Elgg (not MySQL) user that is the administrator
-* elgg_admin_password - the password for elgg_admin_user.
+* elgg_admin_password - the password for elgg_admin_user
--- a/roles/elgg/defaults/main.yml
+++ b/roles/elgg/defaults/main.yml
@ -1,5 +1,5 @@
 elgg_xx: elgg
-elgg_version: "2.3.7"
+elgg_version: "2.3.8"
 # elgg_mysql_password: defined in default_vars
 elgg_url: /elgg
@ -7,7 +7,7 @@ elgg_upload_path: /library/elgg
 elgg_install: True
 elgg_enabled: False
-# following variables used in elgg engine/settings.php template
+# Variables used by template to create /opt/elgg/elgg-config/settings.php
 dbuser: Admin
 dbpassword: changeme
 dbname: elggdb
--- a/roles/elgg/tasks/main.yml
+++ b/roles/elgg/tasks/main.yml
@ -29,10 +29,9 @@
    state: link
    force: true
-# use template to fix up settings in engine/settings.php with our variables substituted
+# Use template to fix up settings in elgg-config/settings.php with our variables substituted.
-# into engine/settings.example.php
+# Note this will overwrite any manual settings.
-# note this will overwrite any manual settings
+- name: Substitute our parameters in /opt/elgg/elgg-config/settings.php
 - name: Substitute our parameters in engine/settings.example.php
  template:
    src: "settings.php.j2"
    dest: "/opt/{{ elgg_xx }}/elgg-config/settings.php"
@ -90,9 +89,9 @@
    password: "{{ dbpassword }}"
    priv: "{{ dbname }}.*:ALL"
  with_items:
-        - 127.0.0.1
+    - 127.0.0.1
-        - ::1
+    - ::1
-        - localhost
+    - localhost
 - name: Create file to load database
  template:
--- a/roles/homepage/tasks/main.yml
+++ b/roles/homepage/tasks/main.yml
@ -1,16 +1,19 @@
 - name: Create home directory
-  file: path={{ doc_root }}/home
+  file:
-        mode=0755
+    path: "{{ doc_root }}/home"
-        owner={{ apache_user }}
+    owner: "{{ apache_user }}"
-        group={{ apache_user }}
+    group: "{{ apache_user }}"
-        state=directory
+    mode: 0755
    state: directory
 - name: Install admin homepage into apache2
-  template: src=iiab-homepage.conf
+  template:
-            dest=/etc/{{ apache_config_dir }}/iiab-homepage.conf
+    src: iiab-homepage.conf
    dest: "/etc/{{ apache_config_dir }}/iiab-homepage.conf"
 - name: Enable the home page
-  file: src=/etc/{{ apache_config_dir }}/iiab-homepage.conf
+  file:
-        dest=/etc/apache2/sites-enabled/iiab-homepage.conf
+    src: "/etc/{{ apache_config_dir }}/iiab-homepage.conf"
-        state=link
+    dest: /etc/apache2/sites-enabled/iiab-homepage.conf
    state: link
  when: is_debuntu
--- a/roles/httpd/files/html/credits.html
+++ b/roles/httpd/files/html/credits.html
@ -10,35 +10,39 @@
 <BODY>
  <h1>Internet-in-a-Box Credits</h1>
-  The XSCE School Server known as Internet-in-a-Box includes a variety of educational and other content and applications which are attributed as follows:<br><br>
+  Internet-in-a-Box (formerly known as XSCE School Server) includes a variety of educational content and applications which are attributed as follows:<br><br>
  All Wikipedia content is available for free at  <a href="http://www.wikipedia.org/">www.wikipedia.org</a>.<br>
  All other Wikimedia content is available for free via links at  <a href="http://www.wikimedia.org/">www.wikimedia.org</a>.<br>
  All Khan Academy content is available for free at  <a href="http://www.khanacademy.org/">www.khanacademy.org</a>.<br>
  All CK-12 content is available for free at  <a href="http://www.ck-12.org/">www.ck-12.org</a>.<br>
  All PhET Interactive Simulations content is available for free at  <a href="http://phet.colorado.edu">phet.colorado.edu</a>.<br>
  All MedLine content is available for free at  <a href="http://www.nlm.nih.gov/medlineplus/">www.nlm.nih.gov/medlineplus</a>.<br>
  All Hesperian content is available for free at  <a href="http://www.hesperian.org/">www.hesperian.org</a>.<br>
  All Gutenberg content is available for free at  <a href="http://www.gutenberg.org/">www.gutenberg.org</a>.<br>
  All OLPC content is available for free at  <a href="http://wiki.laptop.org/go/Library_grid">www.laptop.org</a>.<br>
  All MIT Scratch content is available for free at  <a href="http://scratch.mit.edu">scratch.mit.edu</a>.<br>
  All UNESCO's IICBA content is available for free at  <a href="http://www.eng.unesco-iicba.org/elibrary">www.eng.unesco-iicba.org</a>.<br>
  All Math Expression content is available for free at  <a href="http://www.mathexpression.com">www.mathexpression.com</a>.<br>
  All Music Theory content is available for free at  <a href="http://www.musictheory.net">www.musictheory.net</a>.<br><br>
  All Wikipedia content is available for free at  <a href="https://www.wikipedia.org/">www.wikipedia.org</a>.<br>
  All other Wikimedia content is available for free via links at  <a href="https://www.wikimedia.org/">www.wikimedia.org</a>.<br>
  All Khan Academy content is available for free at  <a href="https://www.khanacademy.org/">www.khanacademy.org</a>.<br>
  All CK-12 content is available for free at  <a href="https://www.ck12.org/">www.ck12.org</a>.<br>
  All PhET Interactive Simulations content is available for free at  <a href="https://phet.colorado.edu">phet.colorado.edu</a>.<br>
  All MedLine content is available for free at  <a href="https://medlineplus.gov/">medlineplus.gov</a>.<br>
  All Hesperian content is available for free at  <a href="https://hesperian.org/">hesperian.org</a>.<br>
  Arabic translations of Hesperian content were done by Arab Resource Collective and are available for free at  <a href="http://www.mawared.org">mawared.org</a>.<br>
  All Gutenberg content is available for free at  <a href="https://www.gutenberg.org/">www.gutenberg.org</a>.<br>
  All OLPC content is available for free at  <a href="http://wiki.laptop.org/go/Collections">wiki.laptop.org</a>.<br>
  All MIT Scratch content is available for free at  <a href="https://scratch.mit.edu">scratch.mit.edu</a>.<br>
  All UNESCO's IICBA content is available for free at  <a href="http://www.iicba.unesco.org/?q=elibrary">www.iicba.unesco.org/</a>.<br>
  All Math Expression content is available for free at  <a href="https://www.mathexpression.com/">www.mathexpression.com</a>.<br>
  All Music Theory content is available for free at  <a href="https://www.musictheory.net/">www.musictheory.net</a>.<br>
  All HealthPhone content is available for free at  <a href="http://www.healthphone.org/">www.healthphone.org</a>.<br>
  All Centers for Disease Control content is available for free at  <a href="https://www.cdc.gov/">www.cdc.gov</a>.<br>
  All Global Emergency Medicine Wiki content is available for free at  <a href="https://wikem.org/wiki/Main_Page">wikem.org/wiki/Main_Page</a>.<br><br>
  Internet-in-a-Box also includes the work of content aggregators which we gratefully acknowledge:<br><br>
-  RACHEL is a curation of selected offline content at  <a href="http://www.rachel.worldpossible.org/">www.rachel.worldpossible.org</a>.<br>
+  RACHEL is a curation of selected offline content at  <a href="http://oer2go.org/">oer2go.org</a>.<br>
-  Kiwix is a Zim server and repository of Wikimedia and other content in a compressed Zim file format at <a href="http://www.kiwix.org/">www.kiwix.org</a>.<br>
+  Kiwix is a ZIM server and repository of Wikimedia and other content in a compressed ZIM file format at <a href="http://www.kiwix.org/">www.kiwix.org</a>.<br>
-  KA Lite is a server and repository of Khan Academy content in various languages at  <a href="http://learningequality.org/ka-lite/">learningequality.org/ka-lite</a>.<br><br>
+  KA Lite is a server and repository of Khan Academy content in various languages at  <a href="https://learningequality.org/ka-lite/">learningequality.org/ka-lite</a>.<br><br>
-  Internet-in-a-Box also contains a number of applications each of which has its own attribution information which is included.<br><br>
+  Internet-in-a-Box also contains a number of applications each of which has its own attribution information, which is included.<br><br>
-  This Internet-in-a-Box distribution resides at <a href="http://github.com/XSCE/iiab">github.com/XSCE/iiab</a>.<br><br>
+  This Internet-in-a-Box distribution resides at <a href="https://github.com/iiab">github.com/iiab</a>.<br><br>
  It is licensed under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.<br><br>
-  Licensing information may be found at  <a href="http://github.com/XSCE/iiab/blob/master/LICENSE">github.com/XSCE/iiab/blob/master/LICENSE</a>.<br>
+  Licensing information may be found at  <a href="https://github.com/iiab/iiab/blob/master/LICENSE.md">github.com/iiab/iiab/blob/master/LICENSE.md</a>.<br>
 </BODY>
 <script type="text/javascript" src="incl/xs-portal.js"></script>
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@ -53,7 +53,6 @@
 - name: Remove the default apache2 config file (debuntu)
  file:
    path: /etc/apache2/sites-enabled/000-default.conf
    src: /etc/apache2/sites-available/000-default.conf
    state: absent
  when: is_debuntu
@ -170,7 +169,12 @@
  tags:
    - base
- name: Place the script to generate homepages
+# Fixes search @ http://box/modules/es-wikihow - see https://github.com/iiab/iiab/issues/829
 - include_tasks: php-stem.yml
  tags:
    - base
 - name: Install /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation (will be run at the end of Stage 4 = roles/4-server-options/tasks/main.yml)
  template:
    src: refresh-wiki-docs.sh
    dest: /usr/bin/iiab-refresh-wiki-docs
--- a/roles/httpd/tasks/php-stem.yml
+++ b/roles/httpd/tasks/php-stem.yml
@ -0,0 +1,38 @@
 # Fixes search @ http://box/modules/es-wikihow (popular with Spanish youth)
 # Source code: http://download.iiab.io/packages/php-stem.src.tar
 # June 2018 debugging & compilation thanks to Tim Moody & George Hunt
 # Original bug: https://github.com/iiab/iiab/issues/829
 #- name: Download php-stem.rpi.tar
 #  command: cd /; wget http://download.iiab.io/packages/php-stem.rpi.tar
 #  when: is_rpi
 #- name: Download php-stem.x86.tar
 #  command: cd /; wget http://download.iiab.io/packages/php-stem.x64.tar
 #  when: not is_rpi
 - name: Download & unpack php-stem.rpi.tar to / (rpi)
  unarchive:
    src: http://download.iiab.io/packages/php-stem.rpi.tar
    dest: /
    owner: root
    group: root
    #mode: ????
    remote_src: yes
  when: is_rpi
 - name: Download & unpack php-stem.x86.tar to / (not rpi)
  unarchive:
    src: http://download.iiab.io/packages/php-stem.x64.tar
    dest: /
    owner: root
    group: root
    #mode: ????
    remote_src: yes
  when: not is_rpi
 # No need to do this twice?  Happens later @ https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml#L24-L28
 #- name: Restart apache2 / httpd
 #  service:
 #    name: "{{ apache_service }}"
 #    state: restarted
--- a/roles/kalite/defaults/main.yml
+++ b/roles/kalite/defaults/main.yml
@ -1,21 +1,29 @@
 ---
 # The values here are defaults.
-# To override them edit the main var definitions in iiab/vars
+# To override them edit /etc/iiab/local_vars.yml
-kalite_version: "0.17.4"
+
 kalite_install: True
 kalite_enabled: False
 kalite_version: "0.17.5"
 kalite_repo_url: "https://github.com/learningequality/ka-lite.git"
 kalite_requirements: "https://raw.githubusercontent.com/learningequality/ka-lite/master/requirements.txt"
 kalite_venv: "/usr/local/kalite/venv"
 kalite_program: "{{ kalite_venv }}/bin/kalite"
 kalite_requirements: "https://raw.githubusercontent.com/learningequality/ka-lite/master/requirements.txt"
 kalite_root: "/library/ka-lite"
 kalite_server_port: 8008
 kalite_admin_user: Admin
 kalite_admin_password: changeme
 # Unused in 2018; but remain as placeholders for Fedora 18 legacy (XO laptops)
 kalite_cron_enabled: False
 kalite_user: kalite
 # obtain a password hash with - python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
 kalite_password_hash: $6$<salt>$KHET0XRRsgAY.wOWyTOI3W7dyDh0ESOr48uI5vtk2xdzsU7aw0TF4ZkNuM34RmHBGMJ1fTCmOyVobo0LOhBlJ/
 kalite_password: kalite
-kalite_admin_user: Admin
+
-kalite_admin_password: changeme
+# Unused in 2018
-kalite_server_name: kalite
+# kalite_server_name: kalite
-kalite_server_port: 8008
+# khan_assessment_install: True
-kalite_enabled: False
+# khan_assessment_url: "http://pantry.learningequality.org/downloads/ka-lite/0.16/content/khan_assessment.zip"
 kalite_cron_enabled: False
 khan_assessment_install: True
 khan_assessment_url: "http://pantry.learningequality.org/downloads/ka-lite/0.16/content/khan_assessment.zip"
--- a/roles/kalite/tasks/assessment.yml
+++ b/roles/kalite/tasks/assessment.yml
@ -8,7 +8,7 @@
 - name: Run the assessment setup using kalite manage
  command: "{{ kalite_program }} manage unpack_assessment_zip {{ downloads_dir }}/khan_assessment.zip"
  environment:
-     KALITE_HOME: "{{ kalite_root }}"
+    KALITE_HOME: "{{ kalite_root }}"
  async: 900
  poll: 10
  when: not khan_assessment_installed.stat.exists or khan_assessment_installed.stat.size < 20000
--- a/roles/kalite/tasks/enable.yml
+++ b/roles/kalite/tasks/enable.yml
@ -2,26 +2,30 @@
 # And the systemd unit files should be defined
 - name: Enable 'kalite-serve' service
-  service: name=kalite-serve
+  service:
-           enabled=yes
+    name: kalite-serve
-           state=started
+    enabled: yes
    state: started
 - name: Disable 'kalite-serve' service
-  service: name=kalite-serve
+  service:
-           enabled=no
+    name: kalite-serve
-           state=stopped
+    enabled: no
    state: stopped
  when: not kalite_enabled
 # Since Fedora 18 we don't have a separate unit file for kalite-cron
 - name: Disable kalite cron server F18
-  service: name=kalite-cron
+  service:
-           enabled=no
+    name: kalite-cron
-           state=stopped
+    enabled: no
    state: stopped
  when: not kalite_cron_enabled and is_F18
 - name: Enable kalite cron server F18
-  service: name=kalite-cron
+  service:
-           enabled=yes
+    name: kalite-cron
-           state=started
+    enabled: yes
    state: started
  when: kalite_cron_enabled and is_F18
--- a/roles/kalite/tasks/install-f18.yml
+++ b/roles/kalite/tasks/install-f18.yml
@ -1,66 +1,75 @@
 # This is for Fedora 18, assumed to be an XO
 - name: Install dependent packages (Fedora 18)
-  package: name={{ item }}
+  package:
-           state=present
+    name: "{{ item }}"
    state: present
  with_items:
    - python-psutil
    - expect
  when: is_F18
 - name: Install dependent pip packages (Fedora 18)
-  pip: name=selenium
+  pip:
    name: selenium
  when: internet_available and is_F18
 - name: Determine if KA Lite is already downloaded
-  stat: path={{ downloads_dir }}/ka-lite
+  stat:
    path: "{{ downloads_dir }}/ka-lite"
  register: kalite
 - name: Download the latest KA Lite repo
-  git: repo={{ kalite_repo_url }}
+  git:
-       dest={{ downloads_dir }}/ka-lite
+    repo: "{{ kalite_repo_url }}"
-       depth=1
+    dest: "{{ downloads_dir }}/ka-lite"
-       version="0.13.x"
+    depth: 1
    version: 0.13.x
  ignore_errors: yes
  when: internet_available and kalite.stat.exists is defined and not kalite.stat.exists
 - name: Create iiab-kalite user and password (Fedora 18)
-  user: name={{ kalite_user }}
+  user:
-        password={{ kalite_password_hash }}
+    name: "{{ kalite_user }}"
-        update_password=on_create
+    password: "{{ kalite_password_hash }}"
    update_password: on_create
 - name: Create kalite_root directory (Fedora 18)
-  file: path={{ kalite_root }}
+  file:
-        owner=root
+    path: "{{ kalite_root }}"
-        group=root
+    owner: root
-        mode=0755
+    group: root
-        state=directory
+    mode: 0755
    state: directory
 - name: Copy the KA Lite repo into place (Fedora 18)
  command: "rsync -at {{ downloads_dir }}/ka-lite/ {{ kalite_root }}"
 - name: Make kalite_user owner
-  file: path={{ kalite_root }}
+  file:
-        owner={{ kalite_user }}
+    path: "{{ kalite_root }}"
-        group={{ kalite_user }}
+    owner: "{{ kalite_user }}"
-        recurse=yes
+    group: "{{ kalite_user }}"
-        state=directory
+    recurse: yes
    state: directory
 # local_settings is deprecated
 - name: Copy local_settings file
-  template: src=f18/local_settings.py.j2
+  template:
-            dest="{{ kalite_root }}/kalite/local_settings.py"
+    src: f18/local_settings.py.j2
-            owner={{ kalite_user }}
+    dest: "{{ kalite_root }}/kalite/local_settings.py"
-            group={{ kalite_user }}
+    owner: "{{ kalite_user }}"
-            mode=0644
+    group: "{{ kalite_user }}"
    mode: 0644
 - name: Create kalite-serve & kalite-cron services, and iiab_cronservectl.sh
-  template: backup=no
+  template:
-            src={{ item.src }}
+    backup: no
-            dest={{ item.dest }}
+    src: "{{ item.src }}"
-            owner=root
+    dest: "{{ item.dest }}"
-            group=root
+    owner: root
-            mode={{ item.mode }}
+    group: root
    mode: "{{ item.mode }}"
  with_items:
    - { src: 'f18/kalite-serve.service.j2', dest: '/etc/systemd/system/kalite-serve.service', mode: '0644'}
    - { src: 'f18/kalite-cron.service.j2', dest: '/etc/systemd/system/kalite-cron.service', mode: '0644'}
--- a/roles/kalite/tasks/install.yml
+++ b/roles/kalite/tasks/install.yml
@ -32,7 +32,7 @@
 #       extra_args="--disable-pip-version-check"
  when: internet_available and is_debuntu
-#- name: Install KA Lite non-static + reqs file with pip - (OS's other than debuntu)
+#- name: Install KA Lite non-static + reqs file with pip (OS's other than debuntu)
 #  pip: requirements={{ pip_packages_dir }}/kalite.txt
 #       virtualenv={{ kalite_venv }}
 #       virtualenv_site_packages=no
@ -40,7 +40,7 @@
 #       extra_args="--disable-pip-version-check"
 #  when: internet_available and not is_debuntu
- name: Install KA Lite static with pip - (OS's other than debuntu)
+- name: Install KA Lite static with pip (OS's other than debuntu)
  pip:
    name: ka-lite-static
    version: "{{ kalite_version }}"
--- a/roles/kalite/tasks/main.yml
+++ b/roles/kalite/tasks/main.yml
@ -4,16 +4,17 @@
 - name: Calc KA Lite db file name (Fedora 18)
  set_fact:
-     kalite_db_name: "{{ kalite_root }}/kalite/database/data.sqlite"
+    kalite_db_name: "{{ kalite_root }}/kalite/database/data.sqlite"
  when: is_F18
 - name: Calc KA Lite db file name (OS's other than Fedora 18)
  set_fact:
-     kalite_db_name: "{{ kalite_root }}/database/data.sqlite"
+    kalite_db_name: "{{ kalite_root }}/database/data.sqlite"
  when: not is_F18
 - name: See if KA Lite is already configured
-  stat: path="{{ kalite_db_name }}"
+  stat:
    path: "{{ kalite_db_name }}"
  register: kalite_installed
 - include_tasks: install-f18.yml
@ -22,8 +23,9 @@
 - include_tasks: install.yml
  when: kalite_installed is defined and not kalite_installed.stat.exists and not is_F18
- name: Ask systemd to reread the unit files
+- name: Ask systemd to reread unit files (daemon-reload)
-  shell: systemctl daemon-reload
+  systemd:
    daemon_reload: yes
  when: not kalite_installed.stat.exists
 - include_tasks: setup-f18.yml
@ -47,13 +49,9 @@
    value: '"KA Lite is a server to present Khan Academy videos offline and to download them."'
