diff --git a/.travis.yml b/.travis.yml
index 83c627442..119893b55 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,27 +1,32 @@ ---- language: python -python: "2.7" +python: 3.8 # "3.8" also works +dist: focal -# Use the new container infrastructure -dist: trusty -sudo: false - -# Install ansible addons: apt: + sources: + - sourceline: ppa:ansible/ansible packages: - - python-pip +# - python-pip # @arky had used this starting in 2018 + - ansible-base # Install latest ansible-base e.g. 2.10.6+, similar to https://github.com/iiab/iiab/blob/master/scripts/ansible +# - python3-pymysql # These 7-or-8 packages are not needed during this very rapid --syntax-check +# - python3-psycopg2 +# - python3-passlib +# - python3-pip +# - python3-setuptools + - python3-packaging # To avoid warning "packaging Python module unavailable; unable to validate collection..." +# - python3-venv +# - virtualenv install: - # Install ansible - - pip install ansible - - # Create ansible.cfg with correct roles_path and local_tmp - - "{ echo '[defaults]'; echo 'roles_path = ./roles/'; } >> ansible.cfg" +# - scripts/ansible # See #2105: fails to install latest Ansible (& ~4 Ansible Collections from collections.yml) due to Travis VM's disk layout/perms being different +# - pip install ansible # SLOW/OVERWEIGHT: installs Ansible 3.0.0+ with ~80 Ansible Collections +# - pip install ansible-base # ALSO WORKS e.g. if the above addons: / apt: section is commented out. To install latest ansible-base e.g. 2.10.6+, similar to https://github.com/iiab/iiab/blob/master/scripts/ansible + - ansible-galaxy collection install -r collections.yml # Install ~4 Ansible Collections + - "{ echo 'roles_path = ./roles/'; } >> ansible.cfg" # Add correct roles_path to ansible.cfg, appending to https://github.com/iiab/iiab/blob/master/ansible.cfg +# - "{ echo '[defaults]'; echo 'roles_path = ./roles/'; } >> ansible.cfg" # 2021-02-24: suddenly no longer works, with the newer ansible-base install methods above (error arises due to '[defaults]' appearing twice) +# - cat ansible.cfg # UNCOMMENT TO VERIFY! 
+ - apt -a list ansible-base # VERIFY ansible-base VERSIONS OFFERED BY apt script: - # Basic role syntax check - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - -#notifications: -# webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/collections.yml b/collections.yml new file mode 100644 index 000000000..f65d3a552 --- /dev/null +++ b/collections.yml @@ -0,0 +1,14 @@ +# IIAB requires the Ansible Collections listed below. Explanations here: +# http://FAQ.IIAB.IO > "What is Ansible and what version should I use?" +# https://github.com/iiab/iiab/blob/master/scripts/ansible.md + +--- +collections: + - name: community.general + - name: community.mysql + - name: community.postgresql + - name: ansible.posix # 2020-11-28: For ~3 modules below... + +# selinux WAS in /opt/iiab/iiab/roles/1-prep/tasks/main.yml +# sysctl in /opt/iiab/iiab/roles/2-common/tasks/main.yml +# synchronize in /opt/iiab/iiab-admin-console/roles/js-menu/tasks/main.yml diff --git a/iiab-install b/iiab-install index 261893cf3..f4d45d05c 100755 --- a/iiab-install +++ b/iiab-install @@ -8,7 +8,7 @@ INVENTORY=ansible_hosts IIAB_STATE_FILE=/etc/iiab/iiab_state.yml ARGS="" CWD=`pwd` -OS=`grep ^ID= /etc/*release|cut -d= -f2` +OS=`grep ^ID= /etc/os-release | cut -d= -f2` OS=${OS//\"/} MIN_RPI_KERN=4.19.97 # If using Raspbian, 'rpi-update' should no longer be nec -- please use Raspbian 2020-02-13 or higher: https://github.com/iiab/iiab/issues/1993 MIN_ANSIBLE_VER=2.8.11 # Ansible 2.8.3 and 2.8.6 have serious bugs, preventing their use with IIAB. diff --git a/roles/0-init/tasks/main.yml b/roles/0-init/tasks/main.yml index 1ac502f7b..0a212c215 100644 --- a/roles/0-init/tasks/main.yml +++ b/roles/0-init/tasks/main.yml 
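Review bot: `python: 3.8` is left unquoted in the .travis.yml hunk, so a YAML parser reads it as a float rather than a version string. That happens to be harmless for 3.8, but the same line written for 3.10 would silently select 3.1. Write it as `python: "3.8"` and drop the trailing `# "3.8" also works` remark, since the quoted form is the safe one.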
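Review bot: The four entries in the new collections.yml carry no `version:`, so every `ansible-galaxy collection install -r collections.yml` run (CI and, presumably, device installs) takes whatever Galaxy currently serves as latest. The validate_vars.yml comment in this same commit already complains about undocumented collection dependency changes, which is the breakage that pinning prevents. Add a tested pin under each name, e.g. `version: "<TESTED_VERSION>"`, and bump the pins deliberately.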
@@ -137,8 +137,9 @@ value: "{{ ansible_memtotal_mb }}" - option: swap_mb value: "{{ ansible_swaptotal_mb }}" - - option: product_id - value: "{{ ansible_product_uuid }}" + # 2021-01-28: Non-existent var, so fails with ansible-base 2.10.5 (#2669) + #- option: product_id + # value: "{{ ansible_product_uuid }}" - option: gw_active value: "{{ gw_active }}" - option: internet_available diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml index 5c79cc537..25b0fda19 100644 --- a/roles/0-init/tasks/validate_vars.yml +++ b/roles/0-init/tasks/validate_vars.yml @@ -36,6 +36,11 @@ # 2020-07-08 - Excellent analysis & summary by Jon Spriggs: "In Ansible, # determine the type of a value, and casting those values to other types" # https://jon.sprig.gs/blog/post/1801 +# +# 2021-01-29 - ansible-base 2.10.5 (1) is more strict about empty string vars +# (2) no longer supports "when: myvar is boolean", "is integer" & "is float" +# (3) brings yet more "Ansible Collections" dependency changes (undocumented!) +# Details: https://github.com/iiab/iiab/pull/2672 (see also #2669) # 3. "How do i fail a task in Ansible if the variable contains a boolean value? # I want to perform input validation for Ansible playbooks" diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index 4cf2ba2cd..273aedc94 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -7,6 +7,7 @@ include_tasks: roles/network/tasks/dnsmasq.yml #when: dnsmasq_install # Flag might be used in future? + - name: Install uuid-runtime package (debuntu) package: name: @@ -37,13 +38,6 @@ set_fact: uuid: "{{ stored_uuid.stdout_lines[0] }}" -#- name: Does directory /ro exist? (indicating OS is Ubermix) -# stat: -# path: /ro -# register: ro_dir - -#- debug: -# var: ro_dir - name: Does 'ubermix' exist in /etc/lsb-release? shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors? 
@@ -52,9 +46,6 @@ #ignore_errors: True #check_mode: no -#- debug: -# var: grep_ubermix - - name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix copy: src: roles/1-prep/files/iiab.conf @@ -64,7 +55,6 @@ # mode: '0644' force: yes when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist - #when: ro_dir.stat.exists # 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml # This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-* @@ -75,6 +65,7 @@ shell: apt -y remove "libgeos-*" when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist + # Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml - name: SSHD include_role: @@ -91,6 +82,7 @@ name: openvpn when: openvpn_install + # Debian 10 "Buster" is apparently enabling AppArmor in 2019: # https://wiki.debian.org/AppArmor/Progress # https://wiki.debian.org/AppArmor/HowToUse @@ -98,6 +90,7 @@ # Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10 # pre-releases, during @floydianslips' March 2019 testing anyway! SEE #1387 +# PR #2654 - AppArmor works w/ IIAB on Debian 10/11, so also now on Ubuntu? #- name: Disable AppArmor -- override OS default (ubuntu) # systemd: # name: apparmor @@ -106,6 +99,7 @@ # when: is_ubuntu # ignore_errors: True +# PR #2648 - Can be restored in future if truly nec, w ansible.posix collection #- name: Disable SELinux on next boot (OS's other than debuntu) # selinux: # state: disabled @@ -116,8 +110,10 @@ # command: setenforce Permissive # when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed + ## DISCOVER PLATFORMS ###### # Put conditional actions for hardware platforms here + - include_tasks: raspberry_pi.yml when: first_run and rpi_model != "none" 
@@ -133,7 +129,8 @@ timeout: "{{ download_timeout }}" when: internet_available and usb_NUC6.stdout|int > 0 -# this script can be sourced to get IIAB location + +# This script can be sourced to get IIAB path/location - name: Recording STAGE 1 HAS COMPLETED ============================ template: src: roles/1-prep/templates/iiab.env.j2 diff --git a/roles/calibre-web/defaults/main.yml b/roles/calibre-web/defaults/main.yml index a57ecfcc7..903b3b6e5 100644 --- a/roles/calibre-web/defaults/main.yml +++ b/roles/calibre-web/defaults/main.yml @@ -14,7 +14,7 @@ # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -calibreweb_version: 0.6.9 # WAS: master, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8 +calibreweb_version: master # WAS: master, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9 calibreweb_venv_path: /usr/local/calibre-web-py3 calibreweb_exec_path: "{{ calibreweb_venv_path }}/cps.py" diff --git a/roles/calibre-web/tasks/install.yml b/roles/calibre-web/tasks/install.yml index 9f58f1383..b6411b7f4 100644 --- a/roles/calibre-web/tasks/install.yml +++ b/roles/calibre-web/tasks/install.yml @@ -13,13 +13,13 @@ line: ' ' state: present -- name: "Create 3 Calibre-Web folders to store data and config files: {{ calibreweb_home }}, {{ calibreweb_venv_path }}, {{ calibreweb_config }} (all set to {{ calibreweb_user }}:{{ apache_user }}, '0755')" +- name: "Create 3 Calibre-Web folders to store data and config files: {{ calibreweb_home }}, {{ calibreweb_venv_path }}, {{ calibreweb_config }} (all set to {{ calibreweb_user }}:{{ apache_user }})" file: state: directory path: "{{ item }}" owner: "{{ calibreweb_user }}" # root group: "{{ apache_user }}" # www-data on debuntu - mode: '0755' + #mode: '0755' with_items: - "{{ calibreweb_home }}" # /library/calibre-web - "{{ calibreweb_config }}" # /library/calibre-web/config 
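Review bot: `calibreweb_version: master` in roles/calibre-web/defaults/main.yml replaces a release tag with a moving branch, so each install fetches whatever is at the head of upstream at that moment. Installs are then not reproducible, and any upstream change, reviewed or not, lands directly on deployed boxes. Prefer a release tag or a commit hash. If master is needed temporarily, say why in the comment and when it should be re-pinned, e.g. `calibreweb_version: master  # TEMPORARY until <release> is tagged; re-pin afterwards`.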
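Review bot: Commenting out `mode: '0755'` in the "Create 3 Calibre-Web folders" task leaves the permissions of newly created directories to whatever umask is in effect when the play runs. The two later hunks of roles/calibre-web/tasks/install.yml (at -74 and -88) do the same for the copied `metadata.db` and config database by commenting out `mode: '0644'`. The result can differ between hosts and between first install and re-run, and the database in the config directory presumably holds the application's account data. Keep the modes explicit. If the intent is to stop Ansible resetting modes the application has changed, say so in a comment next to the setting, e.g. `# mode deliberately unmanaged: <reason>`.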
@@ -74,7 +74,7 @@ dest: "{{ calibreweb_home }}" # /library/calibre-web owner: "{{ calibreweb_user }}" # root group: "{{ apache_user }}" # www-data on debuntu - mode: '0644' + #mode: '0644' backup: yes with_items: - roles/calibre-web/files/metadata.db @@ -88,7 +88,7 @@ dest: "{{ calibreweb_config }}" # /library/calibre-web/config owner: "{{ calibreweb_user }}" # root group: "{{ apache_user }}" # www-data on debuntu - mode: '0644' + #mode: '0644' backup: yes when: not metadatadb.stat.exists #when: calibreweb_provision diff --git a/roles/elgg/defaults/main.yml b/roles/elgg/defaults/main.yml index f19bf3e29..66404ba00 100644 --- a/roles/elgg/defaults/main.yml +++ b/roles/elgg/defaults/main.yml @@ -8,7 +8,7 @@ # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! elgg_xx: elgg -elgg_version: 2.3.15 +elgg_version: 2.3.16 # elgg_mysql_password: defined in default_vars elgg_url: /elgg diff --git a/roles/firmware/tasks/main.yml b/roles/firmware/tasks/main.yml index 6b4a5c497..a199f2630 100644 --- a/roles/firmware/tasks/main.yml +++ b/roles/firmware/tasks/main.yml @@ -1,7 +1,7 @@ # Please set 'wifi_hotspot_capacity_rpi_fix: True' in /etc/iiab/local_vars.yml -# to restore support for 30-32 WiFi client devices on any Raspberry Pi that -# has internal WiFi. This installs firmware 7.45.18.0 for Zero W and RPi 3 -# and firmware 7.45.98.65 for RPi 3 B+ and RPi 4. Capacity testing writeup: +# to restore support for 30-32 WiFi client devices on most Raspberry Pis that +# have internal WiFi. This installs firmware 7.45.98.65 for Zero W and RPi 3 +# and firmware 7.45.18.0 for RPi 3 B+ and RPi 4. Capacity testing writeup: # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 - name: Install firmware (for RPi internal WiFi) diff --git a/roles/gitea/defaults/main.yml b/roles/gitea/defaults/main.yml index 8d1d9a9ac..877783476 100644 --- a/roles/gitea/defaults/main.yml +++ b/roles/gitea/defaults/main.yml 
@@ -9,7 +9,7 @@ # Info needed to install Gitea: -gitea_version: 1.12.6 +gitea_version: 1.13 # 2021-03-07: Had been fine-grained, e.g. 1.13.4 iset_suffixes: i386: 386 x86_64: amd64 diff --git a/roles/kalite/README.rst b/roles/kalite/README.rst index 354017eb8..6a121db67 100644 --- a/roles/kalite/README.rst +++ b/roles/kalite/README.rst @@ -7,7 +7,7 @@ This role installs KA Lite, an offline version of Khan Academy (https://www.khan KA Lite downloads Khan Academy videos to your Internet-in-a-Box for offline use, with exercises and accounts if students want to track their own progress. -[Originally KA Lite had two servers, a light httpd server that serves Khan Academy videos, and a cron server that sets up cron jobs to download language packs and KA videos from the internet. There were separate flags to enable these two servers.] +[Originally KA Lite had two servers, a light httpd server that served Khan Academy videos, and a cron server that set up cron jobs to download language packs and KA videos from the internet. There were separate flags to enable these two servers.] Using It -------- @@ -36,11 +36,13 @@ Look at `role/kalite/defaults/main.yml `_ *is a wrapper to this virtualenv*. **Consequently, the following steps are no longer needed:** + Starting with KA Lite 0.15 (October 2015) you could run the server manually with the following commands: * systemctl stop kalite-serve (make sure the systemd service is not running) * export KALITE_HOME=/library/ka-lite (point kalite to the right environment) -* kalite start (start the server; can take more than 10 minutes in some environments) +* kalite start (start the server; took several minutes on older environments) To return to using the systemd unit: 
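Review bot: `gitea_version: 1.13` is an unquoted scalar, so YAML loads it as the float 1.13 rather than a string. A later bump written the same way to `1.20` would be read as `1.2` and build the wrong download name. Quote it, `gitea_version: "1.13"`, as the old three-part value never needed because it could not parse as a number.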
@@ -48,8 +50,6 @@ To return to using the systemd unit: * kalite stop * systemctl start kalite-serve -*In late 2017, Internet-in-a-Box added a virtual environment (/usr/local/kalite/venv/) to keep KA Lite's Python package/dependency risks under control. As such the command* `/usr/bin/kalite `_ *is a wrapper to this virtualenv.* - More Tips & Tricks ------------------ diff --git a/roles/kalite/tasks/install.yml b/roles/kalite/tasks/install.yml index 6960f73fd..16a9a1341 100644 --- a/roles/kalite/tasks/install.yml +++ b/roles/kalite/tasks/install.yml @@ -5,7 +5,7 @@ timeout: "{{ download_timeout }}" when: internet_available -# 2020-01-19: https://github.com/piwheels/packages/issues/74 says the following is not longer needed... +# 2020-01-19: https://github.com/piwheels/packages/issues/74 says the following is no longer needed... #- name: Run 'mv /etc/pip.conf /etc/pip.conf.see-iiab-issue-2139' as "TEMPORARY" workaround (2020-01-17) for piwheels.org's setuptools Python 2/3 brokenness on RPi (https://github.com/iiab/iiab/issues/2139) # command: mv /etc/pip.conf /etc/pip.conf.see-iiab-issue-2139 # ignore_errors: yes @@ -14,16 +14,15 @@ - name: Install python2, if Raspbian/Debian > 10 or Ubuntu > 19 package: name: - - python2 - - python-setuptools # provides setuptools-44 last version compatible with python2 + - python2 + - python-setuptools # provides setuptools-44 last version compatible with python2 state: present when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19) # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already. - name: Use pip to pin setuptools to 44 in {{ kalite_venv }} if Raspbian/Debian > 10 or Ubuntu > 19 pip: - name: - - setuptools==44 + name: setuptools==44 virtualenv: "{{ kalite_venv }}" # /usr/local/kalite/venv virtualenv_site_packages: no virtualenv_command: /usr/bin/virtualenv 
@@ -32,7 +31,7 @@ when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19) # long form of (is_debian_11+ or is_ubuntu_20+) -- name: Use pip to install KA Lite static to {{ kalite_venv }} +- name: Use pip to install ka-lite-static to {{ kalite_venv }} pip: name: ka-lite-static version: "{{ kalite_version }}" @@ -43,7 +42,7 @@ extra_args: "--no-cache-dir" when: internet_available -- name: "Install from templates: venv wrapper /usr/bin/kalite, systemd unit file kalite-serve.service" +- name: "Install from templates: venv wrapper /usr/bin/kalite, unit file /etc/systemd/system/kalite-serve.service" template: src: "{{ item.src }}" dest: "{{ item.dest }}" @@ -52,13 +51,15 @@ - { src: 'kalite.sh.j2', dest: '/usr/bin/kalite', mode: '0755' } - { src: 'kalite-serve.service.j2', dest: '/etc/systemd/system/kalite-serve.service', mode: '0644' } -- name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf" +# Useless stanza, for 2 reasons: (1) http://box/kalite was never made to work +# (2) /etc/apache2/sites-available does not exist on many IIAB's w/o Apache +- name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)" template: src: kalite.conf dest: "/etc/{{ apache_conf_dir }}" # apache2/sites-available on debuntu when: apache_installed is defined -- name: Fix KA Lite bug in regex parsing ifconfig output, for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20 +- name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20 replace: path: /usr/local/kalite/venv/local/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py regexp: 'a-zA-Z0-9' 
@@ -66,21 +67,21 @@ when: is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19 # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already. -- name: Fix KA Lite bug in regex parsing ifconfig output, for @m-anish's network names that contain dashes, if Raspbian/Debian > 10 or Ubuntu > 19 +- name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian > 10 or Ubuntu > 19 replace: path: /usr/local/kalite/venv/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py regexp: 'a-zA-Z0-9' replace: 'a-zA-Z0-9\-' when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19) # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already. - # JV why not just is_ubuntu_20? + # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RaspiOS 11+ too? - name: Create dir {{ kalite_root }} file: state: directory path: "{{ kalite_root }}/httpsrv/static" # /library/ka-lite -- name: Run 'kalite manage setup ...' +- name: Run '{{ kalite_program }} manage setup ...' command: "{{ kalite_program }} manage setup --username={{ kalite_admin_user }} --password={{ kalite_admin_password }} --noinput" # Runs /usr/local/kalite/venv/bin/kalite environment: KALITE_HOME: "{{ kalite_root }}" # /library/ka-lite diff --git a/roles/mediawiki/defaults/main.yml b/roles/mediawiki/defaults/main.yml index 6f9827e61..75954c71d 100644 --- a/roles/mediawiki/defaults/main.yml +++ b/roles/mediawiki/defaults/main.yml 
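Review bot: The task renamed in the last hunk of roles/kalite/tasks/install.yml still passes `--password={{ kalite_admin_password }}` on the `command:` line. The admin password is therefore visible in the process list while setup runs, and in Ansible's output whenever the task is shown verbosely or fails. Add `no_log: true` to this task. The task body continues past the end of the hunk, so confirm it is not already set there. If `manage setup` can take the password from the environment or stdin, that would be preferable to an argument.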
@@ -5,7 +5,7 @@ # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! mediawiki_major_version: 1.35 # "1.35" also works -mediawiki_minor_version: 0 +mediawiki_minor_version: 1 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}" mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}" diff --git a/roles/moodle/defaults/main.yml b/roles/moodle/defaults/main.yml index d3163b3d5..ab16dea1b 100644 --- a/roles/moodle/defaults/main.yml +++ b/roles/moodle/defaults/main.yml @@ -7,10 +7,9 @@ # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -moodle_version: 39 +moodle_version: 310 moodle_repo_url: https://github.com/moodle/moodle.git #moodle_repo_url: git://git.moodle.org/moodle.git # 2020-10-16: VERY Slow! moodle_base: "{{ iiab_base }}/moodle" # /opt/iiab -#moodle_user: moodle -moodle_data: "{{ content_base }}/moodle" # /library/moodle +moodle_data: "{{ content_base }}/moodle" # /library moodle_database_name: moodle diff --git a/roles/moodle/tasks/apache.yml b/roles/moodle/tasks/apache.yml index b0a59d6df..b990f25a8 100644 --- a/roles/moodle/tasks/apache.yml +++ b/roles/moodle/tasks/apache.yml @@ -1,8 +1,8 @@ -- name: Enable http://box/moodle via Apache +- name: 'Enable http://box/moodle via Apache: create link /etc/apache2/sites-enabled/022-moodle.conf' command: a2ensite 022-moodle.conf when: moodle_enabled -- name: Disable http://box/moodle via Apache +- name: 'Disable http://box/moodle via Apache: remove link /etc/apache2/sites-enabled/022-moodle.conf' command: a2dissite 022-moodle.conf when: not moodle_enabled diff --git a/roles/moodle/tasks/install.yml b/roles/moodle/tasks/install.yml index f28594d10..f15289ce1 100644 --- a/roles/moodle/tasks/install.yml +++ b/roles/moodle/tasks/install.yml 
@@ -18,42 +18,26 @@ name: postgresql -# - name: "Install packages: python-psycopg2, php-pgsql (OS's other than debuntu)" -# package: -# name: -# - python-psycopg2 -# - php-pgsql -# state: present -# when: not is_debuntu - -- name: Install 4 php packages (debuntu) +- name: Install 8 php packages (debuntu) package: name: - php{{ php_version }}-pgsql - php{{ php_version }}-curl - php{{ php_version }}-zip - php{{ php_version }}-gd - - php{{ php_version }}-mbstring # 2020-06-15: Now required by Moodle 3.9+ - - php{{ php_version }}-cli # 2020-06-15: In the past this included (above) mbstring? However this is not true on Ubuntu Server 20.04 LTS. + - php{{ php_version }}-mbstring # 2020-06-15: Required by Moodle 3.9+ + - php{{ php_version }}-cli # 2020-06-15: In the past this included (above) mbstring? However this is not true on Ubuntu Server 20.04 LTS. + - php{{ php_version }}-intl # 2020-12-03: Required by Moodle 3.10+ + - php{{ php_version }}-soap # 2020-12-03: Recommended by Moodle 3.10+ state: present when: is_debuntu -# - name: "Install package: php{{ php_version }}-zip (Ubuntu or Debian 9+)" -# package: -# name: "php{{ php_version }}-zip" -# when: is_ubuntu or (is_debian and not is_debian_8) - -# - name: "Install package: php-pclzip (debian-8)" -# package: -# name: php-pclzip -# when: is_debian_8 - - name: Does {{ moodle_base }}/config-dist.php exist? (indicating Moodle is/was installed) stat: - path: "{{ moodle_base }}/config-dist.php" + path: "{{ moodle_base }}/config-dist.php" # /opt/iiab/moodle register: moodle -- name: Clone (i.e. use git to download) {{ moodle_repo_url }} to {{ moodle_base }} +- name: Clone (i.e. use git to download) {{ moodle_repo_url }} to {{ moodle_base }} (~300 MB) git: repo: "{{ moodle_repo_url }}" dest: "{{ moodle_base }}" 
@@ -68,37 +52,36 @@ file: state: directory path: "{{ moodle_base }}" - owner: "{{ apache_user }}" + owner: "{{ apache_user }}" # www-data recurse: yes - name: Create dir {{ content_base }}/dbdata/moodle owned by {{ apache_user }} file: state: directory - path: "{{ content_base }}/dbdata/moodle" + path: "{{ content_base }}/dbdata/moodle" # /library owner: "{{ apache_user }}" - # mode: '0755' -- name: Create dir {{ moodle_data }} ({{ apache_user }}:{{ apache_user }}, '0770') # /library/moodle +- name: Create dir {{ moodle_data }} ({{ apache_user }}:{{ apache_user }}, '0770') file: state: directory - path: "{{ moodle_data }}" + path: "{{ moodle_data }}" # /library/moodle owner: "{{ apache_user }}" group: "{{ apache_user }}" - mode: '0770' + #mode: '0770' # Regardless, permissions end up as: drwxrwsrwx - name: Remove stock /etc/{{ apache_conf_dir }}/moodle.conf file: - path: "/etc/{{ apache_conf_dir }}/moodle.conf" + path: "/etc/{{ apache_conf_dir }}/moodle.conf" # apache2/sites-available state: absent +# 2021-02-01: Not nec if we can hopefully migrate from Apache to NGINX soon! - name: Install /etc/{{ apache_conf_dir }}/022-moodle.conf from template template: src: 022-moodle.j2 dest: "/etc/{{ apache_conf_dir }}/022-moodle.conf" - # owner: root - # group: root - # mode: '0644' +# roles/postgresql/templates/postgresql-iiab.service WAS INSTALLED HERE: +# /etc/systemd/system/postgresql-iiab.service - name: Start 'postgresql-iiab' systemd service, to configure Moodle's DB systemd: name: postgresql-iiab @@ -134,8 +117,7 @@ systemd: name: postgresql-iiab state: restarted - #enabled: yes - #when: moodle_enabled + #enabled: yes # Service ends up enabled regardless - name: (Re)Start '{{ apache_service }}' systemd service systemd: 
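Review bot: The comment added beside the now-disabled `#mode: '0770'` records that `{{ moodle_data }}` ends up as `drwxrwsrwx`, which means world-writable, and the hunk accepts that outcome instead of correcting it. This directory holds Moodle's uploaded files and other site data, so any local account or other service on the box can modify it. The task name still advertises `'0770'`, which no longer matches. The wide mode likely comes from Moodle's own `$CFG->directorypermissions` setting rather than from this task, so the fix probably belongs in the generated config.php; please confirm. Otherwise restore an explicit mode here, e.g. `mode: '2770'`, and update the task name to whatever is actually enforced.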
@@ -151,11 +133,12 @@ shell: "{{ moodle_base }}/moodle_installer" when: config.stat.exists is defined and not config.stat.exists -- name: Make {{ moodle_base }}/config.php readable, with permission '0644' - #command: chown -R {{ apache_user }} {{ moodle_base }} - file: - path: "{{ moodle_base }}/config.php" # /opt/iiab/moodle - mode: '0644' +# 2021-02-01: Let's stick with Moodle's default (640) +#- name: Make {{ moodle_base }}/config.php readable, with permission '0644' +# #command: chown -R {{ apache_user }} {{ moodle_base }} +# file: +# path: "{{ moodle_base }}/config.php" # /opt/iiab/moodle +# mode: '0644' # RECORD Moodle AS INSTALLED diff --git a/roles/moodle/tasks/main.yml b/roles/moodle/tasks/main.yml index 3189b590c..701dc3210 100644 --- a/roles/moodle/tasks/main.yml +++ b/roles/moodle/tasks/main.yml @@ -24,27 +24,10 @@ when: moodle_installed is undefined -# - name: Enable 'postgresql-iiab' systemd service, if moodle_enabled -# systemd: -# name: postgresql-iiab -# deamon_reload: yes -# state: started -# enabled: yes -# when: moodle_enabled -# -# # if the only service using the backend db disable if not running -# - name: Disable 'postgresql-iiab' systemd service, if 'not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)' -# systemd: -# name: postgresql-iiab -# state: stopped -# enabled: no -# when: not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled) - -- name: "Set 'postgresql_install: True' and 'postgresql_enabled: True' if moodle_enabled" +- name: "Set 'postgresql_install: True' and 'postgresql_enabled: True'" set_fact: postgresql_install: True - postgresql_enabled: True - when: moodle_enabled + postgresql_enabled: True # Revert just below if... - name: "Set 'postgresql_enabled: False' if 'not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)'" set_fact: 
@@ -56,14 +39,11 @@ name: postgresql -#- name: Enable/Disable/Restart Apache if primary - name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache include_tasks: apache.yml - #when: not nginx_enabled -- name: Enable/Disable/Restart NGINX if primary +- name: Enable/Disable/Restart NGINX include_tasks: nginx.yml - when: nginx_enabled - name: Add 'moodle' variable values to {{ iiab_ini_file }} @@ -77,7 +57,7 @@ value: Moodle - option: description value: '"Access the Moodle learning management system."' - - option: "moodle_base" + - option: moodle_base value: "{{ moodle_base }}" - option: moodle_enabled value: "{{ moodle_enabled }}" diff --git a/roles/network/README.rst b/roles/network/README.rst index 7c8225078..89b446b89 100644 --- a/roles/network/README.rst +++ b/roles/network/README.rst @@ -12,7 +12,7 @@ Specifically, this 'network' role is run... Many IIAB networking questions can be answered in these 2 documents: -- `IIAB Networking `_ is a high-level summary, that reviews IIAB's 3 modes of operation distinguishing WAN from LAN, `common ports `_, DNS name resolution and some common customizations. +- `IIAB Networking `_ is a high-level summary, that reviews IIAB's 3 modes of operation distinguishing WAN from LAN, `common ports `_, DNS name resolution and some common customizations. - http://FAQ.IIAB.IO includes answers to common questions like: - What is local_vars.yml and how do I customize it? diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml index 186eb08c5..93e416cad 100644 --- a/roles/network/defaults/main.yml +++ b/roles/network/defaults/main.yml @@ -17,7 +17,7 @@ # Wi-Fi - IF NECESSARY, CUSTOMIZE THESE 6 VARIABLES IN /etc/iiab/local_vars.yml # host_country_code: US -# host_ssid: "Internet in a Box" +# host_ssid: Internet in a Box # host_wifi_mode: g # host_channel: 6 # hostapd_secure: False 
@@ -53,28 +53,28 @@ wireless_lan_present: False strict_networking: False iiab_demo_mode: False gui_static_wan: False -wan_cidr: +wan_cidr: "" virtual_network_devices: "-e ap0 -e lo -e br0 -e tun -e br- -e docker -e bridge0 -e veth" # Set defaults for discovery process as strings wifi1: "not found-1" wifi2: "not found-2" -exclude_devices: "none" -device_gw: "none" -prior_gw_device: "" +exclude_devices: none +device_gw: none +prior_gw_device: unset -iiab_wan_iface: "none" -iiab_lan_iface: "none" -discovered_lan_iface: "none" -discovered_wired_iface: "none" -discovered_wireless_iface: "none" +iiab_wan_iface: none +iiab_lan_iface: none +discovered_lan_iface: none +discovered_wired_iface: none +discovered_wireless_iface: none # Red Hat #iiab_wired_lan_iface: "none" #iiab_wireless_lan_iface: "none" has_WAN: False -has_ifcfg_gw: "none" -has_wifi_gw: "none" +has_ifcfg_gw: none +has_wifi_gw: none # Debian dhcpcd_result: "" @@ -83,10 +83,10 @@ network_manager_active: False systemd_networkd_active: False # The values here are default local variables -gui_wan_iface: "unset" -gui_static_wan_ip: "unset" -wondershaper_dspeed: "4096" -wondershaper_upspeed: "1024" +gui_wan_iface: unset +gui_static_wan_ip: unset +wondershaper_dspeed: 4096 +wondershaper_upspeed: 1024 # netplan fix_dispatcher: True @@ -103,9 +103,9 @@ fix_dispatcher: True # captive_portal_install: False # captive_portal_enabled: False # Above 2 vars set in /etc/iiab/local_vars.yml -# captive_portal_port: "9090" +# captive_portal_port: 9090 # Above var set in /opt/iiab/iiab/vars/default_vars.yml -py_captive_portal_port: "9090" -py_captive_portal_username: "Admin" -py_captive_portal_password: "changeme" +py_captive_portal_port: 9090 +py_captive_portal_username: Admin +py_captive_portal_password: changeme # In a pinch, disable it by running: systemctl disable captive-portal diff --git a/roles/network/templates/hostapd/50-hostapd b/roles/network/templates/hostapd/50-hostapd index cf37bb8f9..37a363b72 100644 
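Review bot: `py_captive_portal_username: Admin` and `py_captive_portal_password: changeme` remain a published default credential in roles/network/defaults/main.yml; this hunk only removes the quotes. Consider adding a comment that directs operators to override both in /etc/iiab/local_vars.yml, or have the role fail when the password is still `changeme` and the captive portal is enabled. Separately, `py_captive_portal_port: 9090`, `wondershaper_dspeed: 4096` and `wondershaper_upspeed: 1024` now load as integers where they were strings before, so any template or `when:` test that compares them to a quoted value should be rechecked.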
--- a/roles/network/templates/hostapd/50-hostapd +++ b/roles/network/templates/hostapd/50-hostapd @@ -1,6 +1,6 @@ if [ "$interface" = "br0" ] && [ $if_up = "true" ]; then - syslog info "50-iiab IF_UP br0 restarting dnsmasq" - sleep 2 + syslog info "50-iiab IF_UP br0 restarting dnsmasq - kicking ap0" + ip link set ap0 up systemctl --no-block restart dnsmasq fi diff --git a/roles/nextcloud/tasks/install.yml b/roles/nextcloud/tasks/install.yml index 665ede20c..0dafb198c 100644 --- a/roles/nextcloud/tasks/install.yml +++ b/roles/nextcloud/tasks/install.yml @@ -41,15 +41,16 @@ # https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation -- name: Install ffmpeg + libxml2 + 12 php packages +- name: Install ffmpeg + libxml2 + 13 php packages package: name: #- dnsutils # NOT REQUESTED by Nextcloud - ffmpeg # Optional (for preview generation) - libxml2 # php-libxml requires libxml2 >= 2.7.0 #- libapache2-mod-php # 2020-02-15: NO LONGER NEEDED? + - php{{ php_version }}-bcmath # Highly recommended by Nextcloud 21 for "improved performance and better compatibility" - php{{ php_version }}-bz2 # Optional (for extraction of apps) - - php{{ php_version }}-cli # Like optional? @jvonau says this drags in php{{ php_version }}-common as @m-anish wanted in PR #2119 / #2258 + - php{{ php_version }}-cli # Likely optional? @jvonau says this drags in php{{ php_version }}-common as @m-anish wanted in PR #2119 / #2258 - php{{ php_version }}-curl - php{{ php_version }}-gd - php{{ php_version }}-gmp # Optional (for SFTP storage) 
@@ -91,13 +92,13 @@ state: directory path: "{{ nextcloud_root_dir }}" # /library/www/nextcloud -- name: Unarchive {{ nextcloud_dl_url }} to {{ nextcloud_root_dir }} ({{ apache_user }}:{{ apache_user }}) +- name: Unarchive {{ nextcloud_dl_url }} (100+ MB) to {{ nextcloud_root_dir }} (400+ MB, {{ apache_user }}:{{ apache_user }}) unarchive: - remote_src: yes + remote_src: yes # Overwrite even if "already exists on the target" src: "{{ nextcloud_dl_url }}" #dest: "{{ nextcloud_base_dir }}" # /library/www dest: "{{ nextcloud_root_dir }}" # /library/www/nextcloud - owner: "{{ apache_user }}" # apache2 on debuntu + owner: "{{ apache_user }}" # www-data on debuntu group: "{{ apache_user }}" extra_opts: --strip-components=1 # Or use 'dest: /library/www' above when: internet_available diff --git a/roles/nextcloud/tasks/setup.yml b/roles/nextcloud/tasks/setup.yml index 73b52e0cc..5619beabb 100644 --- a/roles/nextcloud/tasks/setup.yml +++ b/roles/nextcloud/tasks/setup.yml @@ -19,7 +19,7 @@ file: state: directory path: "{{ nextcloud_data_dir }}" # /library/www/nextcloud/data - owner: "{{ apache_user }}" + owner: "{{ apache_user }}" # www-data on debuntu group: "{{ apache_user }}" # 1 of 3: Very Old Way... from OwnCloud days diff --git a/roles/phpmyadmin/defaults/main.yml b/roles/phpmyadmin/defaults/main.yml index 359673189..9cfea8dfc 100644 --- a/roles/phpmyadmin/defaults/main.yml +++ b/roles/phpmyadmin/defaults/main.yml 
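Review bot: The comment added to `remote_src: yes` in the Nextcloud "Unarchive" task says `Overwrite even if "already exists on the target"`, but `remote_src` does not control overwriting. It tells the unarchive module that `src` is already on the managed host, or is a URL to fetch there, instead of a file on the controller. Something like `remote_src: yes  # src is a URL, fetched on the target itself` would be accurate. The same comment is added to the phpMyAdmin unarchive task later in this commit. The archive is also unpacked into the web root straight from `{{ nextcloud_dl_url }}`, with no integrity check visible in this hunk. The unarchive module has no checksum option, so verifying the download means fetching it first with `get_url` and its `checksum:` parameter.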
@@ -4,7 +4,6 @@ # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing! -phpmyadmin_version: 5.0.4 +phpmyadmin_version: 5.1.0 phpmyadmin_name: "phpMyAdmin-{{ phpmyadmin_version }}-all-languages" -phpmyadmin_name_zip: "{{ phpmyadmin_name }}.zip" -phpmyadmin_dl_url: "https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/{{ phpmyadmin_name_zip }}" +phpmyadmin_dl_url: "https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/{{ phpmyadmin_name }}.tar.xz" diff --git a/roles/phpmyadmin/tasks/install.yml b/roles/phpmyadmin/tasks/install.yml index 5c2bbc567..9b8cf357c 100644 --- a/roles/phpmyadmin/tasks/install.yml +++ b/roles/phpmyadmin/tasks/install.yml 
@@ -8,58 +8,36 @@ name: httpd -- name: Download {{ phpmyadmin_dl_url }} to {{ downloads_dir }} - get_url: - url: "{{ phpmyadmin_dl_url }}" # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.0.4/phpMyAdmin-5.0.4-all-languages.zip - dest: "{{ downloads_dir }}" # /opt/iiab/downloads - timeout: "{{ download_timeout }}" # 200 - when: internet_available - -- name: Does {{ downloads_dir }}/{{ phpmyadmin_name_zip }} exist? - stat: - path: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}" # e.g. /opt/iiab/downloads/phpMyAdmin-5.0.4-all-languages.zip - register: phpmyadmin_dl - -- name: FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ phpmyadmin_name_zip }} doesn't exist - fail: - msg: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }} is REQUIRED in order to install phpMyAdmin." - when: not phpmyadmin_dl.stat.exists - -- name: Unzip to permanent location /opt/{{ phpmyadmin_name }}, owned by {{ apache_user }}:root # e.g. /opt/phpMyAdmin-5.0.4-all-languages, owned by www-data:root +- name: Unarchive {{ phpmyadmin_dl_url }} (7+ MB) to /opt (60+ MB) unarchive: - src: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}" + remote_src: yes # Overwrite even if "already exists on the target" + src: "{{ phpmyadmin_dl_url }}" # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-all-languages.tar.xv dest: /opt - owner: "{{ apache_user }}" + owner: "{{ apache_user }}" # www-data on debuntu + group: "{{ apache_user }}" + #timeout: "{{ download_timeout }}" # Use get_url if timeout (200s) required + when: internet_available - name: Symlink /opt/phpmyadmin -> {{ phpmyadmin_name }} file: src: "{{ phpmyadmin_name }}" path: /opt/phpmyadmin - owner: "{{ apache_user }}" # Some Linux's ignore symlink owners? 
+ #owner: "{{ apache_user }}" # Generally not used by Linux + #group: "{{ apache_user }}" # Generally not used by Linux state: link -- name: Install /opt/phpmyadmin/config.inc.php owned by {{ apache_user }}:root, from template +- name: Install /opt/phpmyadmin/config.inc.php owned by {{ apache_user }}:{{ apache_user }}, from template template: src: config.inc.php dest: /opt/phpmyadmin/config.inc.php owner: "{{ apache_user }}" + group: "{{ apache_user }}" -# Above 3 stanzas set link/tree/contents ownership to {{ apache_user }}:root -# OOPS: CHOWN BELOW CHANGED LINK ALONE (TREE/CONTENTS REMAINED root:root) - -# - name: Change the owner of the PHP tree to Apache -# shell: "chown -R {{ apache_user }} /opt/phpmyadmin" -# #file: -# # path: "/opt/{{ phpmyadmin_name_zip }}" -# # owner: "{{ apache_user }}" -# # recurse: yes -# # state: directory - -- name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template, if phpmyadmin_enabled +- name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template template: src: phpmyadmin.j2 dest: "/etc/{{ apache_conf_dir }}/phpmyadmin.conf" - when: apache_installed is defined + #when: apache_installed is defined # RECORD phpMyAdmin AS INSTALLED diff --git a/roles/transmission/README.rst b/roles/transmission/README.rst index b61385d5d..e9e2952dd 100644 --- a/roles/transmission/README.rst +++ b/roles/transmission/README.rst @@ -1,3 +1,14 @@ +.. |ss| raw:: html + + + +.. |se| raw:: html + + + +.. |nbsp| unicode:: 0xA0 + :trim: + =================== Transmission README =================== 
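Review bot: Nothing verifies the phpMyAdmin archive before it is unpacked into /opt: `unarchive` with a URL `src` has no checksum option, so the tree Apache later serves is trusted on TLS alone, and the commented-out `timeout` is lost for the same reason. Keeping a `get_url` step with `checksum:` (pinned next to `phpmyadmin_version`) and unarchiving the local file restores both. The tree and config.inc.php are now owned `{{ apache_user }}:{{ apache_user }}` with no `mode:`, so anything running as the web server user can rewrite phpMyAdmin's code and config; root ownership with group read and `mode: '0640'` on config.inc.php would be tighter, assuming phpMyAdmin needs no write access outside its temp directory. With `internet_available` false the unarchive is skipped, and with the FAIL task removed the symlink and template tasks will presumably fail with a less helpful message. The example URL in the `src` comment ends in `.tar.xv` and should read `.tar.xz`.

```yaml
- name: Download {{ phpmyadmin_dl_url }} to {{ downloads_dir }}, verifying its SHA-256
  get_url:
    url: "{{ phpmyadmin_dl_url }}"
    dest: "{{ downloads_dir }}/{{ phpmyadmin_name }}.tar.xz"
    checksum: "sha256:{{ phpmyadmin_sha256 }}"    # placeholder var: pin per release in defaults/main.yml
    timeout: "{{ download_timeout }}"
  when: internet_available

- name: Unarchive {{ downloads_dir }}/{{ phpmyadmin_name }}.tar.xz to /opt
  unarchive:
    remote_src: yes    # archive is already on the target
    src: "{{ downloads_dir }}/{{ phpmyadmin_name }}.tar.xz"
    dest: /opt
    owner: root
    group: "{{ apache_user }}"

# … unchanged: symlink /opt/phpmyadmin -> {{ phpmyadmin_name }} …

- name: Install /opt/phpmyadmin/config.inc.php owned by root:{{ apache_user }}, from template
  template:
    src: config.inc.php
    dest: /opt/phpmyadmin/config.inc.php
    owner: root
    group: "{{ apache_user }}"
    mode: '0640'
```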
@@ -68,7 +79,7 @@ You can also download other torrents using Transmission's web interface, or by t Known Issues ------------ -* Default Transmission user/group may need fixing (https://github.com/transmission/transmission/issues/537) in some circumstances. You can set Ansible variables 'transmission_user' and 'transmission_group' e.g. in /opt/iiab/iiab/roles/transmission/defaults/main.yml (you might need 'User=' and 'Group=' in systemd unit file /lib/systemd/system/transmission-daemon.service — e.g. both might need to be set to 'debian-transmission' — if so then run 'systemctl daemon-reload' and 'systemctl restart transmission-daemon'). +* |ss| Default Transmission user/group may need fixing (https://github.com/transmission/transmission/issues/537) in some circumstances. You can set Ansible variables 'transmission_user' and 'transmission_group' e.g. in /opt/iiab/iiab/roles/transmission/defaults/main.yml (you might need 'User=' and 'Group=' in systemd unit file /lib/systemd/system/transmission-daemon.service — e.g. both might need to be set to 'debian-transmission' — if so then run 'systemctl daemon-reload' and 'systemctl restart transmission-daemon'). |se| |nbsp| `PR #2703 `_ * Random Ports: Currently it is not possible to use random ports in the range 49152-65535. It is difficult to open multiple ports in IIAB's iptables-based firewall. diff --git a/roles/transmission/defaults/main.yml b/roles/transmission/defaults/main.yml index 023fbc224..ae49da71b 100644 --- a/roles/transmission/defaults/main.yml +++ b/roles/transmission/defaults/main.yml @@ -7,7 +7,7 @@ # Transmission download directory & general owner/group # transmission_download_dir: "{{ content_base }}/transmission/" # /library/transmission/ # transmission_user: debian-transmission -# transmission_group: root +# transmission_group: debian-transmission # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme # transmission_http_port: 9091 
diff --git a/roles/transmission/tasks/enable-or-disable.yml b/roles/transmission/tasks/enable-or-disable.yml index a5ec5b3b6..16bb091de 100644 --- a/roles/transmission/tasks/enable-or-disable.yml +++ b/roles/transmission/tasks/enable-or-disable.yml @@ -13,7 +13,7 @@ -n {{ transmission_username }}:{{ transmission_password }} -a http://pantry.learningequality.org/downloads/ka-lite/{{ transmission_kalite_version }}/content/ka-lite-0.17-resized-videos-{{ item }}.torrent with_items: "{{ transmission_kalite_languages }}" - when: transmission_enabled and transmission_provision and transmission_kalite_languages is defined and transmission_kalite_languages is not none + when: transmission_enabled and transmission_provision and transmission_kalite_languages is defined and transmission_kalite_languages is not none # '!= None' also works (i.e. to avoid var value 'null', with type 'NoneType') ignore_errors: yes - name: Disable & Stop 'transmission-daemon' service, if not transmission_enabled diff --git a/roles/transmission/tasks/install.yml b/roles/transmission/tasks/install.yml index 684b3fe14..a26361a05 100644 --- a/roles/transmission/tasks/install.yml +++ b/roles/transmission/tasks/install.yml @@ -9,8 +9,8 @@ file: state: directory path: "{{ transmission_download_dir }}" # /library/transmission - owner: "{{ transmission_user }}" # debian-transmission - group: "{{ transmission_group }}" # root + owner: "{{ transmission_user }}" # debian-transmission + group: "{{ transmission_group }}" # debian-transmission # mode: '0755' - name: Stop 'transmission-daemon' systemd service, before modifying its settings @@ -23,9 +23,9 @@ template: src: settings.json.j2 dest: /etc/transmission-daemon/settings.json - owner: "{{ transmission_user }}" # debian-transmission - group: "{{ transmission_group }}" # root - # mode: '0644' + owner: "{{ transmission_user }}" # debian-transmission + group: "{{ transmission_group }}" # debian-transmission + # mode: '0600' # RECORD Transmission AS INSTALLED 
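Review bot: `mode` stays commented out on the settings.json template task in roles/transmission/tasks/install.yml (`# mode: '0600'`), so the file's permissions are whatever the template module defaults to, not what the comment advertises. settings.json.j2 is not shown here, but it presumably carries the RPC password (`transmission_password` in vars/default_vars.yml), so I would enforce it with `mode: '0600'`. The same question applies to the commented `# mode: '0755'` on the download directory in the previous hunk, if that value is what is intended. The task's `- name:` line sits outside this hunk.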
diff --git a/scripts/ansible b/scripts/ansible
index bfd02e073..57bc906fe 100755
--- a/scripts/ansible
+++ b/scripts/ansible
@@ -1,22 +1,48 @@ #!/bin/bash -e +# FWIW "-e" tries to exit right away on error: +# https://tldp.org/LDP/abs/html/options.html +# https://stackoverflow.com/questions/9952177/whats-the-meaning-of-the-parameter-e-for-bash-shell-command-line/9952249 # PLZ SEE http://FAQ.IIAB.IO > "What is Ansible and what version should I use?" # https://github.com/iiab/iiab/tree/master/scripts/ansible.md +# https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible -APT_PATH=/usr/bin # Avoids problematic /usr/local/bin/apt on Linux Mint -CURR_VER="undefined" # Ansible version you currently have installed -GOOD_VER="2.10.3" # Orig for 'yum install [rpm]' & XO laptops (pip install) -# We install latest 'ansible-base' from PPA: (may be more recent than GOOD-VER) +APT_PATH=/usr/bin # Avoids problematic /usr/local/bin/apt on Linux Mint +CURR_VER=undefined # Ansible version you currently have installed +GOOD_VER=2.10.6 # Orig for 'yum install [rpm]' & XO laptops (pip install) + +# We install the latest 'ansible-base' from PPA, using an OS 'CODENAME' below: # https://launchpad.net/~ansible/+archive/ubuntu/ansible -# https://launchpad.net/~ansible/+archive/ubuntu/ansible-2.10 -# http://ppa.launchpad.net/ansible/ansible/ubuntu/pool/main/a/ansible-base/ -# https://github.com/ansible/ansible/commits/stable-2.10/changelogs/CHANGELOG-v2.10.rst -# IIAB implementers might instead consider these 2 GENERAL TECHNIQUES below +# 'lsb_release -sc' gives Mint 20 codename 'ulyana' etc: (TOO FINE-GRAINED) +if grep -q buster /etc/os-release /etc/debian_version; then + CODENAME=bionic # Debian 10, RaspiOS 10 & Buster-like distros +else + CODENAME=focal # Debian 11+, RaspiOS 11+, Ubuntu 20.04+, Mint 20+ (ETC) +fi + +# 'ansible-base' being renamed 'ansible-code' early in 2021. 
RELEASE LINK REFS: +# http://ppa.launchpad.net/ansible/ansible/ubuntu/pool/main/a/ansible-base/ +# https://launchpad.net/~ansible/+archive/ubuntu/ansible-2.10 +# https://github.com/ansible/ansible/commits/stable-2.10/changelogs/CHANGELOG-v2.10.rst +# https://github.com/ansible/ansible/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_11.rst +# https://www.ansible.com/blog/ansible-3.0.0-qa +# https://github.com/ansible/ansible/releases +# https://releases.ansible.com/ansible-base/ +# https://releases.ansible.com/ansible-core/ + +# FYI .travis.yml installs ansible-base in a slightly different way (PR #2689). + +# IIAB implementers might instead consider these 3 GENERAL TECHNIQUES below # ("in an emergency!") e.g. if you must install an older version of Ansible: -# TEMPORARILY USE ANSIBLE 2.9.13 (REMOVE IT WITH "pip uninstall ansible") -#pip install ansible==2.9.13 +# TEMPORARILY USE ansible-base 2.10.6 (REMOVE W/ "pip3 uninstall ansible-base") +#pip3 install ansible-base==2.10.6 # Start new shell, so /usr/local/bin works +#ansible-galaxy collection install -r collections.yml + +# TEMPORARILY USE ANSIBLE 2.9.18 (REMOVE IT WITH "pip uninstall ansible") +#apt install python-pip +#pip install ansible==2.9.18 # TEMPORARILY USE ANSIBLE 2.4.2 DUE TO 2.4.3 MEMORY BUG. Details: iiab/iiab#669 #echo "Install http://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb" @@ -34,7 +60,7 @@ echo -e "\n\nYOU ARE RUNNING: /opt/iiab/iiab/scripts/ansible (TO INSTALL ANSIBLE echo -e "RECOMMENDED PREREQUISITES:" echo -e "(1) Verify you're online" echo -e "(2) Remove all prior versions of Ansible using..." -echo -e " 'apt purge ansible-base' and/or 'pip uninstall ansible-base' and/or" +echo -e " 'apt purge ansible-base' and/or 'pip3 uninstall ansible-base' and/or" echo -e " 'apt purge ansible' and/or 'pip uninstall ansible'" echo -e "(3) Remove all lines containing 'ansible' from..." echo -e " /etc/apt/sources.list and /etc/apt/sources.list.d/*\n" 
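Review bot: The added comment in the first scripts/ansible hunk says 'ansible-base' is being renamed 'ansible-code', but the release links added directly below it point at ansible-core; it should read `# 'ansible-base' being renamed 'ansible-core' early in 2021.` Separately, the new `else` branch maps every system without "buster" in /etc/os-release or /etc/debian_version to `focal`, which also covers older releases the comment does not list. If those are unsupported, an explicit check that exits with a clear message would be safer than silently writing a focal PPA line.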
@@ -52,7 +78,7 @@ echo -e "(Internet-in-a-Box requests ansible-base $GOOD_VER or higher)\n" # Code above designed to work on all Linux distributions, to preserve options, # in support of any volunteer(s) wanting to port IIAB to a new Linux/distro. -if [ ! -f /etc/debian_version ]; then # e.g. Raspbian, Ubuntu, Mint & Debian +if [ ! -f /etc/debian_version ]; then # e.g. RaspiOS, Ubuntu, Mint & Debian echo -e "\nEXITING: /etc/debian_version FILE NOT FOUND. Linux OS support info here:" echo -e " https://github.com/iiab/iiab/wiki/IIAB-Platforms\n" exit 1 @@ -61,7 +87,7 @@ fi echo -e "\napt update; install dirmngr; PPA to /etc/apt/sources.list.d/iiab-ansible.list\n" $APT_PATH/apt update $APT_PATH/apt -y install dirmngr -echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu bionic main" \ +echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \ > /etc/apt/sources.list.d/iiab-ansible.list # In future we might instead consider 'add-apt-repository ppa:ansible/ansible' # or 'apt-add-repository ppa:ansible/bionic/ansible' etc, e.g. for streamlined @@ -78,7 +104,7 @@ echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu bionic main" \ echo -e '\nIF YOU FACE ERROR "signatures couldn'"'"'t be verified because the public key is not available" THEN REPEATEDLY RE-RUN "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367"\n' apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367 -echo -e 'PPA source "deb http://ppa.launchpad.net/ansible/ansible/ubuntu bionic main"' +echo -e 'PPA source "deb http://ppa.launchpad.net/ansible/ansible/ubuntu '$CODENAME' main"' echo -e "successfully saved to /etc/apt/sources.list.d/iiab-ansible.list\n" echo -e "IF *OTHER* ANSIBLE SOURCES APPEAR BELOW, PLEASE MANUALLY REMOVE THEM TO" echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n' 
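Review bot: The PPA line written to /etc/apt/sources.list.d/iiab-ansible.list (hunk at -61/+87) relies on a key that the `apt-key adv` call, visible as context in the next hunk, adds to apt's global trusted keyring, where it vouches for every configured repository and not just this PPA. Since the line is being touched anyway, it could scope the key to this one source, e.g. `deb [signed-by=/usr/share/keyrings/<ansible-ppa-keyring>.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main` (the keyring path is a placeholder), with the key exported to that file instead of going through `apt-key`. `$CODENAME` is only ever `bionic` or `focal` in the code shown, so the interpolation itself is fine.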
@@ -93,14 +119,17 @@ $APT_PATH/apt -y --allow-downgrades install ansible-base \ # (Re)running collection installs appears safe, with --force-with-deps to force # upgrade of collection and dependencies it pulls in. Note Ansible may support -# upgrading all collections cleanly in future. See PR #2652 (links) & PR #2653 -echo -e "\n\nIIAB requires these 3 Ansible Collections: (we upgrade them here if possible!)\n" -ansible-galaxy collection install --force-with-deps community.general -ansible-galaxy collection install --force-with-deps community.mysql -ansible-galaxy collection install --force-with-deps ansible.posix # For 3 below -# selinux WAS in /opt/iiab/iiab/roles/1-prep/tasks/main.yml -# sysctl in /opt/iiab/iiab/roles/2-common/tasks/main.yml -# synchronize in /opt/iiab/iiab-admin-console/roles/js-menu/tasks/main.yml +# explicit upgrading of collections (--upgrade / -U flag) in version "2.11" +# with PR ansible/ansible#73336. See also IIAB PRs #2647 #2652 #2653 #2655. +echo -e "\n\nIIAB requires these ~4 Ansible Collections: (we upgrade them here if possible!)\n" +ansible-galaxy collection install --force-with-deps \ + -r /opt/iiab/iiab/collections.yml \ + -p /usr/share/ansible/collections +# 2021-02-24: 'ansible-galaxy collection list' lists those installed. (#2659) +# 2020-11-28: The ~3 Ansible Collections used by IIAB (~37MB) once lived here: +# /root/.ansible/collections/ansible_collections +# But going forward they'll be stored herein: +# /usr/share/ansible/collections/ansible_collections echo -e "\n\nCreating/verifying directory /etc/ansible & installing /etc/ansible/hosts\n" mkdir -p /etc/ansible diff --git a/scripts/calibre-install-packages.sh.unusued b/scripts/calibre-install-packages.sh.unused similarity index 100% rename from scripts/calibre-install-packages.sh.unusued rename to scripts/calibre-install-packages.sh.unused diff --git a/scripts/iiab-diagnostics b/scripts/iiab-diagnostics index 2354ae9c0..242fc8b60 100755 --- a/scripts/iiab-diagnostics 
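Review bot: `ansible-galaxy collection install --force-with-deps -r /opt/iiab/iiab/collections.yml` re-fetches whatever Galaxy currently serves on every run, presumably as root since the script writes under /etc/apt. collections.yml is not shown in this part of the page, so if it lists collections without `version:` pins, two installs a week apart can end up with different code. Pinning versions there would make installs reproducible and reviewable. The hard-coded /opt/iiab/iiab path also differs from the relative `-r collections.yml` used in .travis.yml, so this step fails if the repo is checked out elsewhere.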
+++ b/scripts/iiab-diagnostics 
@@ -31,28 +31,28 @@ outfile=/etc/iiab/diag/${IIAB_RELEASE}_${OS_VER}_${YMDT}_$nickname # roles/0-init/tasks/main.yml. A bit like system logs, but only on request. function cat_file_raw() { # $1 = path/filename; $2 = # of lines, for tail - if [ -f $1 ]; then - ls -l $1 >> $outfile - if [ ! -s $1 ]; then + if [ -f "$1" ]; then + ls -l "$1" >> $outfile + if [ ! -s "$1" ]; then echo >> $outfile echo "FILE EXISTS BUT IS EMPTY!" >> $outfile elif [ $# -eq 1 ]; then echo >> $outfile # Redact most passwords from /etc/iiab/local_vars.yml, /etc/hostapd/hostapd.conf, /etc/wpa_supplicant/wpa_supplicant.conf, /etc/netplan/*, /etc/network/interfaces, /etc/network/interfaces.d/* ETC -- not much to worry about in /etc/iiab/iiab.ini (' = ') - cat $1 | sed 's/^\(\s*[[:alnum:]_-]*\(psk\|passphrase\|password\):\).*/\1 [REDACTED]/; s/^\(\s*[[:alnum:]_-]*\(psk\|passphrase\|password\)[= \t]\).*/\1[REDACTED]/' | iconv -t UTF-8//IGNORE >> $outfile + cat "$1" | sed 's/^\(\s*[[:alnum:]#_-]*\(psk\|passphrase\|password\):\).*/\1 [REDACTED]/; s/^\(\s*[[:alnum:]#_-]*\(psk\|passphrase\|password\)[= \t]\).*/\1[REDACTED]/' | iconv -t UTF-8//IGNORE >> $outfile else # e.g. last 100 lines, maximum echo " ...ITS LAST $2 LINES FOLLOW..." >> $outfile echo >> $outfile - tail -$2 $1 | sed 's/^\(\s*[[:alnum:]_-]*\(psk\|passphrase\|password\):\).*/\1 [REDACTED]/; s/^\(\s*[[:alnum:]_-]*\(psk\|passphrase\|password\)[= \t]\).*/\1[REDACTED]/' | iconv -t UTF-8//IGNORE >> $outfile + tail -$2 "$1" | sed 's/^\(\s*[[:alnum:]#_-]*\(psk\|passphrase\|password\):\).*/\1 [REDACTED]/; s/^\(\s*[[:alnum:]#_-]*\(psk\|passphrase\|password\)[= \t]\).*/\1[REDACTED]/' | iconv -t UTF-8//IGNORE >> $outfile fi echo >> $outfile - elif [ -h $1 ]; then - ls -l $1 >> $outfile + elif [ -h "$1" ]; then + ls -l "$1" >> $outfile echo >> $outfile echo "SYMLINK DOES NOT LEAD TO A REGULAR FILE!" 
>> $outfile echo >> $outfile - elif [ -d $1 ]; then - ls -ld $1 >> $outfile + elif [ -d "$1" ]; then + ls -ld "$1" >> $outfile echo >> $outfile echo "THIS IS A DIRECTORY NOT A FILE!" >> $outfile echo >> $outfile @@ -64,7 +64,7 @@ function cat_file_raw() { # $1 = path/filename; $2 = # of lines, for tail function cat_file() { echo " $1" echo "=IIAB==========================================================================" >> $outfile - cat_file_raw $1 + cat_file_raw "$1" } function cat_dir() { @@ -72,9 +72,10 @@ function cat_dir() { echo "=IIAB==========================================================================" >> $outfile if [ -d "$1" ]; then echo "DIRECTORY $1 FILES WILL FOLLOW...IF THEY EXIST" >> $outfile - for f in $(ls $1); do + shopt -s nullglob # To avoid looping over empty directories + for f in "$1"/*; do echo "-IIAB--------------------------------------------------------------------------" >> $outfile - cat_file_raw $1/$f 100 + cat_file_raw "$f" 100 done else echo "DIRECTORY DOES NOT EXIST: $1" >> $outfile @@ -84,7 +85,7 @@ function cat_dir() { function cat_cmd() { # $1 = command + params, $2 = explanation echo " $1 # $2" echo "=IIAB==========================================================================" >> $outfile - cmd=$(echo $1 | sed 's/\s.*$//') # Keep command on left; Drop params on right + cmd=$(echo "$1" | sed 's/\s.*$//') # Keep command on left; Drop params on right pth=$(which $cmd | sed 's/[^/]*$//') # Keep only path on left; Drop command on right echo "COMMAND: $pth$1 # $2" >> $outfile echo >> $outfile @@ -99,7 +100,7 @@ function cat_cmd() { # $1 = command + params, $2 = explan function cat_tail() { # $1 = path/filename; $2 = # of lines, for tail echo " $1" echo "=IIAB==========================================================================" >> $outfile - cat_file_raw $1 $2 # e.g. last 100 lines, maximum + cat_file_raw "$1" $2 # e.g. last 100 lines, maximum } # START BUILDING UP THE FILE THAT'LL CONTAIN THE DIAGNOSTICS! 
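Review bot: The redaction `sed` in cat_file_raw is still case-sensitive and expects a bare key at the start of the line, so a line such as `Password=...` or a JSON-style `"rpc-password": ...` (constructed examples) would reach $outfile unredacted; adding `#` to the bracket class only covers commented-out keys. GNU sed is already assumed by `\s` and `\|`, so the `I` flag on both substitutions, `.../\1 [REDACTED]/I`, plus an optional leading quote in the key pattern, would widen it. The expression is duplicated in the `cat` and `tail` branches, and holding it in one variable would keep the two from drifting. `$outfile` is also still unquoted throughout although it ends in `$nickname`, so the quoting fix is only partial: `>> "$outfile"`. The function ends outside this hunk.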
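Review bot: `shopt -s nullglob` in cat_dir is never switched back off, so it stays in effect for the rest of the script, and any later unmatched glob then expands to nothing instead of to itself (an `ls dir/*.conf` with no match would list the current directory). A guard inside the loop gives the same protection without changing shell state: drop the `shopt` line and start the loop body with `[ -e "$f" ] || [ -h "$f" ] || continue`. Note that `"$1"/*` skips dotfiles just as the old `ls $1` did, so coverage is unchanged there. cat_dir starts before this hunk and ends after it.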
diff --git a/scripts/iiab-diagnostics.README.md b/scripts/iiab-diagnostics.README.md index 3bf5cfdb2..00ae4ddc7 100644 --- a/scripts/iiab-diagnostics.README.md +++ b/scripts/iiab-diagnostics.README.md @@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things: ## Source Code -Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 105-221 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. +Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-222 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible. diff --git a/scripts/local_facts.fact b/scripts/local_facts.fact index 311a00136..2a6458a35 100755 --- a/scripts/local_facts.fact +++ b/scripts/local_facts.fact @@ -92,9 +92,9 @@ tmp=$(ansible --version) && ANSIBLE_VERSION=$(echo "$tmp" | head -n 1 | cut -f 2 -d " ") -# THESE LAST 3 ARE DIFFEENT as "systemctl is-enabled" unhelpfully returns the -# same rerror code (i.e. 1) REGARDLESS whether service is (A) disabled or -# (B) doesn't exist. SO WE TEST THE STRING OUTPUT INSTEAD OF THE RETURN CODE. +# THE LAST 3 BELOW ARE DIFFERENT as "systemctl is-enabled" unhelpfully returns +# the same error code (i.e. 1) REGARDLESS whether the service is (A) disabled +# or (B) doesn't exist. SO WE TEST THE STRING OUTPUT INSTEAD OF THE RETURN CODE tmp=$(systemctl is-enabled dhcpcd) [[ $tmp != "" ]] && diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 3afc1edb1..b85cea197 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
@@ -115,8 +115,8 @@ host_country_code: US host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 -hostapd_secure: False -hostapd_password: changeme +hostapd_secure: False # 2021-03-02 #2696 WiFi EAPOL fails if hotspot passwords, +hostapd_password: changeme # eg if firmware wifi_hotspot_capacity_rpi_fix: True hostapd_install: True # 2020-01-21: this var MIGHT be implemented in future. hostapd_enabled: True wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal @@ -507,11 +507,11 @@ transmission_password: changeme # Transmission download directory & general owner/group transmission_download_dir: "{{ content_base }}/transmission/" # /library/transmission/ transmission_user: debian-transmission -transmission_group: root +transmission_group: debian-transmission # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme transmission_http_port: 9091 -transmission_url : /transmission/ +transmission_url: /transmission/ transmission_peer_port: 51413 # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/ diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 9ad8bf016..e33de6fa1 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -63,8 +63,8 @@ host_country_code: US host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 -hostapd_secure: False -hostapd_password: changeme +hostapd_secure: False # 2021-03-02 #2696 WiFi EAPOL fails if hotspot passwords, +hostapd_password: changeme # eg if firmware wifi_hotspot_capacity_rpi_fix: True wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal # WiFi hotspots to service 30-to-32 client devices. Background explanation: # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472. diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 878c98733..710dfbf17 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml 
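Review bot: The two trailing comments added to `hostapd_secure` and `hostapd_password` form one sentence split across unrelated keys and are hard to parse as written ("WiFi EAPOL fails if hotspot passwords, / eg if firmware wifi_hotspot_capacity_rpi_fix: True"). If my reading is right, a single comment line above both keys would be clearer: `# 2021-03-02 (#2696): WiFi EAPOL fails when a hotspot password is set while wifi_hotspot_capacity_rpi_fix: True`. Because this explains why the shipped default is an open hotspot, the comment should also tell operators who do enable `hostapd_secure` to replace the well-known `changeme` value. The same two lines are added in vars/local_vars_big.yml, vars/local_vars_medium.yml and vars/local_vars_min.yml and should change together.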
@@ -63,8 +63,8 @@ host_country_code: US host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 -hostapd_secure: False -hostapd_password: changeme +hostapd_secure: False # 2021-03-02 #2696 WiFi EAPOL fails if hotspot passwords, +hostapd_password: changeme # eg if firmware wifi_hotspot_capacity_rpi_fix: True wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal # WiFi hotspots to service 30-to-32 client devices. Background explanation: # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472. diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 8a26cc1a2..023139f29 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -63,8 +63,8 @@ host_country_code: US host_ssid: Internet in a Box host_wifi_mode: g host_channel: 6 -hostapd_secure: False -hostapd_password: changeme +hostapd_secure: False # 2021-03-02 #2696 WiFi EAPOL fails if hotspot passwords, +hostapd_password: changeme # eg if firmware wifi_hotspot_capacity_rpi_fix: True wifi_hotspot_capacity_rpi_fix: True # Restores the ability of RPi internal # WiFi hotspots to service 30-to-32 client devices. Background explanation: # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472. diff --git a/vars/raspbian-10.yml b/vars/raspbian-10.yml index 3086c0a2c..ecd1494b8 100644 --- a/vars/raspbian-10.yml +++ b/vars/raspbian-10.yml @@ -32,5 +32,6 @@ minetest_server_bin: /library/games/minetest/bin/minetestserver minetest_working_dir: /library/games/minetest minetest_game_dir: /library/games/minetest/games/minetest_game minetest_rpi_src_tar: minetest.5.1.1.tar.gz -minetest_rpi_src_url: "http://www.nathansalapat.com/downloads/{{ minetest_rpi_src_tar }}" +#minetest_rpi_src_url: "http://www.nathansalapat.com/downloads/{{ minetest_rpi_src_tar }}" +minetest_rpi_src_url: "http://d.iiab.io/packages/{{ minetest_rpi_src_tar }}" minetest_rpi_src_untarred: Minetest
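Review bot: The replacement `minetest_rpi_src_url` in vars/raspbian-10.yml is still a plain `http://` URL, so the source tarball has no transport or integrity protection visible here; the task that consumes it is outside this diff. If d.iiab.io serves HTTPS, `minetest_rpi_src_url: "https://d.iiab.io/packages/{{ minetest_rpi_src_tar }}"` would be the minimal change. A pinned checksum on the download task would additionally cover the file being replaced on the host.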