  - option: path
    value: "{{ kalite_root }}"
  - option: server_name
    value: "{{ kalite_server_name }}"
  - option: port
    value: "{{ kalite_server_port }}"
  - option: enabled
    value: "{{ kalite_enabled }}"
  - option: cron_enabled
    value: "{{ kalite_cron_enabled }}"
  - option: khan_assessment_install
    value: "{{ khan_assessment_install }}"
--- a/roles/kalite/tasks/setup.yml
+++ b/roles/kalite/tasks/setup.yml
@ -1,15 +1,16 @@
 # This is for an OS other than Fedora 18
 - name: Create kalite_root directory
-  file: path={{ kalite_root }}/httpsrv/static
+  file:
-        owner=root
+    path: "{{ kalite_root }}/httpsrv/static"
-        group=root
+    owner: root
-        mode=0755
+    group: root
-        state=directory
+    mode: 0755
    state: directory
 - name: Run the setup using 'kalite manage'
  command: "{{ kalite_program }} manage setup --username={{ kalite_admin_user }} --password={{ kalite_admin_password }} --noinput"
  environment:
-     KALITE_HOME: "{{ kalite_root }}"
+    KALITE_HOME: "{{ kalite_root }}"
  async: 900
  poll: 10
--- a/roles/kiwix/README.rst
+++ b/roles/kiwix/README.rst
@ -13,7 +13,8 @@ Locations
 - Your ZIM files are expected to be in /library/zims/content
 - Your ZIM index files are expected to be in directories under /library/zims/index
- The URL is http://box:3000
+- The URL is http://box/kiwix or http://box.lan/kiwix (both proxied for AWStats)
 - Use URL http://box:3000/kiwix if you want to avoid the proxy
 Your local ZIM catalog (at /library/zims/library.xml) can be
-regenerated by running: iiab-make-kiwix-lib
+regenerated by running: /usr/bin/iiab-make-kiwix-lib
--- a/roles/kiwix/defaults/main.yml
+++ b/roles/kiwix/defaults/main.yml
@ -2,8 +2,8 @@
 # As obtained from http://download.kiwix.org/release/kiwix-tools/ or http://download.kiwix.org/nightly/
 kiwix_version_armhf: "kiwix-tools_linux-armhf-0.6.0"
-kiwix_version_linux64: "kiwix-tools_linux-i586-0.6.0"
+kiwix_version_linux64: "kiwix-tools_linux-x86_64-0.6.0"
-kiwix_version_i686: "kiwix-tools_linux-x86_64-0.6.0"
+kiwix_version_i686: "kiwix-tools_linux-i586-0.6.0"
 # kiwix_src_file_i686: "kiwix-linux-i686.tar.bz2"
 # v0.9 for i686 published May 2014 ("use it to test legacy ZIM content")
 # v0.10 for i686 published Oct 2016 ("experimental") REPLACED IN EARLY 2018, thx to Matthieu Gautier:
@ -12,12 +12,11 @@ kiwix_version_i686: "kiwix-tools_linux-x86_64-0.6.0"
 kiwix_src_file_armhf: "{{ kiwix_version_armhf }}.tar.gz"
 kiwix_src_file_linux64: "{{ kiwix_version_linux64 }}.tar.gz"
-kiwix_src_file_i686: "{{ kiwix_version_i686 }}.tar.bz2"
+kiwix_src_file_i686: "{{ kiwix_version_i686 }}.tar.gz"
 kiwix_port: 3000
-# Expected to be used soon for Kiwix proxy:
+# Used for Kiwix proxy http://box/kiwix/
-kiwix_url: /kiwix/
+kiwix_url: /kiwix
 # Unused in Nov 2017, but should be:
 kiwix_path: "{{ iiab_base }}/kiwix"
 # /library/zims contains 3 important things:
@ -26,13 +25,9 @@ kiwix_path: "{{ iiab_base }}/kiwix"
 # - index directory for legacy *.zim.idx's
 iiab_zim_path: "{{ content_base }}/zims"
 kiwix_library_xml: "{{ iiab_zim_path }}/library.xml"
 # Unused: (Nov 2017)
 # kiwix_content_path: "{{ iiab_zim_path }}/content"
 # Installation Variables
 kiwix_install: True
 kiwix_enabled: True
 # MOVE FILE /opt/iiab/kiwix/bin/kiwix-serve TO FORCE A REINSTALL OF kiwix-tools
 kiwix_force_install: False
 # Unused: (Nov 2017)
 # kiwix_content_found: False
--- a/roles/kiwix/tasks/kiwix_install.yml
+++ b/roles/kiwix/tasks/kiwix_install.yml
@ -58,9 +58,8 @@
    state: directory
 # 2. INSTALL KIWIX-TOOLS EXECUTABLES IF kiwix_force_install
 # (We get a whole web server for i686 but only kiwix execs for linux64 & armhf)
- name: Unarchive kiwix-tools .tar.gz or .tar.bz2 to /tmp
+- name: Unarchive kiwix-tools .tar.gz to /tmp
  unarchive:
    src: "{{ downloads_dir }}/{{ kiwix_src_file }}"
    dest: /tmp
@ -68,34 +67,9 @@
    group: root
  when: kiwix_force_install
- name: Move /tmp/{{ kiwix_src_dir }}/* to permanent location /opt/iiab/kiwix/bin (armhf & linux64)
+- name: Move /tmp/{{ kiwix_src_dir }}/* to permanent location /opt/iiab/kiwix/bin (armhf & linux64 & i686)
  shell: "mv /tmp/{{ kiwix_src_dir }}/* {{ kiwix_path }}/bin/"
-  when: kiwix_force_install and not kiwix_src_contains_bin
+  when: kiwix_force_install
 - name: Move /tmp/{{ kiwix_src_dir }}/bin/* to permanent location /opt/iiab/kiwix/bin (i686)
  shell: "mv /tmp/{{ kiwix_src_dir }}/bin/* {{ kiwix_path }}/bin/"
  when: kiwix_force_install and kiwix_src_contains_bin
 #- name: Unarchive Kiwix binaries to permanent location (NOT i686)
 #  unarchive:
 #    src: "{{ downloads_dir }}/{{ kiwix_src_file }}"
 #    dest: "{{ kiwix_path }}/bin"
 #    owner: root
 #    group: root
 #  when: kiwix_src_bin_only and kiwix_force_install
 #- name: Unarchive kiwix*i686.tar.bz2 to /tmp (i686)
 #  unarchive:
 #    src: "{{ downloads_dir }}/{{ kiwix_src_file }}"
 #    dest: /tmp
 #    # dest: "{{ iiab_base }}"
 #    owner: root
 #    group: root
 #  when: not kiwix_src_bin_only and kiwix_force_install
 #
 #- name: Move /tmp/kiwix*i686/bin/* to permanent location /opt/iiab/kiwix/bin (i686)
 #  shell: "mv /tmp/kiwix*i686/bin/* {{ kiwix_path }}/bin/"
 #  when: not kiwix_src_bin_only and kiwix_force_install
 # 3. ENABLE MODS FOR APACHE PROXY IF DEBUNTU
@ -193,8 +167,5 @@
    value: "{{ iiab_zim_path }}"
  - option: kiwix_library_xml
    value: "{{ kiwix_library_xml }}"
 # The following 2 lines are unused: (Nov 2017)
 #   - option: kiwix_content_path
 #     value: "{{ kiwix_content_path }}"
  - option: enabled
    value: "{{ kiwix_enabled }}"
--- a/roles/kiwix/tasks/main.yml
+++ b/roles/kiwix/tasks/main.yml
@ -2,21 +2,18 @@
  set_fact:
     kiwix_src_dir: "{{ kiwix_version_armhf }}"
     kiwix_src_file: "{{ kiwix_src_file_armhf }}"
     kiwix_src_contains_bin: False
  when: ansible_machine == "armv7l" or ansible_machine == "armv6l"
 - name: "Set Kiwix filename to d/l: {{ kiwix_src_file_linux64 }} (x86_64)"
  set_fact:
     kiwix_src_dir: "{{ kiwix_version_linux64 }}"
     kiwix_src_file: "{{ kiwix_src_file_linux64 }}"
     kiwix_src_contains_bin: False
  when: ansible_machine == "x86_64"
 - name: "Set Kiwix filename to d/l: {{ kiwix_src_file_i686 }} (i686)"
  set_fact:
     kiwix_src_dir: "{{ kiwix_version_i686 }}"
     kiwix_src_file: "{{ kiwix_src_file_i686 }}"
     kiwix_src_contains_bin: True
  when: ansible_machine == "i686"
 # COMMENT OUT LINE ABOVE TO TEST i686 CODE PATH ON X86_64 (WORKS NOV 2017)
--- a/roles/kiwix/templates/iiab-make-kiwix-lib
+++ b/roles/kiwix/templates/iiab-make-kiwix-lib
@ -1,8 +1,30 @@
-#!/bin/bash
+#!/bin/bash
-
+
-{{ systemctl_program }} stop kiwix-serve
+LOCK_PATH=/run/lock/kiwix
-/usr/bin/iiab-make-kiwix-lib.py
+mkdir -p $LOCK_PATH
-#/usr/bin/iiab-make-apache-config.py
+
-{{ systemctl_program }} start kiwix-serve
+WAITLOCK="$LOCK_PATH/make-kiwix-lib-wait.LCK";
-
+RUNLOCK="$LOCK_PATH/kiwix-lib-access.LCK";
-exit 0
+KIWIXLIB={{ kiwix_library_xml }}
 exec 200>$WAITLOCK;
 exec 201>$RUNLOCK;
 if flock -n -e 200; then :
  echo 'Waiting to run iiab-make-kiwix-lib.py'
  # wait for up to 5 min
  flock -x -w 300 201
  flock -u 200 # unlock queue
  echo "Now running iiab-make-kiwix-lib.py"
  # write to {{ kiwix_library_xml }}.tmp to minimize kiwix down
  # zim map could be out of sync for a few seconds
  /usr/bin/iiab-make-kiwix-lib.py
  {{ systemctl_program }} stop kiwix-serve
  rm $KIWIXLIB
  mv $KIWIXLIB.tmp $KIWIXLIB
  {{ systemctl_program }} start kiwix-serve
 else
  echo "Can't get wait lock for iiab-make-kiwix-lib.py";
  exit 1;
 fi
 exit 0
--- a/roles/kiwix/templates/iiab-make-kiwix-lib.py
+++ b/roles/kiwix/templates/iiab-make-kiwix-lib.py
@ -2,7 +2,7 @@
 """
-   Creates library.xml file for kiwix from contents of /zims/content and index
+   Creates temp library.xml file for kiwix from contents of /zims/content and index
   Author: Tim Moody <tim(at)timmoody(dot)com>
   Contributors: Jerry Vonau <jvonau3(at)gmail.com>
@ -30,6 +30,8 @@ iiab_config_file = "{{ iiab_config_file }}"
 # Variables that should be read from config file
 # All of these variables will be read from config files and recomputed in init()
 iiab_zim_path = "{{ iiab_zim_path }}"
 # Later we will append .tmp to file name
 kiwix_library_xml = "{{ kiwix_library_xml }}"
 iiab_base_path = "{{ iiab_base }}"
@ -41,8 +43,9 @@ old_zim_map = {"bad.zim" : "unparseable name"}
 def main():
    """Server routine"""
-
+    global kiwix_library_xml
    init()
    kiwix_library_xml += '.tmp' # write to temp file    
    # remove existing file
    try:
--- a/roles/kiwix/templates/kiwix.conf.j2
+++ b/roles/kiwix/templates/kiwix.conf.j2
@ -1 +1,6 @@
-ProxyPass {{ kiwix_url }}  http://127.0.0.1:{{ kiwix_port }}{{ kiwix_url }}
+ProxyPreserveHost On
 ProxyPass {{ kiwix_url }} http://127.0.0.1:{{ kiwix_port}}{{ kiwix_url }}
 ProxyPassReverse {{ kiwix_url }} http://127.0.0.1:{{ kiwix_port}}{{ kiwix_url }}
 RewriteEngine on
 RewriteRule ^/kiwix$ /kiwix/ [R]
--- a/roles/kolibri/README.rst
+++ b/roles/kolibri/README.rst
@ -0,0 +1,67 @@
 ==============
 Kolibri README
 ==============
 This Ansible role installs Kolibri within Internet-in-a-Box.  Kolibri is an
 open-source educational platform specially designed to provide offline access
 to a wide range of quality, openly licensed educational contents in
 low-resource contexts like rural schools, refugee camps, orphanages, and also
 in non-formal school programs.
 Access
 ------
 If enabled and with the default settings Kolibri should be accessible at http://box:8009
 To login to Kolibri enter
  Username: Admin
  Password: changeme
 Configuration Parameters
 ------------------------
 Please look in defaults/main.yml for the default values of the various install parameters.  Everything
 in this readme assumes the default values.
 Automatic Device Provisioning
 -----------------------------
 When kolibri_provision is enabled, the installation will setup the following settings:
  Kolibri Facility name: 'Kolibri-in-a-Box'
  Kolibri Preset type: formal (Other options are nonformal, informal)
  Kolibri default language: en (Otherwise language are ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu)
  Kolibri Admin User: Admin
  Kolibri Admin password: changeme
 Cloning content
 ---------------
 Kolibri 0.10 introduced `kolibri manage deprovision` which will remove
 user configuration, leaving content intact. You can then copy/clone /library/kolibri
 to a new location.
 Troubleshooting
 ----------------
 You can run the server manually with the following commands:
  systemctl stop kolibri (make sure the systemd service is not running)
  export KOLIBRI_HOME=/library/kolibri
  export KOLIBRI_HTTP_PORT=8009 (otherwise Kolibri will try to run on default port 8080)
  kolibri start
 To return to using the systemd unit:
  kolibri stop
  systemctl start kolibri
--- a/roles/kolibri/defaults/main.yml
+++ b/roles/kolibri/defaults/main.yml
@ -0,0 +1,35 @@
 # The values here are defaults.
 # To override them edit /etc/iiab/local_vars.yml
 # Installation Variables
 kolibri_install: False
 kolibri_enabled: False
 # Kolibri folder to store its data and configuration files.
 kolibri_home: "{{ content_base }}/kolibri"
 kolibri_http_port: 8009
 kolibri_url: /kolibri/
 kolibri_path: "{{ iiab_base }}/kolibri"
 # 2018-07-16: IIAB recommends /usr/bin but @arky says this isn't yet possible, due to pip
 kolibri_exec_path: /usr/local/bin/kolibri
 # Kolibri system user
 kolibri_user: kolibri
 # Kolibri setup will be provisioned with default administration account, preset and
 # language. You could turn this to 'False' while reinstalling kolibri.
 kolibri_provision: True
 # Kolibri Facility name
 kolibri_facility: Kolibri-in-a-Box
 # Kolibri Preset type: formal, nonformal, informal
 kolibri_preset: formal
 # Kolibri default language (ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu)
 kolibri_language: en
 # Kolibri admin account
 kolibri_admin_user: Admin
 kolibri_admin_password: changeme
--- a/roles/kolibri/tasks/main.yml
+++ b/roles/kolibri/tasks/main.yml
@ -0,0 +1,96 @@
 - name: Create Linux user {{ kolibri_user }} and add it to groups {{ apache_user }}, disk
  user:
    name: "{{ kolibri_user }}"
    groups:
      - "{{ apache_user }}"
      - disk
    state: present
    shell: /bin/false
    system: yes
    create_home: no
 - name: Create /library/kolibri to store data and configuration files
  file:
    path: "{{ item }}"
    owner: "{{ kolibri_user }}"
    group: "{{ apache_user }}"
    mode: 0755
    state: directory
  with_items:
    - "{{ kolibri_home }}"
 - name: Install kolibri using pip on all OS's
  pip:
    name: kolibri
    state: latest
    extra_args: --no-cache-dir
  when: internet_available
 - name: Create kolibri systemd service unit file
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
    owner: root
    group: root
  with_items:
    - { src: 'kolibri.service.j2', dest: '/etc/systemd/system/kolibri.service', mode: '0644' }
 - name: Ask systemd to reread unit files (daemon-reload)
  systemd:
    daemon_reload: yes
 - name: Set kolibri default language
  shell: export KOLIBRI_HOME="{{ kolibri_home }}" && "{{ kolibri_exec_path }}" language setdefault "{{ kolibri_language }}"
  ignore_errors: yes
  when: kolibri_provision
 - name: Create kolibri default facility name, admin account and language
  shell: >
    export KOLIBRI_HOME="{{ kolibri_home }}" &&
    "{{ kolibri_exec_path }}" manage provisiondevice --facility "{{ kolibri_facility }}"
    --superusername "{{ kolibri_admin_user }}" --superuserpassword "{{ kolibri_admin_password }}"
    --preset "{{ kolibri_preset }}" --language_id "{{ kolibri_language }}" --verbosity 0 --noinput
  ignore_errors: yes
  when: kolibri_provision
 - name: Change /library/kolibri directory permissions
  file:
    path: "{{ kolibri_home }}"
    owner: "{{ kolibri_user }}"
    group: "{{ apache_user }}"
    recurse: yes
 - name: Enable kolibri service
  service:
    name: kolibri
    enabled: yes
    state: restarted
  when: kolibri_enabled
 - name: Disable kolibri service
  service:
    name: kolibri
    enabled: no
    state: stopped
  when: not kolibri_enabled
 - name: Add 'kolibri' to list of services at /etc/iiab/iiab.ini
  ini_file:
    dest: "{{ service_filelist }}"
    section: kolibri
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - option: name
      value: kolibri
    - option: description
      value: '"Kolibri is an open-source educational platform specially designed to provide offline access to a wide range of quality, openly licensed educational contents in low-resource contexts like rural schools, refugee camps, orphanages, and also in non-formal school programs."'
    - option: kolibri_url
      value: "{{ kolibri_url }}"
    - option: kolibri_path
      value: "{{ kolibri_path }}"
    - option: kolibri_port
      value: "{{ kolibri_http_port }}"
    - option: enabled
      value: "{{ kolibri_enabled }}"
--- a/roles/kolibri/templates/kolibri.service.j2
+++ b/roles/kolibri/templates/kolibri.service.j2
@ -0,0 +1,16 @@
 [Unit]
 Description=Kolibri
 [Service]
 Type=forking
 RemainAfterExit=yes
 Environment=KOLIBRI_USER={{ kolibri_user }}
 Environment=KOLIBRI_HOME={{ kolibri_home }}
 Environment=KOLIBRI_HTTP_PORT={{ kolibri_http_port }}
 User={{ kolibri_user }}
 Group={{ apache_user }}
 ExecStart={{ kolibri_exec_path }} start
 ExecStop={{ kolibri_exec_path }} stop
 [Install]
 WantedBy=multi-user.target
--- a/roles/mongodb/defaults/main.yml
+++ b/roles/mongodb/defaults/main.yml
@ -1,2 +1,6 @@
 mongodb_install: False
 mongodb_enabled: False
 mongodb_conf: /etc/mongod.conf
 mongodb_db_path: "{{ content_base }}/dbdata/mongodb"    # == /library/dbdata/mongodb/
 mongodb_db_lock_file: "{{ mongodb_db_path }}/mongod.lock"
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@ -1,6 +1,7 @@
- name: Install mongodb required packages
+- name: Install MongoDB required packages
-  package: name={{ item }}
+  package:
-           state=present
+    name: "{{ item }}"
    state: present
  with_items:
    - mongodb-server
    - mongodb
@ -8,50 +9,67 @@
  tags:
    - download
- name: create the data directory for mongodb
+- name: Create the data directory for MongoDB
-  file: state=directory
+  file:
-        path={{ item.path }}
+    state: directory
-        owner=mongodb
+    path: "{{ item.path }}"
    owner: mongodb
  with_items:
-     - { path: '/var/run/mongodb' }
+    - { path: '/var/run/mongodb' }
-     - { path: '/library/dbdata/mongodb' }
+    - { path: "{{ mongodb_db_path }}" }    # == /library/dbdata/mongodb/
-     - { path: '/var/log/mongodb' }
+    - { path: '/var/log/mongodb' }
- name: Move required files
+- name: Populate & position /etc/mongod.conf, mongodb.service
-  template: src={{ item.src }}
+  template:
-            dest={{ item.dest }}
+    src: "{{ item.src }}"
-            owner=root
+    dest: "{{ item.dest }}"
-            group=root
+    owner: root
-            mode=0644
+    group: root
    mode: "{{ item.mode }}"
  with_items:
-     - { src: 'mongodb.service' , dest: '/etc/systemd/system/' }
+    - { src: 'mongod.conf.j2', dest: "{{ mongodb_conf }}", mode: '0644' }
-     - { src: 'mongod.conf' , dest: '/etc/mongod.conf'}
+    - { src: 'mongodb.service.j2', dest: '/etc/systemd/system/mongodb.service', mode: '0644' }
    - { src: 'iiab-mongodb-repair-if-no-lock.j2', dest: '/usr/bin/iiab-mongodb-repair-if-no-lock', mode: '0755' }
- name: enable services
+- name: Enable+restart systemd service if mongodb_enabled, with "systemctl daemon-reload" (in case mongodb.service changed?)
-  service: name={{ item.name }}
+  systemd:
-           enabled=yes
+    name: mongodb
-           state=restarted
+    enabled: yes
-  with_items:
+    state: restarted
-      - { name: mongodb }
+    daemon_reload: yes
  when: mongodb_enabled
- name: disable services
+- name: 'Disable+stop systemd service if mongodb_enabled: False'
-  service: name={{ item.name }}
+  systemd:
-           enabled=no
+    name: mongodb
-           state=stopped
+    enabled: no
-  with_items:
+    state: stopped
      - { name: mongodb }
  when: not mongodb_enabled
- name: add mongodb to service list
+#- name: Restart service if enabled
-  ini_file: dest="{{ service_filelist }}"
+#  service:
-            section=mongodb
+#    name: mongodb
-            option="{{ item.option }}"
+#    enabled: yes
-            value="{{ item.value }}"
+#    state: restarted
 #  when: mongodb_enabled
 #- name: Stop service if not enabled
 #  service:
 #    name: mongodb
 #    enabled: no
 #    state: stopped
 #  when: not mongodb_enabled
 - name: Add 'mongodb' to list of services at /etc/iiab/iiab.ini
  ini_file:
    dest: "{{ service_filelist }}"
    section: mongodb
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
-       - option: name
+    - option: name
-         value: MongoDB
+      value: MongoDB
-       - option: description
+    - option: description
-         value: '"MongoDB is an open-source document database that provides high performance, high availability, and automatic scaling."'
+      value: '"MongoDB is an open-source document database that provides high performance, high availability, and automatic scaling."'
-       - option: enabled
+    - option: enabled
-         value: "{{ mongodb_enabled }}"
+      value: "{{ mongodb_enabled }}"
--- a/roles/mongodb/templates/iiab-mongodb-repair-if-no-lock.j2
+++ b/roles/mongodb/templates/iiab-mongodb-repair-if-no-lock.j2
@ -0,0 +1,7 @@
 #!/bin/bash
 if [ -f {{ mongodb_db_lock_file }} ]; then
    echo '"mongod --repair" cannot run when {{ mongodb_db_lock_file }} present.' >&2    # Output to STDERR but keep going, so /etc/systems/system/mongodb.service continues
 else
    /usr/bin/mongod --repair --dbpath {{ mongodb_db_path }}
 fi
--- a/roles/mongodb/templates/mongod.conf.j2
+++ b/roles/mongodb/templates/mongod.conf.j2
@ -21,7 +21,7 @@ logpath = /var/log/mongodb/mongod.log
 # unixSocketPrefix = /var/run/mongodb
 # Directory for datafiles (defaults to /data/db/)
-dbpath = /library/dbdata/mongodb
+dbpath = {{ mongodb_db_path }}
 # Enable/Disable journaling (journaling is on by default for 64 bit)
 journal = true
@ -234,4 +234,3 @@ smallfiles = true
 # Activate FIPS 140-2 mode at startup
 #sslFIPSMode = true
--- a/roles/mongodb/templates/mongodb.service
+++ b/roles/mongodb/templates/mongodb.service
@ -1,13 +0,0 @@
 [Unit]
 Description=High-performance, schema-free document-oriented database
 After=syslog.target network.target
 [Service]
 Type=simple
 User=mongodb
 Group=mongodb
 ExecStart=/usr/bin/mongod  -f /etc/mongod.conf
 [Install]
 WantedBy=multi-user.target
--- a/roles/mongodb/templates/mongodb.service.j2
+++ b/roles/mongodb/templates/mongodb.service.j2
@ -0,0 +1,20 @@
 [Unit]
 Description=High-performance, schema-free document-oriented database
 After=syslog.target network.target
 [Service]
 Type=simple
 User=mongodb
 Group=mongodb
 # FAILS (after power failures, etc) as --repair cannot run when lock file exists: (https://github.com/iiab/iiab/issues/942)
 #ExecStartPre=/usr/bin/mongod --repair --dbpath /library/dbdata/mongodb
 # FAILS as systemd cannot run bash here:
 #ExecStartPre=if [ ! -f /library/dbdata/mongodb/mongod.lock ]; then /usr/bin/mongod --repair --dbpath {{ mongodb_db_path }}; fi
 ExecStartPre=/usr/bin/iiab-mongodb-repair-if-no-lock
 ExecStart=/usr/bin/mongod -f {{ mongodb_conf }}
 ExecStop=/usr/bin/killall mongod
 # killall's SIGTERM (15) seems fine, to induce a graceful stop.  This would work too:
 #ExecStop=mongod --dbpath {{ mongodb_db_path }} --shutdown
 [Install]
 WantedBy=multi-user.target
--- a/roles/moodle/tasks/main.yml
+++ b/roles/moodle/tasks/main.yml
@ -22,12 +22,12 @@
    - php{{ php_version }}-cli
  when: is_debuntu
- name: php-zip name (debian_9 or ubuntu)
+- name: php-zip name (debian-9 or ubuntu)
  package:
    name: "php{{ php_version }}-zip"
  when: is_debian_9 or is_ubuntu
- name: php-zip name for (debian_8)
+- name: php-zip name for (debian-8)
  package:
    name: php-pclzip
  when: is_debian_8
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@ -19,13 +19,13 @@
      tags:
        - download
-    - name: php-xml (ubuntu or debian_9)
+    - name: php-xml (ubuntu or debian-9)
      package:
        name: "php{{ php_version }}-xml"
        state: present
      when: is_ubuntu or is_debian_9
-    - name: php-xml (debian_8)
+    - name: php-xml (debian-8)
      package:
        name: "php-xml-parser"
        state: present
--- a/roles/network/defaults/main.yml
+++ b/roles/network/defaults/main.yml
@ -1,4 +1,3 @@
 ---
 # Defaults for network detection
 wireless_lan_present: False
 strict_networking: False
@ -19,14 +18,14 @@ discovered_lan_iface: "none"
 discovered_wired_iface: "none"
 discovered_wireless_iface: "none"
-#Redhat
+# Red Hat
 #iiab_wired_lan_iface: "none"
 #iiab_wireless_lan_iface: "none"
 has_WAN: False
 has_ifcfg_gw: "none"
 has_wifi_gw: "none"
-#Debian
+# Debian
 dhcpcd_result: ""
 wan_in_interfaces: False
 network_manager_active: False
@ -39,13 +38,13 @@ gui_desired_network_role: Gateway
 wondershaper_dspeed: "4096"
 wondershaper_upspeed: "1024"
-# WiFi
+# Wi-Fi
 host_ssid: IIAB
 hostapd_wait: 1
 host_wifi_mode: g
 host_channel: 6
 host_wireless_n: False
-# Below moved to /opt/iiab/iiab/vars/local_vars.yml: (so implementer sets this)
+# Below moved to /etc/iiab/local_vars.yml: (so implementer sets this)
 #host_country_code: US
 hostapd_secure: True
 hostapd_password: "iiab2017"
@ -63,11 +62,20 @@ network_config_dir: /etc/network/interfaces.d
 dns_jail_enabled: False
 services_externally_visible: False
-# following variables set for old apache,dhcpd,named usage
+# Following variables set for old Apache, dhcpd, named usage
 dhcpd_install: True
 dhcpd_enabled: True
 named_install: True
 named_enabled: True
 dnsmasq_enabled: False
 dnsmasq_install: False
 # For @tim-moody's Nodogsplash approach to Captive Portal?  High experimental as of June 2018: github.com/iiab/iiab/issues/608
 captive_portal_enabled: False
 # Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
 py_captive_portal_install: True
 py_captive_portal_enabled: True
 py_captive_portal_port: "9090"
 py_captive_portal_username: "Admin"
 py_captive_portal_password: "changeme"
--- a/roles/network/tasks/captive_portal.yml
+++ b/roles/network/tasks/captive_portal.yml
@ -0,0 +1,47 @@
 - name: Create directory for Captive Portal script
  file:
    path: /opt/iiab/captive-portal
    state: directory
  when: py_captive_portal_install
 - name: Copy Captive Portal script
  template:
    src: roles/network/templates/captive_portal/captive_portal.py.j2
    dest: /opt/iiab/captive-portal/captive_portal.py
    owner: root
    group: root
    mode: 0740
  when: py_captive_portal_install
 - name: Copy Captive Portal service file
  template:
    src: roles/network/templates/captive_portal/captive_portal.service.j2
    dest: /etc/systemd/system/captive_portal.service
    owner: root
    group: root
    mode: 0644
  when: py_captive_portal_install
 - name: Enable captive_portal after copying files
  service:
    name: captive_portal.service
    enabled: yes
  when: py_captive_portal_install and py_captive_portal_enabled
 - name: Start captive_portal after copying files
  service:
    name: captive_portal.service
    state: started
  when: py_captive_portal_install and py_captive_portal_enabled
 - name: Disable captive_portal after copying files
  service:
    name: captive_portal.service
    enabled: no
  when: py_captive_portal_install and py_captive_portal_enabled
 - name: Stop captive_portal after copying files
  service:
    name: captive_portal.service
    state: started
  when: py_captive_portal_install and py_captive_portal_enabled
--- a/roles/network/tasks/debian.yml
+++ b/roles/network/tasks/debian.yml
@ -21,52 +21,64 @@
 #           state=present
 - name: For upgrades from earlier IIAB 6.2, remove br0 file
-  file: path=/etc/network/interfaces.d/br0
+  file:
-        state=absent
+    path: /etc/network/interfaces.d/br0
    state: absent
  when: iiab_lan_iface != "br0" and wan_ip == "dhcp"
 - name: Supply resolvconf.conf
-  template: dest=/etc/resolvconf.conf
+  template:
-            src=network/resolvconf.j2
+    dest: /etc/resolvconf.conf
    src: network/resolvconf.j2
 - name: Supply dhcpcd.conf
-  template: dest=/etc/dhcpcd.conf
+  template:
-            src=network/dhcpcd.conf.j2
+    dest: /etc/dhcpcd.conf
    src: network/dhcpcd.conf.j2
  when: dhcpcd_result == "enabled"
 - name: Copy the bridge script
-  template: dest=/etc/network/interfaces.d/iiab
+  template:
-            src=network/systemd.j2
+    dest: /etc/network/interfaces.d/iiab
    src: network/systemd.j2
  when: not is_rpi and (iiab_lan_iface == "br0" or wan_ip != "dhcp" or gui_static_wan_ip == "undefined")
 - name: Copy the bridge script for RPi
-  template: dest=/etc/network/interfaces.d/iiab
+  template:
-            src=network/rpi.j2
+    dest: /etc/network/interfaces.d/iiab
    src: network/rpi.j2
  when: is_rpi and iiab_lan_iface == "br0"
- name: Workaround auto issue on Debian-9
+- name: Workaround auto issue (debian-9)
-  template: dest=/etc/network/interfaces.d/patch_auto
+  template:
-            src=network/debian-auto.j2
+    dest: /etc/network/interfaces.d/patch_auto
    src: network/debian-auto.j2
  when: iiab_wan_iface != "none" and is_debian_9
- name: Clearing out /etc/network/interfaces for static addresses (is_debian_9)
+- name: Clearing out /etc/network/interfaces for static addresses (debian-9)
  lineinfile:
-      state: absent
+    state: absent
-      path: /etc/network/interfaces
+    path: /etc/network/interfaces
-      regexp: "{{ iiab_wan_iface }}"
+    regexp: "{{ iiab_wan_iface }}"
  when: wan_ip != "dhcp" and iiab_wan_iface != "none" and is_debian_9
- name: bind may be affected
+- name: BIND may be affected
-  service: name={{ dns_service }} state=stopped
+  service:
    name: "{{ dns_service }}"
    state: stopped
  when: named_install and dnsmasq_enabled
 # dhcpd_server release the interface
 - name: dhcpd_server may be affected - stopping dhcpd
-  service: name=dhcpd state=stopped
+  service:
    name: dhcpd
    state: stopped
  when: dhcpd_install
 - name: dhcpd_server may be affected - stopping dnsmasq
-  service: name=dnsmasq state=stopped
+  service:
    name: dnsmasq
    state: stopped
  when: dnsmasq_install
 - name: Reload systemd
@ -75,9 +87,13 @@
 # now pick up denyinterfaces
 - name: Restart dhcpcd
-  service: name=dhcpcd state=restarted
+  service:
    name: dhcpcd
    state: restarted
  when: dhcpcd_result == "enabled"
 - name: Restart the networking service
-  service: name=networking  state=restarted
+  service:
    name: networking
    state: restarted
  when: not nobridge is defined and not no_net_restart
--- a/roles/network/tasks/down-debian.yml
+++ b/roles/network/tasks/down-debian.yml
@ -5,7 +5,7 @@
 #     dest: /etc/resolvconf.conf
 #    src: network/resolvconf.j2
- name: bind may be affected
+- name: BIND may be affected
  service:
    name: "{{ dns_service }}"
    state: stopped
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
@ -1,156 +1,181 @@
 - name: Disable dhcpd service
-  service: name=dhcpd
+  service:
-           enabled=no
+    name: dhcpd
    enabled: no
  when: not dhcpd_enabled and dhcpd_install
 # service is restarted with NM dispatcher.d script
 - name: Enable dhcpd service
-  service: name=dhcpd
+  service:
-           enabled=yes
+    name: dhcpd
    enabled: yes
  when: dhcpd_enabled and dhcpd_install
 - name: Copy /etc/sysconfig/dhcpd file
-  template: src={{ item.src }}
+  template:
-            dest={{ item.dest }}
+    src: "{{ item.src }}"
-            owner=root
+    dest: "{{ item.dest }}"
-            group=root
+    owner: root
-            mode={{ item.mode }}
+    group: root
    mode: "{{ item.mode }}"
  with_items:
-   - { src: 'dhcp/dhcpd-env.j2' , dest: '/etc/sysconfig/dhcpd' , mode: '0644' }
+   - { src: 'dhcp/dhcpd-env.j2', dest: '/etc/sysconfig/dhcpd', mode: '0644' }
   - { src: 'dhcp/dhcpd-iiab.conf.j2', dest: '/etc/dhcpd-iiab.conf', mode: '0644' }
  when: dhcpd_enabled and dhcpd_install
 - name: Copy named file
-  template: src={{ item.src }}
+  template:
-            dest={{ item.dest }}
+    src: "{{ item.src }}"
-            owner=root
+    dest: "{{ item.dest }}"
-            group=root
+    owner: root
-            mode={{ item.mode }}
+    group: root
    mode: "{{ item.mode }}"
  with_items:
-   - { src: 'named/school.local.zone.db' , dest: '/var/named-iiab/' , mode: '0644' }
+   - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf', mode: '0644' }
-   - { src: 'named/school.internal.zone.db' , dest: '/var/named-iiab/' , mode: '0644' }
+   - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/', mode: '0644' }
   - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/', mode: '0644' }
 - name: Enable named service
-  service: name={{ dns_service }}
+  service:
-           enabled=yes
+    name: "{{ dns_service }}"
    enabled: yes
  when: named_enabled and named_install
 - name: Disable named service
-  service: name={{ dns_service }}
+  service:
-           enabled=no
+    name: "{{ dns_service }}"
    enabled: no
  when: not named_enabled and named_install
 - name: Disable dnsmasq
-  service: name=dnsmasq
+  service:
-           enabled=no
+    name: dnsmasq
    enabled: no
  when: not dnsmasq_enabled and dnsmasq_install
- name: dnsmasq copy config file to /etc
+- name: Copy dnsmasq.conf to /etc
-  template: src=network/dnsmasq.conf.j2 dest=/etc/dnsmasq.conf
+  template:
    src: network/dnsmasq.conf.j2
    dest: /etc/dnsmasq.conf
  when: dnsmasq_enabled and dnsmasq_install
 - name: Enable dnsmasq
-  service: name=dnsmasq
+  service:
-           enabled=yes
+    name: dnsmasq
    enabled: yes
  when: dnsmasq_enabled and dnsmasq_install
 - name: Enable DansGuardian
-  service: name=dansguardian
+  service:
-           enabled=yes
+    name: dansguardian
    enabled: yes
  when: dansguardian_enabled and dansguardian_install
 - name: Disable DansGuardian
-  service: name=dansguardian
+  service:
-           enabled=no
+    name: dansguardian
    enabled: no
  when: not dansguardian_enabled and dansguardian_install
 - name: Create xs_httpcache flag
-  lineinfile: dest=/etc/iiab/iiab.env
+  lineinfile:
-              regexp='^HTTPCACHE_ON=*'
+    dest: /etc/iiab/iiab.env
-              line='HTTPCACHE_ON=True'
+    regexp: '^HTTPCACHE_ON=*'
-              state=present
+    line: 'HTTPCACHE_ON=True'
    state: present
  when: squid_enabled and squid_install
 - name: Enable Squid service
-  service: name={{ proxy }}
+  service:
-           enabled=yes
+    name: "{{ proxy }}"
    enabled: yes
  when: squid_enabled and squid_install
 - name: Copy init script and config file
-  template: src={{ item.src }}
+  template:
-            dest={{ item.dest }}
+    src: "{{ item.src }}"
-            owner={{ item.owner }}
+    dest: "{{ item.dest }}"
-            group={{ item.group }}
+    owner: "{{ item.owner }}"
-            mode={{ item.mode }}
+    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  with_items:
-    - src: 'squid/squid-iiab.conf.j2'
+    - src: squid/squid-iiab.conf.j2
-      dest: '/etc/{{ proxy }}/squid-iiab.conf'
+      dest: "/etc/{{ proxy }}/squid-iiab.conf"
-      owner: '{{ proxy_user }}'
+      owner: "{{ proxy_user }}"
-      group: '{{ proxy_user }}'
+      group: "{{ proxy_user }}"
-      mode: '0644'
+      mode: 0644
  when: squid_enabled and squid_install
 - name: Point to Squid config file from startup file
-  lineinfile: regexp='^CONFIG'
+  lineinfile:
-              line='CONFIG=/etc/{{ proxy }}/squid-iiab.conf'
+    regexp: '^CONFIG'
-              dest=/etc/init.d/{{ proxy }}
+    line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
    dest: "/etc/init.d/{{ proxy }}"
  when: squid_enabled and squid_install and is_debuntu
 - name: Disable Squid service
-  service: name={{ proxy }}
+  service:
-           enabled=no
+    name: "{{ proxy }}"
    enabled: no
  when: not squid_enabled and squid_install
 - name: Remove xs_httpcache flag
-  lineinfile: dest=/etc/iiab/iiab.env
+  lineinfile:
-              regexp='^HTTPCACHE_ON=*'
+    dest: /etc/iiab/iiab.env
-              line='HTTPCACHE_ON=False'
+    regexp: '^HTTPCACHE_ON=*'
-              state=present
+    line: 'HTTPCACHE_ON=False'
    state: present
  when: not squid_enabled
 - name: Enable Wondershaper service
-  service: name=wondershaper
+  service:
-           enabled=yes
+    name: wondershaper
    enabled: yes
  when: wondershaper_enabled and wondershaper_install
 - name: Disable Wondershaper service
-  service: name=wondershaper
+  service:
-           enabled=no
+    name: wondershaper
    enabled: no
  when: not wondershaper_enabled and wondershaper_install
 # check-LAN should be iptables.yml remove later
 - name: Grab clean copy of iiab-gen-iptables
-  template: src={{ item.0 }}
+  template:
-            dest={{ item.1 }}
+    src: "{{ item.0 }}"
-            owner='root'
+    dest: "{{ item.1 }}"
-            group='root'
+    owner: root
-            mode='0755'
+    group: root
    mode: 0755
  with_items:
   - { 0: 'gateway/iiab-gen-iptables', 1: '/usr/bin/iiab-gen-iptables' }
- name: Add 'squid' to service list
+- name: Add 'squid' to list of services at /etc/iiab/iiab.ini
-  ini_file: dest='{{ service_filelist }}'
+  ini_file:
-            section=squid
+    dest: "{{ service_filelist }}"
-            option='{{ item.option }}'
+    section: squid
-            value='{{ item.value }}'
+    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - option: enabled
      value: "{{ squid_enabled }}"
- name: Add 'dansguardian' to service list
+- name: Add 'dansguardian' to list of services at /etc/iiab/iiab.ini
-  ini_file: dest='{{ service_filelist }}'
+  ini_file:
-            section=dansguardian
+    dest: "{{ service_filelist }}"
-            option='{{ item.option }}'
+    section: dansguardian
-            value='{{ item.value }}'
+    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - option: enabled
      value: "{{ dansguardian_enabled }}"
- name: Add 'wondershaper' to service list
+- name: Add 'wondershaper' to list of services at /etc/iiab/iiab.ini
-  ini_file: dest='{{ service_filelist }}'
+  ini_file:
-            section=wondershaper
+    dest: "{{ service_filelist }}"
-            option='{{ item.option }}'
+    section: wondershaper
-            value='{{ item.value }}'
+    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - option: enabled
      value: "{{ wondershaper_enabled }}"
--- a/roles/network/tasks/ifcfg_mods.yml
+++ b/roles/network/tasks/ifcfg_mods.yml
@ -26,16 +26,22 @@
  with_items:
    - "{{ discovered_lan_iface }}"
- name: bind may be affected
+- name: BIND may be affected
-  service: name={{ dns_service }} state=stopped
+  service:
    name: "{{ dns_service }}"
    state: stopped
  when: named_install and dnsmasq_enabled
 - name: dhcpd_server may be affected - stopping dhcpd
-  service: name=dhcpd state=stopped
+  service:
    name: dhcpd
    state: stopped
  when: dhcpd_install
 - name: dhcpd_server may be affected - stopping dnsmasq
-  service: name=dnsmasq state=stopped
+  service:
    name: dnsmasq
    state: stopped
  when: dnsmasq_install
 - name: Stop the LAN/Bridge deleting iiab-LAN
@ -59,21 +65,24 @@
 #  when: iiab_wan_iface != "none" and not has_WAN and has_ifcfg_gw == "none" and xo_model == "none" and not iiab_demo_mode
 - name: Configuring LAN interface as iiab_lan_iface
-  template: src=network/ifcfg.j2
+  template:
-            dest=/etc/sysconfig/network-scripts/ifcfg-LAN
+    src: network/ifcfg.j2
    dest: /etc/sysconfig/network-scripts/ifcfg-LAN
  when: iiab_lan_iface != "none"
 # can be more than one wired interface
 - name: Wired enslaving ## lan_list_result ## to Bridge
-  template: src=network/ifcfg-slave.j2
+  template:
-            dest=/etc/sysconfig/network-scripts/ifcfg-{{ item|trim }}
+    src: network/ifcfg-slave.j2
    dest: "/etc/sysconfig/network-scripts/ifcfg-{{ item|trim }}"
  when: iiab_lan_iface == "br0" and item|trim != iiab_wireless_lan_iface and item|trim != iiab_wan_iface
  with_items:
-      - "{{ lan_list_result.stdout_lines }}"
+    - "{{ lan_list_result.stdout_lines }}"
 - name: WiFi enslaving {{ iiab_wireless_lan_iface }} to Bridge
-  template: src=network/wifi-slave.j2
+  template:
-            dest=/etc/sysconfig/network-scripts/ifcfg-{{ iiab_wireless_lan_iface }}
+    src: network/wifi-slave.j2
    dest: "/etc/sysconfig/network-scripts/ifcfg-{{ iiab_wireless_lan_iface }}"
  when: iiab_lan_iface == "br0" and iiab_wireless_lan_iface != "none"
  tags:
    - network
@ -81,7 +90,7 @@
 - include_tasks: enable_wan.yml
  when: not installing and not iiab_demo_mode
- name: ask systemd to reread the unit files, picks up changes done
+- name: Ask systemd to reread the unit files, picks up changes done
  systemd:
    daemon_reload: yes
  when: not installing
@ -111,7 +120,7 @@
  ignore_errors: True
  when: iiab_lan_iface == "br0" and item|trim != iiab_wireless_lan_iface and item|trim != iiab_wan_iface and not iiab_demo_mode
  with_items:
-      - "{{ lan_list_result.stdout_lines }}"
+    - "{{ lan_list_result.stdout_lines }}"
 #- name: restart hostapd when wifi is present
 #  service: name=hostapd state=started
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@ -74,6 +74,14 @@
  include_tasks: squid.yml
  when: FQDN_changed and squid_install and iiab_stage|int == 9
 #- name: FOREFULLY ENABLE CAPTIVE PORTAL
 #  set_fact:
 #    py_captive_portal_install: True
 - name: (Re)Installing captive portal
  include_tasks: captive_portal.yml
  when: py_captive_portal_install
 #### start services
 - include_tasks: avahi.yml
  tags:
--- a/roles/network/tasks/named.yml
+++ b/roles/network/tasks/named.yml
@ -1,6 +1,7 @@
 - name: Install named packages (debuntu)
-  package: name={{ item }}
+  package:
-           state=present
+    name: "{{ item }}"
    state: present
  with_items:
   - bind9
   - bind9utils
@ -9,8 +10,9 @@
    - download
 - name: Install named packages (OS's that are not debuntu)
-  package: name={{ item }}
+  package:
-           state=present
+    name: "{{ item }}"
    state: present
  with_items:
   - bind
   - bind-utils
@ -20,76 +22,87 @@
 # or we have to change the serial number in the config files.
 - name: Stop named before copying files
-  service: name={{ dns_service }} state=stopped
+  service:
    name: "{{ dns_service }}"
    state: stopped
  when: first_run and is_debuntu
 - name: Set folder permission
-  file: path={{ item }}
+  file:
-        owner={{ dns_user }}
+    path: "{{ item }}"
-        group=root
+    owner: "{{ dns_user }}"
-        mode=0755
+    group: root
-        state=directory
+    mode: 0755
    state: directory
  with_items:
    - /var/named-iiab
    - /var/named-iiab/data
    - /etc/sysconfig/olpc-scripts/domain_config.d
 - name: Configure named
-  template: src={{ item.src }}
+  template:
-            dest={{ item.dest }}
+    src: "{{ item.src }}"
-            owner={{ item.owner }}
+    dest: "{{ item.dest }}"
-            group=root
+    owner: "{{ item.owner }}"
-            mode={{ item.mode }}
+    group: root
    mode: "{{ item.mode }}"
  with_items:
-    - { src: 'roles/network/templates/named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf', owner: "root" , mode: '0644' }
+    - { src: 'roles/network/templates/named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf', owner: "root", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.j2', dest: '/etc/sysconfig/named', owner: "root" , mode: '0644' }
+    - { src: 'roles/network/templates/named/named.j2', dest: '/etc/sysconfig/named', owner: "root", mode: '0644' }
-    - { src: 'roles/network/templates/named/named', dest: '/etc/sysconfig/olpc-scripts/domain_config.d/named', owner: "root" , mode: '0644' }
+    - { src: 'roles/network/templates/named/named', dest: '/etc/sysconfig/olpc-scripts/domain_config.d/named', owner: "root", mode: '0644' }
-    - { src: 'roles/network/templates/named/localdomain.zone', dest: '/var/named-iiab/localdomain.zone',owner: "{{ dns_user }}" , mode: '0644' }
+    - { src: 'roles/network/templates/named/localdomain.zone', dest: '/var/named-iiab/localdomain.zone', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/localhost.zone', dest: '/var/named-iiab/localhost.zone', owner: "{{ dns_user }}" , mode: '0644' }
+    - { src: 'roles/network/templates/named/localhost.zone', dest: '/var/named-iiab/localhost.zone', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.broadcast', dest: '/var/named-iiab/named.broadcast', owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.broadcast', dest: '/var/named-iiab/named.broadcast', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.ip6.local', dest: '/var/named-iiab/named.ip6.local' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.ip6.local', dest: '/var/named-iiab/named.ip6.local', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.local', dest: '/var/named-iiab/named.local' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.local', dest: '/var/named-iiab/named.local', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.rfc1912.zones', dest: '/var/named-iiab/named.rfc1912.zones' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.rfc1912.zones', dest: '/var/named-iiab/named.rfc1912.zones', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.root', dest: '/var/named-iiab/named.root' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.root', dest: '/var/named-iiab/named.root', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.root.hints', dest: '/var/named-iiab/named.root.hints' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.root.hints', dest: '/var/named-iiab/named.root.hints', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.zero', dest: '/var/named-iiab/named.zero' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.zero', dest: '/var/named-iiab/named.zero', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.external.zone.db', dest: '/var/named-iiab/school.external.zone.db' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/school.external.zone.db', dest: '/var/named-iiab/school.external.zone.db', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.internal.zone.16.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.16.in-addr.db' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/school.internal.zone.16.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.16.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.internal.zone.32.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.32.in-addr.db' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/school.internal.zone.32.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.32.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.internal.zone.48.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.48.in-addr.db' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/school.internal.zone.48.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.48.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
 # the following two files are not writeable by named, but bind 9.4 cannot discover that fact correctly
-    - { src: 'roles/network/templates/named/school.internal.zone.db', dest: '/var/named-iiab/school.internal.zone.db' , owner: "root" , mode: '0644'}
+    - { src: 'roles/network/templates/named/school.internal.zone.db', dest: '/var/named-iiab/school.internal.zone.db', owner: "root", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.local.zone.db', dest: '/var/named-iiab/school.local.zone.db' , owner: "root" , mode: '0644'}
+    - { src: 'roles/network/templates/named/school.local.zone.db', dest: '/var/named-iiab/school.local.zone.db', owner: "root", mode: '0644' }
-    - { src: 'roles/network/templates/named/school.internal.zone.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.in-addr.db' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/school.internal.zone.in-addr.db.j2', dest: '/var/named-iiab/school.internal.zone.in-addr.db', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/dummy', dest: '/var/named-iiab/data/dummy' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/dummy', dest: '/var/named-iiab/data/dummy', owner: "{{ dns_user }}", mode: '0644' }
-    - { src: 'roles/network/templates/named/named.blackhole', dest: '/var/named-iiab/named.blackhole' , owner: "{{ dns_user }}" , mode: '0644'}
+    - { src: 'roles/network/templates/named/named.blackhole', dest: '/var/named-iiab/named.blackhole', owner: "{{ dns_user }}", mode: '0644' }
 - name: Substitute our unit file which uses $OPTIONS from sysconfig
-  template: src=roles/network/templates/named/{{ dns_service }}.service
+  template:
-            dest=/etc/systemd/system/{{ dns_service }}.service
+    src: "roles/network/templates/named/{{ dns_service }}.service"
-            mode=0644
+    dest: "/etc/systemd/system/{{ dns_service }}.service"
    mode: 0644
- name: The dns-jail redirect requires the named.blackhole,disabling recursion
+- name: The dns-jail redirect requires the named.blackhole, disabling recursion
 #        in named-iiab.conf, and the redirection of 404 error documents to /
-  template: src=roles/network/templates/named/dns-jail.conf dest=/etc/{{ apache_config_dir }}/
+  template:
    src: roles/network/templates/named/dns-jail.conf
    dest: "/etc/{{ apache_config_dir }}/"
  when: dns_jail_enabled
- name: Separate enabling required for debuntu
+- name: Separate enabling required (debuntu)
-  file: src=/etc/{{ apache_config_dir }}/dns-jail.conf
+  file:
-        path=/etc/{{ apache_service }}/sites-enabled/dns-jail.conf
+    src: "/etc/{{ apache_config_dir }}/dns-jail.conf"
-        state=link
+    path: "/etc/{{ apache_service }}/sites-enabled/dns-jail.conf"
    state: link
  when: is_debuntu and dns_jail_enabled
- name: Separate enabling/disabling required (debuntu)
+- name: Separate disabling required (debuntu)
-  file: src=/etc/{{ apache_config_dir }}/dns-jail.conf
+  file: 
-        path=/etc/{{ apache_service }}/sites-enabled/dns-jail.conf
+    path: "/etc/{{ apache_service }}/sites-enabled/dns-jail.conf"
-        state=absent
+    state: absent
  when: is_debuntu and not dns_jail_enabled
 - name: Separate enabling/disabling required (OS's that are not debuntu)
-  file: path=/etc/{{ apache_config_dir }}/dns-jail.conf
+  file:
-        state=absent
+    path: "/etc/{{ apache_config_dir }}/dns-jail.conf"
    state: absent
  when: not is_debuntu and not dns_jail_enabled
 - name: Start named after copying files
-  service: name={{ dns_service }} state=started
+  service:
    name: "{{ dns_service }}"
    state: started
--- a/roles/network/tasks/restart.yml
+++ b/roles/network/tasks/restart.yml
@ -1,4 +1,4 @@
- name: restart hostapd when wifi is present
+- name: Restart hostapd when WiFi is present
  systemd:
    name: hostapd
    state: restarted
--- a/roles/network/tasks/rpi_debian.yml
+++ b/roles/network/tasks/rpi_debian.yml
@ -20,7 +20,7 @@
    dest: /etc/dhcpcd.conf
    src: network/dhcpcd.conf.j2
- name: New raspbian requires counry code -- check for it
+- name: New raspbian requires country code -- check for it
  shell: grep country /etc/wpa_supplicant/wpa_supplicant.conf
  register: country_code
  ignore_errors: True
--- a/roles/network/templates/captive_portal/captive_portal.py.j2
+++ b/roles/network/templates/captive_portal/captive_portal.py.j2
@ -0,0 +1,97 @@
 #!/usr/bin/python
 # Captive portal script adapted from https://github.com/nikosft/captive-portal
 import subprocess
 import BaseHTTPServer
 import cgi
 # These variables are used as settings
 PORT       = int("{{ py_captive_portal_port }}")        # the port in which the captive portal web server listens
 IFACE      = "{{ iiab_lan_iface }}"       # the interface that captive portal protects
 IP_ADDRESS = "{{ lan_ip }}"  # the ip address of the captive portal (it can be the IP of IFACE)
 '''
 This it the http server used by the the captive portal
 '''
 class CaptivePortal(BaseHTTPServer.BaseHTTPRequestHandler):
    #this is the index of the captive portal
    #it simply redirects the user to the to login page
    html_redirect = """
    <html>
    <head>
        <meta http-equiv="refresh" content="0; url=http://%s:%s/login" />
    </head>
    <body>
        <b>Redirecting to login page</b>
    </body>
    </html>
    """%(IP_ADDRESS, PORT)
    #the login page
    html_login = """
    <html>
    <body>
        <b>Login Form</b>
        <form method="POST" action="do_login">
        Username: <input type="text" name="username"><br>
        Password: <input type="password" name="password"><br>
        <input type="submit" value="Submit">
        </form>
    </body>
    </html>
    """
    '''
    if the user requests the login page show it, else
    use the redirect page
    '''
    def do_GET(self):
        path = self.path
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        if path == "/login":
            self.wfile.write(self.html_login)
        else:
            self.wfile.write(self.html_redirect)
    '''
    this is called when the user submits the login form
    '''
    def do_POST(self):
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        form = cgi.FieldStorage(
            fp=self.rfile,
            headers=self.headers,
            environ={'REQUEST_METHOD':'POST',
                     'CONTENT_TYPE':self.headers['Content-Type'],
                     })
        username = form.getvalue("username")
        password = form.getvalue("password")
        #dummy security check
        if username == '{{ py_captive_portal_username }}' and password == '{{ py_captive_portal_password }}':
            #authorized user
            remote_IP = self.client_address[0]
            print 'New authorization from '+ remote_IP
            print 'Updating IP tables'
            subprocess.call(["iptables","-t", "nat", "-I", "PREROUTING","1", "-s", remote_IP, "-j" ,"ACCEPT"])
            subprocess.call(["iptables", "-I", "FORWARD", "-s", remote_IP, "-j" ,"ACCEPT"])
            self.wfile.write("You are now authorized. Navigate to any URL")
        else:
            #show the login form
            self.wfile.write(self.html_login)
    #the following function makes server produce no output
    #comment it out if you want to print diagnostic messages
    #def log_message(self, format, *args):
    #    return
 print "Starting captive portal web server"
 httpd = BaseHTTPServer.HTTPServer(('', PORT), CaptivePortal)
 try:
    httpd.serve_forever()
 except KeyboardInterrupt:
    pass
 httpd.server_close()
--- a/roles/network/templates/captive_portal/captive_portal.service.j2
+++ b/roles/network/templates/captive_portal/captive_portal.service.j2
@ -0,0 +1,15 @@
 [Unit]
 Description=Captive portal
 After=syslog.target
 [Service]
 Type=simple
 User=root
 Group=root
 WorkingDirectory=/opt/iiab/captive-portal
 ExecStart=/opt/iiab/captive-portal/captive_portal.py
 StandardOutput=syslog
 StandardError=syslog
 [Install]
 WantedBy=multi-user.target
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@ -57,11 +57,13 @@ services_externally_visible={{ services_externally_visible }}
 calibre_port={{ calibre_port }}
 kiwix_port={{ kiwix_port }}
 kalite_server_port={{ kalite_server_port }}
 kolibri_http_port={{ kolibri_http_port }}
 sugarizer_port={{ sugarizer_port }}
 block_DNS={{ block_DNS }}
 captive_portal_enabled={{ captive_portal_enabled }}
 py_captive_portal_enabled={{ py_captive_portal_enabled }}
-echo "Lan is $lan and WAN is $wan"
+echo "LAN is $lan and WAN is $wan"
 #
 # delete all existing rules.
 #
@ -89,6 +91,7 @@ fi
 if [ "$services_externally_visible" == "True" ]; then
    $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
 fi
@ -101,12 +104,13 @@ $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACC
 #Block https traffic except if directed at server
 if [  "$gw_block_https" == "True" ]; then
-    $IPTABLES -A FORWARD -p tcp ! -d 172.18.96.1 --dport 443 -j DROP
+    $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
 fi
 # Allow outgoing connections from the LAN side.
-$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
+if ! [ "$py_captive_portal_enabled" == "True" ];then
-
+    $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
 fi
 # Don't forward from the outside to the inside.
 $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
 $IPTABLES -A INPUT -i $wan -j DROP
@ -122,8 +126,11 @@ if [ "$captive_portal_enabled" == "True" ];then
   $IPTABLES -t mangle -A internet -j MARK --set-mark 99
   $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}
 elif [ "py_$captive_portal_enabled" == "True" ];then
    $IPTABLES  -t nat  -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:{{ py_captive_portal_port }}
 elif [ "$HTTPCACHE_ON" == "True" ]; then
-    $IPTABLES  -t nat  -A PREROUTING -i $lan -p tcp --dport 80 ! -d 172.18.96.1 -j DNAT --to 172.18.96.1:3128
+    $IPTABLES  -t nat  -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
 fi
 # Enable routing.
--- a/roles/network/templates/network/dnsmasq.conf.j2
+++ b/roles/network/templates/network/dnsmasq.conf.j2
@ -4,7 +4,7 @@ bogus-priv
 #server=/{{ iiab_domain }}/{{ iiab_hostname }}
 # Add local-only domains here, queries in these domains are answered　from /etc/hosts or DHCP only.
 local=/{{ iiab_domain }}/
-{% if captive_portal_enabled == "True" %}
+{% if dns_jail_enabled %}
 # Make all host names resolve to the Raspberry Pi's IP address
 address=/#/{{ lan_ip }}
 {% endif %}
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -18,6 +18,7 @@
    url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}"
    dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
    force: yes
    #validate_certs: False    # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954
    timeout: "{{ download_timeout }}"
  when: internet_available and nextcloud_force_install
  async: 900
--- a/roles/nextcloud/templates/nextcloud.conf.j2
+++ b/roles/nextcloud/templates/nextcloud.conf.j2
@ -6,7 +6,7 @@ Alias {{ nextcloud_url }} {{ nextcloud_prefix }}/nextcloud
    <IfModule mod_authz_core.c>
    # Apache 2.4
    Require host localhost
-    Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} {{ nextcloud_required_ip }}
+    Require ip 127.0.0.1 {{ lan_ip }}/{{ lan_netmask }} {{ nextcloud_required_ip }} {{ openvpn_server_virtual_ip }}/255.255.255.0
    </IfModule>
    <IfModule !mod_authz_core.c>
    # Apache 2.2
--- a/roles/osm/tasks/main.yml
+++ b/roles/osm/tasks/main.yml
@ -1,6 +1,7 @@
- name: Install OSM required packages
+- name: Install OSM required packages (debuntu)
-  package: name={{ item }}
+  package:
-           state=present
+    name: "{{ item }}"
    state: present
  with_items:
    - gcc
    - python-dev
@ -9,9 +10,10 @@
    - libapache2-mod-xsendfile
  when: is_debuntu
- name: Install OSM required packages
+- name: Install OSM required packages (not debuntu)
-  package: name={{ item }}
+  package:
-           state=present
+    name: "{{ item }}"
    state: present
  with_items:
    - python-pip
    - gcc
@ -22,27 +24,30 @@
  when: not is_debuntu
 # OSM wants a specific version do that first
- name: Install Whoosh 2.6
+- name: Install Whoosh 2.6 (debuntu)
-  pip: name=whoosh
+  pip:
-       virtualenv={{ osm_venv }}
+    name: whoosh
-       virtualenv_site_packages=no
+    virtualenv: "{{ osm_venv }}"
-       version=2.6
+    virtualenv_site_packages: no
-       extra_args="--no-cache-dir"
+    version: 2.6
    extra_args: "--no-cache-dir"
  when: internet_available and is_debuntu
- name: Install Flask 0.12X
+- name: Install Flask 0.12X (debuntu)
-  pip: name=Flask
+  pip:
-       virtualenv={{ osm_venv }}
+    name: Flask
-       virtualenv_site_packages=no
+    virtualenv: "{{ osm_venv }}"
-       version=0.12.4
+    virtualenv_site_packages: no
-       extra_args="--no-cache-dir"
+    version: 0.12.4
    extra_args: "--no-cache-dir"
  when: internet_available and is_debuntu
- name: Install OSM with dependencies
+- name: Install OSM with dependencies (debuntu)
-  pip: name={{ item }}
+  pip:
-       virtualenv={{ osm_venv }}
+    name: "{{ item }}"
-       virtualenv_site_packages=no
+    virtualenv: "{{ osm_venv }}"
-       extra_args="--no-cache-dir"
+    virtualenv_site_packages: no
    extra_args: "--no-cache-dir"
  with_items:
    - MarkupSafe
    - pytz
@ -50,26 +55,29 @@
  when: internet_available and is_debuntu
 # OSM wants a specific version do that first
- name: Install Whoosh 2.6
+- name: Install Whoosh 2.6 (not debuntu)
-  pip: name=whoosh
+  pip:
-       virtualenv={{ osm_venv }}
+    name: whoosh
-       virtualenv_site_packages=no
+    virtualenv: "{{ osm_venv }}"
-       version=2.6
+    virtualenv_site_packages: no
    version: 2.6
 #       extra_args="--no-cache-dir"
  when: internet_available and not is_debuntu
- name: Install Flask 0.12X
+- name: Install Flask 0.12X (not debuntu)
-  pip: name=Flask
+  pip:
-       virtualenv={{ osm_venv }}
+    name: Flask
-       virtualenv_site_packages=no
+    virtualenv: "{{ osm_venv }}"
-       version=0.12.4
+    virtualenv_site_packages: no
    version: 0.12.4
 #       extra_args="--no-cache-dir"
  when: internet_available and not is_debuntu
- name: Install OSM with dependencies
+- name: Install OSM with dependencies (not debuntu)
-  pip: name={{ item }}
+  pip:
-       virtualenv={{ osm_venv }}
+    name: "{{ item }}"
-       virtualenv_site_packages=no
+    virtualenv: "{{ osm_venv }}"
    virtualenv_site_packages: no
 #       extra_args="--no-cache-dir"
  with_items:
    - MarkupSafe
@ -77,81 +85,92 @@
    - Internet-in-a-Box
  when: internet_available and not is_debuntu
- name: Set osm_path
+- name: Set osm_path (redhat)
  set_fact:
-     osm_path: "{{ osm_venv }}/{{ python_path }}/iiab"
+    osm_path: "{{ osm_venv }}/{{ python_path }}/iiab"
  when: osm_enabled and is_redhat
- name: Set osm_path
+- name: Set osm_path (debuntu)
  set_fact:
-     osm_path: "{{ osm_venv }}/lib/python2.7/site-packages/iiab"
+    osm_path: "{{ osm_venv }}/lib/python2.7/site-packages/iiab"
  when: osm_enabled and is_debuntu
 - name: Point wsgi to virtual environment (all OS's)
-  lineinfile: dest={{ osm_venv }}/bin/iiab.wsgi
+  lineinfile:
-              regexp="path_to_virtualenv = None"
+    dest: "{{ osm_venv }}/bin/iiab.wsgi"
-              line="path_to_virtualenv = '/usr/local/osm'"
+    regexp: "path_to_virtualenv = None"
-              state=present
+    line: "path_to_virtualenv = '/usr/local/osm'"
    state: present
 - name: Copy OSM config file (all OS's)
-  template: backup=no
+  template:
-            src=osm.conf.j2
+    src: osm.conf.j2
-            dest=/etc/{{ apache_config_dir }}/osm.conf
+    dest: "/etc/{{ apache_config_dir }}/osm.conf"
-            owner=root
+    owner: root
-            group=root
+    group: root
-            mode=0644
+    mode: 0644
    backup: no
  when: osm_enabled
 - name: Create a link from sites-enabled to sites-available (debuntu)
-  file: src=/etc/{{ apache_config_dir }}/osm.conf
+  file:
-        dest=/etc/apache2/sites-enabled/osm.conf
+    src: "/etc/{{ apache_config_dir }}/osm.conf"
-        state=link
+    dest: /etc/apache2/sites-enabled/osm.conf
    state: link
  when: osm_enabled and is_debuntu
 - name: Remove the link from sites-enabled to sites-available (debuntu)
-  file: dest=/etc/apache2/sites-enabled/osm.conf
+  file:
-        state=absent
+    dest: /etc/apache2/sites-enabled/osm.conf
    state: absent
  when: not osm_enabled and is_debuntu
 - name: Remove the osm.conf (redhat)
-  file: dest=/{{ apache_config_dir }}/osm.conf
+  file:
-        state=absent
+    dest: "/{{ apache_config_dir }}/osm.conf"
    state: absent
  when: not osm_enabled and is_redhat
 - name: Remove link to cgi (all OS's)
-  file: dest={{ doc_root }}/osm.wsgi
+  file:
-        state=absent
+    dest: "{{ doc_root }}/osm.wsgi"
    state: absent
  when: not osm_enabled
 - name: Create link to cgi (all OS's)
-  file: src={{ osm_venv }}/bin/iiab.wsgi
+  file:
-        dest={{ doc_root }}/osm.wsgi
+    src: "{{ osm_venv }}/bin/iiab.wsgi"
-        owner=root
+    dest: "{{ doc_root }}/osm.wsgi"
-        group=root
+    owner: root
-        state=link
+    group: root
    state: link
  when: osm_enabled
 - name: Create the knowledge data set folders
-  file: path=/library/knowledge/modules
+  file:
-        state=directory
+    path: /library/knowledge/modules
-        owner={{ apache_user }}
+    state: directory
-        group={{ apache_user }}
+    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
 # the following was brought into OSM playbook from iiab-factory osm-fix script
 - name: Copy the files
-  template: src={{ item.src }} dest={{ item.dest }}
+  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
-     - { src: 'defaults.ini', dest: "{{ osm_path }}/" }
+    - { src: 'defaults.ini', dest: "{{ osm_path }}/" }
-     - { src: 'etc.iiab.conf', dest: '/etc/iiab.conf' }
+    - { src: 'etc.iiab.conf', dest: '/etc/iiab.conf' }
-     - { src: 'map_search.py', dest: "{{ osm_path }}/map_search.py" }
+    - { src: 'map_search.py', dest: "{{ osm_path }}/map_search.py" }
-     - { src: 'map.html', dest: "{{ osm_path }}/static/map.html" }
+    - { src: 'map.html', dest: "{{ osm_path }}/static/map.html" }
-     - { src: 'l.control.geosearch.js', dest: "{{ osm_path }}/static/lib/leaflet/geosearch/l.control.geosearch.js" }
+    - { src: 'l.control.geosearch.js', dest: "{{ osm_path }}/static/lib/leaflet/geosearch/l.control.geosearch.js" }
-     - { src: '{{ osm_path }}/static/map.html', dest: "{{ osm_path }}/static/index.html" }
+    - { src: "{{ osm_path }}/static/map.html", dest: "{{ osm_path }}/static/index.html" }
  when: osm_enabled
 - name: Restart httpd service
-  service: name={{ apache_service }}
+  service:
-           state=restarted
+    name: "{{ apache_service }}"
    state: restarted
 - name: Add 'osm' to list of services at /etc/iiab/iiab.ini
  ini_file:
--- a/roles/phpmyadmin/defaults/main.yml
+++ b/roles/phpmyadmin/defaults/main.yml
@ -1,4 +1,4 @@
 phpmyadmin_install: False
 phpmyadmin_enabled: False
-phpmyadmin_name: "phpMyAdmin-4.8.1-all-languages"
+phpmyadmin_name: "phpMyAdmin-4.8.2-all-languages"
 phpmyadmin_name_zip: "{{ phpmyadmin_name }}.zip"
--- a/roles/rachel/README.rst
+++ b/roles/rachel/README.rst
@ -13,7 +13,7 @@ Do the following:
 * cd /library/rachel
 * mv /library/rachelusb_32EN_3.1.4/RACHEL/bin .
 * you should see /library/rachel/bin/www/index.php
-* re-run ansible (making sure that rachel_enabled: True has been set in vars/local_vars.yml
+* re-run ansible (making sure that rachel_enabled: True has been set in /etc/iiab/local_vars.yml
 Locations
 ---------
--- a/roles/sugarizer/defaults/main.yml
+++ b/roles/sugarizer/defaults/main.yml
@ -1,6 +1,15 @@
 sugarizer_install: True
 sugarizer_enabled: False
-sugarizer_location: /opt/iiab
+
-sugarizer_version: 'sugarizer-1.0'
+sugarizer_location: "{{ iiab_base }}"    # /opt/iiab
-sugarizer_server_version: 'sugarizer-server-1.0'
+
-npm_exists: False
+sugarizer_version: sugarizer-1.0
 sugarizer_git_version: v1.0.1
 # PLEASE HELP MONITOR https://github.com/llaske/sugarizer/releases
 sugarizer_server_version: sugarizer-server-1.0
 sugarizer_server_git_version: v1.0.1    # "master" worked over July 11-14, 2018
 # PLEASE HELP MONITOR https://github.com/llaske/sugarizer-server/releases
 # Unused as of 2018-07-14
 # node_modules_exists: False
--- a/roles/sugarizer/tasks/main.yml
+++ b/roles/sugarizer/tasks/main.yml
@ -1,94 +1,168 @@
- name: Wipe any previous sugarizer installation
+# 0. CLEAN UP PRIOR VERSIONS OF SUGARIZER (NEEDS WORK!)
 - name: Wipe /library/www/html/sugarizer* if installing sugarizer-1.0
  shell: "rm -rf {{ doc_root }}/sugarizer*"
  when: sugarizer_version == "sugarizer-1.0"
- name: Download latest stable Sugarizer from location we control
+# 1. DOWNLOAD+LINK /opt/iiab/sugarizer
-  get_url:
+
-    url: "{{ iiab_download_url }}/{{ sugarizer_version }}.tar.gz"
+- name: Clone llaske/sugarizer ({{ sugarizer_git_version }}) from GitHub to /opt/iiab (MAY DOWNLOAD 600+ MB)
-    dest: "{{ downloads_dir }}/{{ sugarizer_version }}.tar.gz"
+  git:
-    timeout: "{{ download_timeout }}"
+    repo: https://github.com/llaske/sugarizer
    dest: "{{ sugarizer_location }}/{{ sugarizer_version }}"
    version: "{{ sugarizer_git_version }}"
    force: yes
    depth: 1
  when: internet_available
- name: Untar to {{ sugarizer_version }}
+- name: Create symbolic link /opt/iiab/sugarizer -> /opt/iiab/{{ sugarizer_version }}
  unarchive:
    src: "{{ downloads_dir }}/{{ sugarizer_version }}.tar.gz"
    dest: "{{ sugarizer_location }}"
    creates: "{{ sugarizer_location }}/{{ sugarizer_version }}/index.html"
 #  command: tar xzf {{ downloads_dir }}/{{ sugarizer_version }}.tar.gz -C {{ sugarizer_location }}
 #           creates="{{ sugarizer_location }}/{{ sugarizer_version }}/index.html"
 - name: Download latest stable Server from location we control
  get_url:
    url: "{{ iiab_download_url }}/{{ sugarizer_server_version }}.tar.gz"
    dest: "{{ downloads_dir }}/{{ sugarizer_server_version }}.tar.gz"
    timeout: "{{ download_timeout }}"
  when: internet_available
 - name: Untar to /{{ sugarizer_version }}
  unarchive:
    src: "{{ downloads_dir }}/{{ sugarizer_version }}.tar.gz"
    dest: "{{ sugarizer_location }}"
    creates: "{{ sugarizer_location }}/{{ sugarizer_version }}/index.html"
 - name: Create symbolic link /library/www/html/sugarizer
  file:
    src: "{{ sugarizer_location }}/{{ sugarizer_version }}"
    dest: "{{ sugarizer_location }}/sugarizer"
    state: link
- name: Untar to /library/www/html/{{ sugarizer_server_version }}
+# 2. DOWNLOAD+LINK /opt/iiab/sugarizer-server
-  unarchive:
+
-    src: "{{ downloads_dir }}/{{ sugarizer_server_version }}.tar.gz"
+# 2018-07-11: http://download.iiab.io/packages/sugarizer-server-1.0.tar.gz
-    dest: "{{ sugarizer_location }}"
+# was flawed, as documented at:
-    creates: "{{ sugarizer_location }}/{{ sugarizer_server_version }}/index.html"
+#    https://github.com/iiab/iiab/pull/814#issuecomment-404211098
- name: Create symbolic link /library/www/html/sugarizer
+# Versions of MongoDB, npm (& Node.js ?) matter!  Sugarizer 1.0 Context:
 #    https://github.com/iiab/iiab/issues/798
 # Going forward let's "git clone" IIAB's preferred versions, of sugarizer
 # AND sugarizer-server, as specified in roles/sugarizer/defaults/main.yml
 # 2018-07-14 BLOAT: git works well BUT even with "depth: 1"
 # - 229MB is unfort downloaded to /opt/iiab/sugarizer/.git
 # - 1.4MB is unfort downloaded to /opt/iiab/sugarizer-server/.git
 # CLARIF: during repeat runs of "./runrole sugarizer", this git sync shows
 # "changed" (whereas above git sync shows "ok").  Reason: "npm install"
 # (below) modifies /opt/iiab/sugarizer-server/node_modules
 - name: Clone llaske/sugarizer-server ({{ sugarizer_server_git_version }}) from GitHub to /opt/iiab
  git:
    repo: https://github.com/llaske/sugarizer-server
    dest: "{{ sugarizer_location }}/{{ sugarizer_server_version }}"
    version: "{{ sugarizer_server_git_version }}"
    force: yes
    depth: 1
  when: internet_available
 - name: Create symbolic link /opt/iiab/sugarizer-server -> /opt/iiab/{{ sugarizer_server_version }}
  file:
    src: "{{ sugarizer_location }}/{{ sugarizer_server_version }}"
    dest: "{{ sugarizer_location }}/sugarizer-server"
    state: link
- name: Set up Node.js 6.x apt sources (debuntu)
+# 3. INSTALL A GOOD VERSION OF Node.js AND npm
-  shell: curl -sL https://deb.nodesource.com/setup_6.x | bash -
+
 - name: Set up Node.js 8.x apt sources (debuntu, but avoid ubuntu-18)
  shell: curl -sL https://deb.nodesource.com/setup_8.x | bash -
  when: internet_available and is_debuntu and not is_ubuntu_18
- name: Install latest Node.js which includes /usr/bin/npm (debuntu)
+- name: Install latest Node.js which includes /usr/bin/npm (debuntu, but avoid ubuntu-18)
  package:
    name: nodejs
    # name: nodejs=8.x
    state: latest
-# package: name=nodejs=6.*
+    # state: present
 #          state=present
  when: internet_available and is_debuntu and not is_ubuntu_18
- name: Install npm (OS's other than debuntu)
+# 2018-07-14: BOTH STEPS ABOVE TAKE TIME, but Raspbian (apt offers npm
-  package:
+# 1.4.21) & Debian 9 (apt offers no npm!) STILL NEED the above
-    name: "{{ item }}"
+# nodesource.com approach to get a version of npm that works with Sugarizer:
-    state: present
+# https://github.com/iiab/iiab/issues/798#issuecomment-404324530
-  when: internet_available and not is_debuntu
+#
-  with_items:
+# MORE POSITIVELY: this nodesource.com approach (brings in npm 5.6.0 with
-    - nodejs
+# nodejs 8.11.3 for now, to any OS) would also work on Ubuntu 18.04, and
-    - npm
+# might even bring about a sane consistency across mainline OS's?
 #
 # BUT FOR NOW: Ubuntu 18.04's apt (approach below) brings in npm 3.5.2,
 # which appears suffic "SO FAR"?  18.04's nodejs 8.10.0 is more reassuring!
- name: Install npm (ubuntu-18)
+# CRAZY IDEA: most versions of npm can upgrade themselves to the latest
 # (6.2.0 for now) using command "npm install -g npm", if that helps us in
 # future, e.g. TK's memory issue etc?  If so, be CAREFUL this puts npm
 # in /usr/local/bin on Ubuntu 18.04 -- unlike Ubuntu 16.04 and Raspbian
 # where it upgrades /usr/bin/npm in place:
 # https://askubuntu.com/questions/1036278/npm-is-incorrect-version-on-latest-ubuntu-18-04-installation
 - name: Install Node.js and npm (ubuntu-18 or not debuntu)
  package:
    name: "{{ item }}"
    state: latest
  when: internet_available and is_ubuntu_18
  with_items:
    - npm
    - nodejs
    - npm
  when: internet_available and (is_ubuntu_18 or not is_debuntu)
-# attempting to reinstall npm is broken on Raspbian 9
+# 4. RUN "npm install" TO POPULATE ~35MB /opt/iiab/sugarizer-server/node_modules
 - name: Check for Sugarizer already installed
  stat:
    path: "{{ sugarizer_location }}/{{ sugarizer_server_version }}/node_modules"
  register: npm
  ignore_errors: true
- name: Set a flag to abort second attempt to install
+# Re-running "npm install" USED TO fail on Raspbian 9 if not other OS's ?
-  set_fact:
+# Strategies considered to avoid re-running it:
-    npm_exists: True
+# OLD WAY 1: test & set flag node_modules_exists: True
-  when: npm.stat is defined and npm.stat.exists
+# OLD WAY 2: "creates: ..." checks for non-existence of /opt/iiab/sugarizer-server-1.0/node_modules
 # OLD WAY 3: set "register: git_sug_server_output" above, then as nec delete /opt/iiab/sugarizer-server-1.0/node_modules "when: git_sug_server_output.changed" and as nec run "npm install"
- name: Create systemd files and copy our ini file
+#- name: Check for /opt/iiab/{{ sugarizer_server_version }}/node_modules
 #  stat:
 #    path: "{{ sugarizer_location }}/{{ sugarizer_server_version }}/node_modules"
 #  register: nmtest
 #  ignore_errors: true
 #
 #- name: Set a flag to prevent re-running of "npm install"
 #  set_fact:
 #    node_modules_exists: True
 #  when: nmtest.stat is defined and nmtest.stat.exists
 # NEW WAY BELOW: run "npm install --allow-root" every time, as modern versions
 # of npm are incremental, with sanity checks (all 3 may work: but npm 6.2.0
 # is better than 5.6.0. which is better than Ubuntu 18.04's 3.5.2).
 # 2018-07-15: TK Kang & Holt confirmed sudo-driven "npm install" maxes out CPU
 # for hours, on diff OS's using npm 5.6.0 and 6.2.0.  Hours later you may get
 # error: code EACCES, errno -13 (permission denied),
 # "Missing write access to /opt/iiab/sugarizer-server-1.0/node_modules"
 #
 # SOLUTION: Implement '--allow-root --unsafe-perm=true' below, as is critical
 # for 1st run of sudo-driven 'npm install' especially:
 #
 # ON DEBIAN: npm 5.6.0's --allow-root would be sufficient: causing creation
 # of /root/.npm cache & lock files to owned by root:root instead of
 # iiab-admin:iiab-admin...thus permitting it & IIAB installs to complete!
 #
 # ON RASPBIAN: npm 5.6.0's --unsafe-perm=true is *required* so that npm
 # install actually finished (in about 5 minutes).  It's possible we should
 # remove --allow-root in favore of --unsafe-perm=true alone.  But this needs
 # testing on different Linuxes before proceeding.
 #
 # CLARIF 1: Something like 'chown -R root:root /root/.npm' would do the job,
 # but cannot happen synchronously throughout the 1st run of 'npm install'
 # (when it's needed!)  Similar to what --allow-root does on Debian.
 #
 # CLARIF 2: Ubuntu 18.04 is currently unaffected due to its ancient
 # npm 3.5.2, which instead uses /home/iiab-admin/.npm (which remains owned
 # by iiab-admin:iiab-admin, even with '--allow-root', but thankfully still
 # gets the job done, for now!)
 #- name: Create the express framework for Node.js (OS's other than Fedora 18)
 - name: Run 'npm install --allow-root --unsafe-perm=true' to create /opt/iiab/{{ sugarizer_server_version }}/node_modules (CAN TAKE ~3 MINUTES)
  command: npm install --allow-root --unsafe-perm=true    # "command:" a bit safer than "shell:"
  args:
    chdir: "{{ sugarizer_location }}/{{  sugarizer_server_version }}"
    #creates: "{{ sugarizer_location }}/{{ sugarizer_server_version }}/node_modules"    # OLD WAY 2
  when: internet_available    # "npm install" generally requires Internet access
 # when: internet_available and git_sug_server_output.changed    # OLD WAY 3
 # when: internet_available and not is_F18 and not node_modules_exists    # OLD WAY 1
 #- name: Create the express framework for Node.js (Fedora 18)
 #  shell: npm install
 #  args:
 #    chdir: "{{ sugarizer_location }}/sugarizer/server"
 #  when: internet_available and is_F18 and not node_modules_exists
 # 5. PLACE CONFIG FILES
 - name: Configure sugarizer.service (systemd), sugarizer.conf (Apache) and sugarizer.ini
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
@ -96,47 +170,51 @@
    owner: root
    group: root
  with_items:
-    - { src: 'sugarizer.service.j2' , dest: '/etc/systemd/system/sugarizer.service', mode: '0644' }
+    - { src: 'sugarizer.ini', dest: '{{ sugarizer_location }}/{{ sugarizer_server_version }}/env/sugarizer.ini', mode: '0644' }
-    - { src: 'sugarizer.ini' , dest: '{{ sugarizer_location }}/{{ sugarizer_server_version }}/env/sugarizer.ini', mode: '0644' }
+    - { src: 'sugarizer.conf', dest: '/etc/apache2/sites-available', mode: '0644' }
-    - { src: 'sugarizer.conf' , dest: '/etc/apache2/sites-available',mode: '0644' }
+    - { src: 'sugarizer.service.j2', dest: '/etc/systemd/system/sugarizer.service', mode: '0644' }
-    - { src: 'sugarizer.js' , dest: '/opt/iiab/sugarizer-server',mode: '0644' }
+    - { src: 'sugarizer.js', dest: '/opt/iiab/sugarizer-server', mode: '0644' }
- name: Create the symlink enabling the rewrite
+- name: Create symlink for short URL http://box/sugarizer
-  file: src=/etc/apache2/sites-available/sugarizer.conf
+  file:
-        dest=/etc/apache2/sites-enabled/sugarizer.conf
+    src: /etc/apache2/sites-available/sugarizer.conf
-        state=link
+    dest: /etc/apache2/sites-enabled/sugarizer.conf
    state: link
- name: Create the express framework for Node.js (OS's other than Fedora 18)
+# 6. RESTART/STOP SYSTEMD SERVICE
  shell: npm install
  args:
    chdir: "{{ sugarizer_location }}/{{  sugarizer_server_version }}"
    creates: "{{ sugarizer_location }}/{{ sugarizer_server_version }}/server/node_modules"
  when: not is_F18 and not npm_exists
- name: Create the express framework for Node.js (Fedora 18)
+- name: Enable+restart systemd service if sugarizer_enabled, with "systemctl daemon-reload" (in case mongodb.service changed?)
-  shell: npm install
+  systemd:
-  args:
+    name: sugarizer
    chdir: "{{ sugarizer_location }}/sugarizer/server"
  when: is_F18 and not npm_exists
 - name: Enable services (all OS's)
  service:
    name: "{{ item.name }}"
    enabled: yes
    state: restarted
-  with_items:
+    daemon_reload: yes
    - { name: sugarizer }
  when: sugarizer_enabled
- name: Disable services (all OS's)
+- name: 'Disable+stop systemd service if sugarizer_enabled: False'
-  service:
+  systemd:
-    name: "{{ item.name }}"
+    name: sugarizer
    enabled: no
    state: stopped
  with_items:
    - { name: sugarizer }
  when: not sugarizer_enabled
 #- name: Enable services (all OS's)
 #  service:
 #    name: "{{ item.name }}"
 #    enabled: yes
 #    state: restarted
 #  with_items:
 ##   - { name: mongodb }    # 2018-07-14: NICE TRY, but still doesn't bring http://box:8089 to life reliably, as a reboot usually does!  (Is a "systemctl daemon-reload" or some such nec?)
 #    - { name: sugarizer }
 #  when: sugarizer_enabled
 #- name: Disable service (all OS's)
 #  service:
 #    name: sugarizer
 #    enabled: no
 #    state: stopped
 #  when: not sugarizer_enabled
 - name: Add 'sugarizer' to list of services at /etc/iiab/iiab.ini
  ini_file:
    dest: "{{ service_filelist }}"
--- a/roles/sugarizer/templates/sugarizer.ini
+++ b/roles/sugarizer/templates/sugarizer.ini
@ -20,6 +20,7 @@ path = ../sugarizer/
 server = localhost
 port = 27018
 name = sugarizer
 waitdb = 1
 [presence]
 port = 8039
--- a/roles/sugarizer/templates/sugarizer.service.j2
+++ b/roles/sugarizer/templates/sugarizer.service.j2
@ -1,7 +1,8 @@
 [Unit]
 Description=Node.js Sugarizer Server
 Requires=mongodb.service
-After=mongodb.service       # Requires the mongodb service to run first
+After=mongodb.service
 # Requires mongodb service to run first
 [Service]
 WorkingDirectory=/opt/iiab/sugarizer-server/
--- a/roles/usb-lib/tasks/main.yml
+++ b/roles/usb-lib/tasks/main.yml
@ -26,7 +26,7 @@
    - { src: 'iiab-usb-lib-show-all-on' , dest: '/usr/bin/', mode: '0755' }
    - { src: 'iiab-usb-lib-show-all-off' , dest: '/usr/bin/', mode: '0755' }
- name: Enable exfat and ntfs
+- name: Enable exFAT and NTFS
  lineinfile: 
    regexp: '^FILESYSTEMS.*'
    line: 'FILESYSTEMS="vfat ext2 ext3 ext4 hfsplus exfat fuseblk ntfs"'
@ -53,7 +53,7 @@
    state: absent
  when: not usb_lib_enabled
- name: Put a variable in iiab.env for display of content at root of USB
+- name: Put variable in iiab.env that enables display of content at root of USB
  lineinfile:
    dest: /etc/iiab/iiab.env
    regexp: "^IIAB_USB_LIB_SHOW_ALL.*"
@ -65,14 +65,14 @@
    dest: "/etc/{{ apache_config_dir }}"
  when: usb_lib_enabled
- name: Create the link to enable (debian)
+- name: Create the link to enable (debuntu)
  file:
    src: "/etc/{{ apache_config_dir }}/content_dir.conf"
    dest: /etc/apache2/sites-enabled/content_dir.conf
    state: link
  when: is_debuntu
- name: Remove the link that enables (debian)
+- name: Remove the link that enables (debuntu)
  file:
    src: "/etc/{{ apache_config_dir }}/content_dir.conf"
    dest: /etc/apache2/sites-enabled/content_dir.conf
--- a/roles/wordpress/tasks/install.yml
+++ b/roles/wordpress/tasks/install.yml
@ -2,7 +2,7 @@
 # to /library/wordpress) should also work offline...
 #
 # ONLINE OR OFFLINE, IF YOU NEED A CLEAN REINSTALL OF WORDPRESS DURING YOUR
-# NEXT RUN OF "./runtags wordpress" OR "./iiab-install" PLEASE FIRST DO:
+# NEXT RUN OF "./runrole wordpress" OR "./iiab-install" PLEASE FIRST DO:
 #
 # - "mv /library/wordpress /library/wordpress.old"
 # - back up WordPress's database then drop it
--- a/run-one-role.yml
+++ b/run-one-role.yml
@ -5,7 +5,7 @@
  vars_files:
  - vars/default_vars.yml
  - vars/{{ ansible_local.local_facts.os_ver }}.yml
-  - vars/local_vars.yml
+  - /etc/iiab/local_vars.yml
  - /etc/iiab/config_vars.yml
  roles:
--- a/runansible.deprecated
+++ b/runansible.deprecated
--- a/runtags.deprecated
+++ b/runtags.deprecated
--- a/scripts/ansible
+++ b/scripts/ansible
@ -1,12 +1,19 @@
 #!/bin/bash -e
-echo -e '\nATTEMPTING TO INSTALL THE LATEST (RELEASED VERSION OF) ANSIBLE.'
+echo -e '\n\nSTRONGLY RECOMMENDED PREREQUISITE: (1) remove all prior versions of Ansible using "apt purge ansible" and/or "pip uninstall ansible" and (2) clear out all lines containing ansible from /etc/apt/sources.list and /etc/apt/sources.list.d/*\n'
 echo -e 'Ensure you'"'"'re online before running this! (/opt/iiab/iiab/scripts/ansible)'
 echo -e 'INSTRUCTIONS: https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch'
 echo -e 'ALTERNATIVES: Consider scripts/ansible-2.5.x "slow food" instead.\n'
-GOOD_VER="2.5.4"      # Ansible version for OLPC XO laptops (pip install).
+echo -e 'WARNING: repeatedly re-run "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367" if this part of the script fails due to network/mirrors.\n'
-                      # On other OS's we install/upgrade to THE latest (released version of) Ansible.
+
 echo -e 'COMPLETE INSTALL INSTRUCTIONS:\nhttps://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch\n'
 echo -e 'NOW ATTEMPTING TO INSTALL THE LATEST ANSIBLE:'
 echo -e 'Ensure you'"'"'re online before running this (/opt/iiab/iiab/scripts/ansible)\n'
 echo -e 'ALTERNATIVES: Run scripts/ansible-2.5.x-deprecated or scripts/ansible-2.6.x\n\n'
 GOOD_VER="2.6.2"    # Ansible version for OLPC XO laptops (pip install).
                    # On other OS's we attempt to install/upgrade THE latest from PPA, which might provide an even more recent version of Ansible.
 CURR_VER="undefined"
 # below are unused for future use
 # URL="NA"
@ -14,12 +21,12 @@ CURR_VER="undefined"
 export DEBIAN_FRONTEND=noninteractive
 if [ ! `command -v ansible-playbook` ]; then   # "command -v" is POSIX compliant; also catches built-in commands like "cd"
-    echo "Installing --- Please Wait"
+    echo "scripts/ansible will now try to install Ansible --- Please Wait"
    if [ -f /etc/centos-release ]; then
        yum -y install ca-certificates nss epel-release
        yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
        yum -y install python-pip python-setuptools python-wheel patch
-        yum -y install http://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.5.0-1.el7.ans.noarch.rpm
+        yum -y install https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.6.2-1.el7.ans.noarch.rpm
 #    elif [ -f /etc/fedora-release ]; then
 #        CURR_VER=`grep VERSION_ID /etc/*elease | cut -d= -f2`
 #        URL=https://github.com/jvonau/iiab/blob/ansible/vars/fedora-$CURR_VER.yml
@ -67,7 +74,7 @@ else
    #if [[ `grep -qi ansible /etc/apt/sources.list` ]] || [ -f /etc/apt/sources.list.d/ansible*.list ]; then
    elif (grep -qi ansible /etc/apt/sources.list) || (ls /etc/apt/sources.list.d/*ansible*.list >/dev/null 2>&1) ; then
        #echo "Ansible repo(s) found within /etc/apt/sources.list*"
-        echo -e 'MANUAL INTERVENTION URGED:\nANSIBLE REPO(S) FOUND WITHIN /etc/apt/sources.list AND/OR /etc/apt/sources.list.d/*ansible*.list -- MUST CONTAIN LINE "deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main" IF YOU WANT THE LATEST ANSIBLE -- AND REMOVE ALL SIMILAR LINES TO ENSURE ANSIBLE UPDATES CLEANLY -- then re-run this script.\n'
+        echo -e 'CONSIDER MANUAL INTERVENTION:\nANSIBLE REPO(S) FOUND WITHIN /etc/apt/sources.list AND/OR /etc/apt/sources.list.d/*ansible*.list -- MUST CONTAIN LINE "deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main" IF YOU WANT THE LATEST ANSIBLE -- AND REMOVE ALL SIMILAR LINES TO ENSURE ANSIBLE UPDATES CLEANLY -- then re-run this script.\n'
    else
        echo -e 'Upstream ansible source repo not found:\nPLEASE UNINSTALL ANSIBLE (run "apt purge ansible" or "pip uninstall ansible", depending how Ansible was originally installed) THEN RE-RUN THIS SCRIPT.'
        exit 1
--- a/scripts/ansible-2.5.x-deprecated
+++ b/scripts/ansible-2.5.x-deprecated
@ -1,11 +1,18 @@
 #!/bin/bash -e
-echo -e '\nATTEMPTING TO INSTALL THE LATEST ANSIBLE 2.5.x'
+echo -e '\n\nSTRONGLY RECOMMENDED PREREQUISITE: (1) remove all prior versions of Ansible using "apt purge ansible" and/or "pip uninstall ansible" and (2) clear out all lines containing ansible from /etc/apt/sources.list and /etc/apt/sources.list.d/*\n'
 echo -e 'Ensure you'"'"'re online before running this! (/opt/iiab/iiab/scripts/ansible-2.5.x)'
 echo -e 'INSTRUCTIONS: https://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch'
 echo -e 'ALTERNATIVE: Consider scripts/ansible to keep up-to-date as Ansible evolves.\n'
-GOOD_VER="2.5.4"      # Ansible version for OLPC XO laptops (pip install).
+echo -e 'WARNING: repeatedly re-run "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367" if this part of the script fails due to network/mirror.\n'
 echo -e 'COMPLETE INSTALL INSTRUCTIONS:\nhttps://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch\n'
 echo -e 'NOW ATTEMPTING TO INSTALL THE LATEST ANSIBLE 2.5.x:'
 echo -e 'Ensure you'"'"'re online before running this (/opt/iiab/iiab/scripts/ansible-2.5.x)\n'
 echo -e 'ALTERNATIVES: Run scripts/ansible-2.6.x, or scripts/ansible for the latest.\n\n'
 GOOD_VER="2.5.6"      # Ansible version for OLPC XO laptops (pip install).
                      # On other OS's we attempt to install/upgrade/pin to the latest Ansible 2.5.x
 CURR_VER="undefined"
 # below are unused for future use
@ -19,7 +26,7 @@ if [ ! `command -v ansible-playbook` ]; then   # "command -v" is POSIX compliant
        yum -y install ca-certificates nss epel-release
        yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
        yum -y install python-pip python-setuptools python-wheel patch
-        yum -y install http://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.5.0-1.el7.ans.noarch.rpm
+        yum -y install https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.5.5-1.el7.ans.noarch.rpm
 #    elif [ -f /etc/fedora-release ]; then
 #        CURR_VER=`grep VERSION_ID /etc/*elease | cut -d= -f2`
 #        URL=https://github.com/jvonau/iiab/blob/ansible/vars/fedora-$CURR_VER.yml
--- a/scripts/ansible-2.6.x
+++ b/scripts/ansible-2.6.x
@ -0,0 +1,102 @@
 #!/bin/bash -e
 echo -e '\n\nSTRONGLY RECOMMENDED PREREQUISITE: (1) remove all prior versions of Ansible using "apt purge ansible" and/or "pip uninstall ansible" and (2) clear out all lines containing ansible from /etc/apt/sources.list and /etc/apt/sources.list.d/*\n'
 echo -e 'WARNING: repeatedly re-run "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367" if this part of the script fails due to network/mirrors.\n'
 echo -e 'COMPLETE INSTALL INSTRUCTIONS:\nhttps://github.com/iiab/iiab/wiki/IIAB-Installation#do-everything-from-scratch\n'
 echo -e 'NOW ATTEMPTING TO INSTALL THE LATEST ANSIBLE 2.6.x:'
 echo -e 'Ensure you'"'"'re online before running this (/opt/iiab/iiab/scripts/ansible-2.6.x)\n'
 echo -e 'ALTERNATIVES: Run scripts/ansible-2.5.x-deprecated "slow food", or scripts/ansible for the latest.\n\n'
 GOOD_VER="2.6.2"    # Ansible version for OLPC XO laptops (pip install).
                    # On other OS's we attempt to install/upgrade/pin to the latest 2.6.x from PPA, which might provide an even more recent version of Ansible.
 CURR_VER="undefined"
 # below are unused for future use
 # URL="NA"
 export DEBIAN_FRONTEND=noninteractive
 if [ ! `command -v ansible-playbook` ]; then   # "command -v" is POSIX compliant; also catches built-in commands like "cd"
    echo "scripts/ansible-2.6.x will now try to install Ansible --- Please Wait"
    if [ -f /etc/centos-release ]; then
        yum -y install ca-certificates nss epel-release
        yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
        yum -y install python-pip python-setuptools python-wheel patch
        yum -y install https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.6.2-1.el7.ans.noarch.rpm
 #    elif [ -f /etc/fedora-release ]; then
 #        CURR_VER=`grep VERSION_ID /etc/*elease | cut -d= -f2`
 #        URL=https://github.com/jvonau/iiab/blob/ansible/vars/fedora-$CURR_VER.yml
 #        dnf -y install ansible git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
 #        dnf -y install python-pip python-setuptools python-wheel patch
    elif [ -f /etc/olpc-release ]; then
        yum -y install ca-certificates nss
        yum -y install git bzip2 file findutils gzip hg svn sudo tar which unzip xz zip libselinux-python
        yum -y install python-pip python-setuptools python-wheel patch
        pip install --upgrade pip setuptools wheel #EOL just do it
        pip install ansible==$GOOD_VER --disable-pip-version-check
    # Parens are optional, but greatly clarify :)
    elif (grep -qi ubuntu /etc/lsb-release 2> /dev/null) || (grep -qi ubuntu /etc/os-release); then
        apt -y install python-pip python-setuptools python-wheel patch
        #apt-add-repository -y ppa:ansible/ansible
        apt-add-repository -y ppa:ansible/ansible-2.6
    # elif UBUNTU MUST REMAIN ABOVE (as Ubuntu ALSO contains /etc/debian_version, which would trigger the line just below)
    elif [ -f /etc/debian_version ] || (grep -qi raspbian /etc/*elease) ; then
        if ( ! grep -qi ansible /etc/apt/sources.list) && [ ! -f /etc/apt/sources.list.d/ansible ]; then
            apt update
            #apt -y install dirmngr python-pip python-setuptools python-wheel patch
            apt -y install dirmngr
            #echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main" \
            #     >> /etc/apt/sources.list.d/iiab-ansible.list
            echo "deb http://ppa.launchpad.net/ansible/ansible-2.6/ubuntu xenial main" \
                 >> /etc/apt/sources.list.d/iiab-ansible.list
            apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
        fi
    else
        echo "WARN: Could not detect distro or distro unsupported"
        exit 1
    fi
 else
    #CURR_VER=`ansible --version | head -n 1 | cut -f 2 -d " "`
    CURR_VER=`ansible --version | head -1 | awk '{print $2}'`  # to match iiab-install
    echo "Currently installed Ansible version is: $CURR_VER"
    echo -e "INTERNET-IN-A-BOX GENERALLY REQUIRES ANSIBLE VERSION: $GOOD_VER or higher\n"
    if [ -f /etc/centos-release ] || [ -f /etc/fedora-release ]; then
        echo "Please use your system's package manager (or pip if nec) to update Ansible."
        exit 0
    elif [ -f /etc/olpc-release ]; then
        echo "Please use pip package manager to update Ansible."
        exit 0
    #fi
    #if [[ `grep -qi ansible /etc/apt/sources.list` ]] || [ -f /etc/apt/sources.list.d/ansible*.list ]; then
    elif (grep -qi ansible /etc/apt/sources.list) || (ls /etc/apt/sources.list.d/*ansible*.list >/dev/null 2>&1) ; then
        #echo "Ansible repo(s) found within /etc/apt/sources.list*"
        echo -e 'CONSIDER MANUAL INTERVENTION:\nANSIBLE REPO(S) FOUND WITHIN /etc/apt/sources.list AND/OR /etc/apt/sources.list.d/*ansible*.list -- MUST CONTAIN LINE "deb http://ppa.launchpad.net/ansible/ansible-2.6/ubuntu xenial main" IF YOU WANT THE LATEST ANSIBLE 2.6.x -- AND REMOVE ALL SIMILAR LINES TO ENSURE ANSIBLE UPDATES CLEANLY -- then re-run this script.\n'
    else
        echo -e 'Upstream ansible source repo not found:\nPLEASE UNINSTALL ANSIBLE (run "apt purge ansible" or "pip uninstall ansible", depending how Ansible was originally installed) THEN RE-RUN THIS SCRIPT.'
        exit 1
    fi
 fi
 if [ ! -f /etc/centos-release ] && [ ! -f /etc/fedora-release ] && [ ! -f /etc/olpc-release ]; then
    # Align IIAB with Ansible community's latest official release
    echo "Using apt to check for updates, then install/upgrade ansible"
    apt update
    apt -y --allow-downgrades install ansible=2.6*
    # TEMPORARILY USE ANSIBLE 2.4.4 (REMOVE IT WITH "pip uninstall ansible")
    #pip install ansible==2.4.4
    # TEMPORARILY USE ANSIBLE 2.4.2 DUE TO 2.4.3 MEMORY BUG. DETAILS @ https://github.com/iiab/iiab/issues/669
    #echo "Install http://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb"
    #cd /tmp
    #wget http://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb
    #apt -y --allow-downgrades install ./ansible_2.4.2.0-1ppa~xenial_all.deb
 fi
 # needed?
 mkdir -p /etc/ansible/
 echo -e '[local]\nlocalhost\n' > /etc/ansible/hosts
--- a/scripts/calibre-install-latest-rpi-plus.sh
+++ b/scripts/calibre-install-latest-rpi-plus.sh
@ -0,0 +1,32 @@
 #!/bin/bash
 # Calibre 3.27.1 .deb's were released for Raspbian 2018-07-22 but requires
 # python-pyqt5 from debian testing, to overcome error:
 #
 #    The following packages have unmet dependencies:
 #    calibre : Depends: python-pyqt5 (>= 5.11.2+dfsg-1) but 5.10.1+dfsg-2+rpi1 is to be installed
 #
 # More details @ https://github.com/iiab/iiab/issues/948 and
 # https://www.mobileread.com/forums/showthread.php?p=3729117#post3729117
 # Thanks to Jerry Vonau (https://github.com/jvonau) who made this critical
 # breakthrough possible!
 #
 # SEE COMMENTS AT THE TOP OF scripts/calibre-install-packages.sh
 export DEBIAN_FRONTEND=noninteractive
 # Prepares to update from debian testing
 apt-key adv --recv-key --keyserver keyserver.ubuntu.com 7638D0442B90D010
 echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list.d/debian-testing.list
 apt update
 apt -y install python-pyqt5
 rm /etc/apt/sources.list.d/debian-testing.list
 # Prepares to update from raspbian testing
 echo "deb http://raspbian.raspberrypi.org/raspbian/ testing main" > /etc/apt/sources.list.d/rpi-testing.list
 apt update
 apt -y install calibre calibre-bin
 rm /etc/apt/sources.list.d/rpi-testing.list
 # Clears the cache of testing
 apt update
--- a/scripts/calibre-install-latest-rpi.sh
+++ b/scripts/calibre-install-latest-rpi.sh
@ -6,11 +6,12 @@
 # SEE COMMENTS AT THE TOP OF scripts/calibre-install-packages.sh
 export DEBIAN_FRONTEND=noninteractive
-# Prepares to update to latest from testing
+# Prepares to update to latest from raspbian testing
 echo "deb http://raspbian.raspberrypi.org/raspbian/ testing main" > /etc/apt/sources.list.d/rpi-testing.list
 apt update
 apt -y install calibre calibre-bin
-# Removes last line, safer than: rm /etc/apt/sources.list.d/rpi-testing.list
+## Removes last line, safer than: rm /etc/apt/sources.list.d/rpi-testing.list
-sed -i '$ d' /etc/apt/sources.list.d/rpi-testing.list
+#sed -i '$ d' /etc/apt/sources.list.d/rpi-testing.list
 rm /etc/apt/sources.list.d/rpi-testing.list
 # Clears the cache of testing
 apt update
--- a/scripts/calibre-install-latest.sh
+++ b/scripts/calibre-install-latest.sh
@ -8,12 +8,13 @@
 export DEBIAN_FRONTEND=noninteractive
 # Drags in stock desktop dependencies without too much from testing below
 apt -y install dirmngr
-# Prepares to update to latest from testing
+# Prepares to update to latest from debian testing
 apt-key adv --recv-key --keyserver keyserver.ubuntu.com 7638D0442B90D010
 echo "deb http://deb.debian.org/debian testing main" >> /etc/apt/sources.list.d/debian-testing.list
 apt update
 apt -y install libqt5core5a python-lxml calibre calibre-bin
-# Removes last line, safer than: rm /etc/apt/sources.list.d/debian-testing.list
+## Removes last line, safer than: rm /etc/apt/sources.list.d/debian-testing.list
-sed -i '$ d' /etc/apt/sources.list.d/debian-testing.list
+#sed -i '$ d' /etc/apt/sources.list.d/debian-testing.list
 rm /etc/apt/sources.list.d/debian-testing.list
 # Clears the cache of testing
 apt update
--- a/scripts/calibre-install-packages.sh
+++ b/scripts/calibre-install-packages.sh
@ -32,12 +32,12 @@
 #    https://github.com/iiab/iiab/pull/833    # WORKED ON RPI 3 AND RPI 3 B+ BUT...
 #    https://github.com/iiab/iiab/issues/835  # FAILED ON RPI ZERO W, possibly due to libc6 (IF ABOVE STEP 2 NOT RUN!)
-# FYI Calibre 3.26.0 is the latest available from testing as of 2018-06-21:
+# FYI Calibre 3.26.1 and 3.27.1 are the latest available from testing as of 2018-07-10:
 #
 #   http://raspbian.raspberrypi.org/raspbian/pool/main/c/calibre/
 #   http://archive.raspbian.org/raspbian/pool/main/c/calibre/
 #   https://packages.debian.org/search?keywords=calibre
-#   http://deb.debian.org/debian/pool/main/c/calibre/
+#   http://deb.debian.org/debian/pool/main/c/calibre/ ~= http://cdn-fastly.deb.debian.org/debian/pool/main/c/calibre/
 #
 # Might break future updates; you have been warned.
--- a/scripts/local_facts.fact
+++ b/scripts/local_facts.fact
@ -23,6 +23,7 @@ case $OS_VER in
    "fedora-22" | \
    "debian-8"  | \
    "debian-9"  | \
    "debian-10" | \
    "ubuntu-16" | \
    "ubuntu-17" | \
    "ubuntu-18" | \
--- a/vars/debian-10.yml
+++ b/vars/debian-10.yml
@ -0,0 +1,24 @@
 is_debuntu: True
 is_debian: True
 is_debian_10: True
 dns_service: bind9
 dhcp_service: isc-dhcp-server
 dns_user: bind
 proxy: squid
 proxy_user: proxy
 apache_service: apache2
 apache_config_dir: apache2/sites-available
 apache_user: www-data
 apache_log_dir: /var/log/apache2
 smb_service: smbd
 nmb_service: nmbd
 systemctl_program: /bin/systemctl
 mysql_service: mariadb
 apache_log: /var/log/apache2/access.log
 sshd_service: ssh
 php_version: 7.1
 postgresql_version: 10
 systemd_location: /lib/systemd/system
 # Upgrade OS's own Calibre to very latest:
 calibre_via_debs: True
 calibre_via_python: False
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -1,7 +1,7 @@
 # WARNING: DO NOT MODIFY THIS FILE.
 # CHANGES WILL BE LOST IF YOU DO A GIT PULL OR FETCH.
-# Instead put changes in local_vars.yml which is not tracked by git:
+# Instead put changes in your own /etc/iiab/local_vars.yml
-# http://wiki.iiab.io/local_vars.yml
+# See http://wiki.iiab.io/local_vars.yml to learn more!
 # By convention we use True/False to indicate boolean constants.
@ -22,6 +22,7 @@ download_timeout: 200
 # Configuration File(s)
 iiab_config_file: /etc/iiab/iiab.ini
 iiab_local_vars_file: /etc/iiab/local_vars.yml
 service_filelist: "{{ iiab_config_file }}"
 # The following variable may be useful in debugging
@ -52,8 +53,9 @@ local_tz: "{{ ansible_date_time.tz }}"
 # Read https://github.com/iiab/iiab/wiki/IIAB-Networking
 # Also readable offline @ http://box/info/IIAB-Networking.html
-# NETWORK PARAMETERS FOLLOW ACROSS THE NEXT 60 LINES, as enabled by Ansible's
+# NETWORK PARAMETERS FOLLOW ACROSS THE NEXT 65 LINES, as enabled by Ansible's
-# NETWORK role (/opt/iiab/iiab/roles/network/*) in 4-SERVER-OPTIONS.
+# NETWORK role (/opt/iiab/iiab/roles/network/*) in 4-SERVER-OPTIONS below.
 # SEE ALSO: /opt/iiab/iiab/roles/network/defaults/main.yml
 iiab_hostname: box
 iiab_domain: lan
@ -63,7 +65,7 @@ lan_netmask: 255.255.224.0
 # Internal Wi-Fi Access Point
 # Values are used if there is an internal Wi-Fi adapter and hostapd is enabled
 # The platform variable adapts install to specific hardware (raspberry pi=rpi2)
-# Raspbian req WiFi country since March 2018.  CHANGE IT IN vars/local_vars.yml
+# Raspbian req WiFi country since March 2018.  CHANGE IT IN /etc/iiab/local_vars.yml
 host_country_code: US
 host_ssid: "Internet in a Box"
 host_wifi_mode: g
@ -105,13 +107,20 @@ named_enabled: True
 block_DNS: False
 # dnsmasq
-dnsmasq_install: False
+dnsmasq_install: True
 dnsmasq_enabled: False
-# Captive Portal highly experimental as of June 2018: https://github.com/iiab/iiab/issues/608
+# Enable in local_vars.yml AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
 # For @tim-moody's Nodogsplash approach to Captive Portal?  High experimental as of June 2018: github.com/iiab/iiab/issues/608
 captive_portal_install: False
 captive_portal_enabled: False
 # Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
 py_captive_portal_install: True
 py_captive_portal_enabled: False
 # Squid
 squid_install: False
 squid_enabled: False
@ -158,8 +167,8 @@ schooltool_enabled: False
 # 3-BASE-SERVER
-# Needed if you want http://box/common/services/power_off.php to work
+# Make this False to disable http://box/common/services/power_off.php button:
-allow_apache_sudo: False
+allow_apache_sudo: True
 # roles/httpd runs here
@ -179,6 +188,7 @@ sshd_enabled: True
 # OpenVPN
 vpn_presence: xscenet.net
 openvpn_server_port: 1194
 openvpn_server_virtual_ip: 10.8.0.1
 openvpn_cron_enabled: False
 openvpn_install: True
 openvpn_enabled: False
@ -186,15 +196,15 @@ openvpn_enabled: False
 # roles/network runs here (MANY SETTINGS ABOVE)
 # Homepage
 # Default to the GUI where the selection is made or override in local_vars.yml
 iiab_home_url: /home
-# You can change iiab_home_url in local_vars.yml in order to get a different
+# You can change iiab_home_url in /etc/iiab/local_vars.yml to get a different
-# homepage.  For example one of the following: (assuming they are enabled)
+# homepage.  For example one of the following: (if its service is enabled!)
 # iiab_home_url: /home
 # iiab_home_url: /wordpress
-# iiab_home_url: /wiki - either dokuwiki or mediawiki
+# iiab_home_url: /wiki      # for dokuwiki
 # iiab_home_url: /mediawiki
 # PostgreSQL auto-installed by Moodle &/or Pathagar as nec, no need to touch!
 # roles/1-prep/tasks/computed_vars.yml, roles/4-server-options/tasks/main.yml
@ -295,14 +305,21 @@ wordpress_enabled: False
 # KA Lite
 kalite_install: True
 kalite_enabled: False
 kalite_server_port: 8008
 kalite_root: "/library/ka-lite"
 # Unused in 2018; but remain as placeholders for Fedora 18 legacy (XO laptops)
 kalite_cron_enabled: False
 kalite_user: kalite
 kalite_password_hash: $6$<salt>$KHET0XRRsgAY.wOWyTOI3W7dyDh0ESOr48uI5vtk2xdzsU7aw0TF4ZkNuM34RmHBGMJ1fTCmOyVobo0LOhBlJ/
 kalite_password: kalite
-kalite_server_name: kalite
+# Unused in 2018
-kalite_server_port: 8008
+# kalite_server_name: kalite
-kalite_enabled: False
+
-kalite_cron_enabled: False
+# Kolibri
 kolibri_install: False
 kolibri_enabled: False
 kolibri_http_port: 8009
 # Kiwix
 kiwix_install: True
@ -326,6 +343,8 @@ pathagar_install: False
 pathagar_enabled: False
 # Sugarizer
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
 sugarizer_install: True
 sugarizer_enabled: False
 sugarizer_port: 8089
@ -399,9 +418,10 @@ xovis_chart_heading: "My School: Usage Data Visualization"
 # wide to narrow
 is_debuntu: False
 is_ubuntu: False
 is_ubuntu_16: False
 is_ubuntu_18: False
 is_ubuntu_16: False
 is_debian: False
 is_debian_10: False
 is_debian_9: False
 is_debian_8: False
 is_rpi: False
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -1,4 +1,4 @@
-# This is local_vars_big.yml -- copy it to local_vars.yml then...
+# This is local_vars_big.yml -- copy it to /etc/iiab/local_vars.yml then...
 # Put variables herein to override /opt/iiab/iiab/vars/default_vars.yml
@ -39,8 +39,6 @@ host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
 dns_jail_enabled: False
 # Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or
 # 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables
 # within github.com/iiab/iiab/blob/master/roles/
@ -49,8 +47,16 @@ services_externally_visible: True
 # Make this True if client machines should have access to WAN/Internet:
 iiab_gateway_enabled: False
-# Make this False to disable http://box/common/services/power_off.php button:
+# dnsmasq
-allow_apache_sudo: True
+dnsmasq_install: True
 dnsmasq_enabled: False
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
 # Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
 py_captive_portal_install: True
 py_captive_portal_enabled: False
 # Stages 3 & 4 must be run (using iiab-install or runrole) if changing these:
 squid_install: True
@ -69,6 +75,9 @@ dansguardian_enabled: True
 # 3-BASE-SERVER
 # Make this False to disable http://box/common/services/power_off.php button:
 allow_apache_sudo: True
 # roles/mysql runs here (mandatory)
 # 4-SERVER-OPTIONS
@ -159,8 +168,12 @@ wordpress_enabled: True
 kalite_install: True
 kalite_enabled: True
 # Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops)
 kalite_cron_enabled: True
 kolibri_install: True
 kolibri_enabled: True
 kiwix_install: True
 kiwix_enabled: True
@ -177,11 +190,9 @@ pathagar_install: False
 pathagar_enabled: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
 sugarizer_install: True
 sugarizer_enabled: True
 # sugarizer_enabled is currently IGNORED as basic Sugarizer works w/o Journal!
 # https://github.com/iiab/iiab/issues/193 Subsequent "./runrole sugarizer" fail
 # https://github.com/iiab/iiab/issues/240 Sugarizer 0.8 to 0.9 ongoing issues
 # 8-MGMT-TOOLS
--- a/vars/local_vars_big_vpn.yml
+++ b/vars/local_vars_big_vpn.yml
@ -1,4 +1,4 @@
-# This is local_vars_big_vpn.yml -- copy it to local_vars.yml then...
+# This is local_vars_big_vpn.yml -- copy it to /etc/iiab/local_vars.yml then...
 # Put variables herein to override /opt/iiab/iiab/vars/default_vars.yml
@ -39,8 +39,6 @@ host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
 dns_jail_enabled: False
 # Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or
 # 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables
 # within github.com/iiab/iiab/blob/master/roles/
@ -49,8 +47,16 @@ services_externally_visible: True
 # Make this True if client machines should have access to WAN/Internet:
 iiab_gateway_enabled: False
-# Make this False to disable http://box/common/services/power_off.php button:
+# dnsmasq
-allow_apache_sudo: True
+dnsmasq_install: True
 dnsmasq_enabled: False
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
 # Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
 py_captive_portal_install: True
 py_captive_portal_enabled: False
 # Stages 3 & 4 must be run (using iiab-install or runrole) if changing these:
 squid_install: True
@ -69,6 +75,9 @@ dansguardian_enabled: True
 # 3-BASE-SERVER
 # Make this False to disable http://box/common/services/power_off.php button:
 allow_apache_sudo: True
 # roles/mysql runs here (mandatory)
 # 4-SERVER-OPTIONS
@ -159,8 +168,12 @@ wordpress_enabled: True
 kalite_install: True
 kalite_enabled: True
 # Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops)
 kalite_cron_enabled: True
 kolibri_install: True
 kolibri_enabled: True
 kiwix_install: True
 kiwix_enabled: True
@ -177,11 +190,9 @@ pathagar_install: False
 pathagar_enabled: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
 sugarizer_install: True
 sugarizer_enabled: True
 # sugarizer_enabled is currently IGNORED as basic Sugarizer works w/o Journal!
 # https://github.com/iiab/iiab/issues/193 Subsequent "./runrole sugarizer" fail
 # https://github.com/iiab/iiab/issues/240 Sugarizer 0.8 to 0.9 ongoing issues
 # 8-MGMT-TOOLS
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -1,4 +1,4 @@
-# This is local_vars_medium.yml -- copy it to local_vars.yml then...
+# This is local_vars_medium.yml -- copy it to /etc/iiab/local_vars.yml then...
 # Put variables herein to override /opt/iiab/iiab/vars/default_vars.yml
@ -39,8 +39,6 @@ host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
 dns_jail_enabled: False
 # Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or
 # 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables
 # within github.com/iiab/iiab/blob/master/roles/
@ -49,8 +47,16 @@ services_externally_visible: True
 # Make this True if client machines should have access to WAN/Internet:
 iiab_gateway_enabled: False
-# Make this False to disable http://box/common/services/power_off.php button:
+# dnsmasq
-allow_apache_sudo: True
+dnsmasq_install: True
 dnsmasq_enabled: False
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
 # Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
 py_captive_portal_install: True
 py_captive_portal_enabled: False
 # Stages 3 & 4 must be run (using iiab-install or runrole) if changing these:
 squid_install: False
@ -69,6 +75,9 @@ dansguardian_enabled: False
 # 3-BASE-SERVER
 # Make this False to disable http://box/common/services/power_off.php button:
 allow_apache_sudo: True
 # roles/mysql runs here (mandatory)
 # 4-SERVER-OPTIONS
@ -159,8 +168,12 @@ wordpress_enabled: True
 kalite_install: True
 kalite_enabled: True
 # Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops)
 kalite_cron_enabled: True
 kolibri_install: False
 kolibri_enabled: False
 kiwix_install: True
 kiwix_enabled: True
@ -177,11 +190,9 @@ pathagar_install: False
 pathagar_enabled: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
 sugarizer_install: True
 sugarizer_enabled: True
 # sugarizer_enabled is currently IGNORED as basic Sugarizer works w/o Journal!
 # https://github.com/iiab/iiab/issues/193 Subsequent "./runrole sugarizer" fail
 # https://github.com/iiab/iiab/issues/240 Sugarizer 0.8 to 0.9 ongoing issues
 # 8-MGMT-TOOLS
--- a/vars/local_vars_medium_vpn.yml
+++ b/vars/local_vars_medium_vpn.yml
@ -1,4 +1,4 @@
-# This is local_vars_medium_vpn.yml -- copy it to local_vars.yml then...
+# This is local_vars_medium_vpn.yml -- copy it to /etc/iiab/local_vars.yml then...
 # Put variables herein to override /opt/iiab/iiab/vars/default_vars.yml
@ -39,8 +39,6 @@ host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
 dns_jail_enabled: False
 # Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or
 # 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables
 # within github.com/iiab/iiab/blob/master/roles/
@ -49,8 +47,16 @@ services_externally_visible: True
 # Make this True if client machines should have access to WAN/Internet:
 iiab_gateway_enabled: False
-# Make this False to disable http://box/common/services/power_off.php button:
+# dnsmasq
-allow_apache_sudo: True
+dnsmasq_install: True
 dnsmasq_enabled: False
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
 # Simple python Captive Portal, that @m-anish & @jvonau are experimenting with in July 2018: github.com/iiab/iiab/pull/870
 py_captive_portal_install: True
 py_captive_portal_enabled: False
 # Stages 3 & 4 must be run (using iiab-install or runrole) if changing these:
 squid_install: False
@ -69,6 +75,9 @@ dansguardian_enabled: False
 # 3-BASE-SERVER
 # Make this False to disable http://box/common/services/power_off.php button:
 allow_apache_sudo: True
 # roles/mysql runs here (mandatory)
 # 4-SERVER-OPTIONS
@ -159,8 +168,12 @@ wordpress_enabled: True
 kalite_install: True
 kalite_enabled: True
 # Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops)
 kalite_cron_enabled: True
 kolibri_install: False
 kolibri_enabled: False
 kiwix_install: True
 kiwix_enabled: True
@ -177,11 +190,9 @@ pathagar_install: False
 pathagar_enabled: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
 sugarizer_install: True
 sugarizer_enabled: True
 # sugarizer_enabled is currently IGNORED as basic Sugarizer works w/o Journal!
 # https://github.com/iiab/iiab/issues/193 Subsequent "./runrole sugarizer" fail
 # https://github.com/iiab/iiab/issues/240 Sugarizer 0.8 to 0.9 ongoing issues
 # 8-MGMT-TOOLS
--- a/Show more
+++ b/Show more
`@ -1,4 +1,4 @@`
	`# Internet-in-a-Box (IIAB) [![Build Status](https://travis-ci.org/iiab/iiab.svg?branch=master)](https://travis-ci.org/iiab/iiab)`	`# Internet-in-a-Box (IIAB)`

	`Welcome to the Git repository of the Internet-in-a-Box (IIAB) project. This is a community-based project developed and supported by volunteers from around the world. The Internet-in-a-Box (IIAB) is small, inexpensive device which provides essential Internet resources (like Wikipedia, OpenStreetMap, Khan Academy and others) without any Internet connection. It provides a local content server of the world’s Free Knowledge.`	`Welcome to the Git repository of the Internet-in-a-Box (IIAB) project. This is a community-based project developed and supported by volunteers from around the world. The Internet-in-a-Box (IIAB) is small, inexpensive device which provides essential Internet resources (like Wikipedia, OpenStreetMap, Khan Academy and others) without any Internet connection. It provides a local content server of the world’s Free Knowledge.`