Merge branch 'master' into mitra

install-support

@@ -1,6 +1,14 @@
 #!/bin/bash
 
-PLAYBOOK="iiab-support.yml"
+echo -e "\n\n\e[41m             DEPRECATED           PLEASE RUN 'iiab-support' INSTEAD             \e[0m\n\n"
+
+read -p "Continue? [y/N] " ans
+if [ "$ans" != "y" ]; then
+    echo
+    exit
+fi
+
+PLAYBOOK="install-support.yml"
 INVENTORY="ansible_hosts"
 CWD=`pwd`
 
@@ -12,7 +20,7 @@ if [ ! -f $PLAYBOOK ]; then
     exit 1
 fi
 
-sed -i -e "s/openvpn_install: False/openvpn_install: True/" /etc/iiab/local_vars.yml
+sed -i -e "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
-sed -i -e "s/openvpn_enabled: False/openvpn_enabled: True/" /etc/iiab/local_vars.yml
+sed -i -e "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
 
 ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local

install-support.yml

@@ -1,4 +1,3 @@
----
 - hosts: all
   become: yes
 
@@ -11,4 +10,5 @@
     - { role: 0-init, tags: ['0-init'] }
     #- { role: 1-prep, tags: ['1-prep', 'platform', 'base'] }
     - { role: 1-prep, tags: ['1-prep'] }
-    #- { role: openvpn, tags: ['openvpn'] }    # no longer nec, as 1-prep calls role openvpn (2018-09-19)
+    #- { role: openvpn, tags: ['openvpn'] }    # FASTER ALTERNATIVE THAN 1-prep (if 1-prep was already run!)
+    # BETTER YET, SEE: /usr/bin/iiab-support for a much friendlier UX, that only runs 1-prep when necessary.

roles/0-init/defaults/main.yml

@@ -1,6 +1,7 @@
-# Use these to tag a release at a point in time, for {{ iiab_env_file }}
+# (PRE-)release version number, for {{ iiab_env_file }} = /etc/iiab/iiab.env
-iiab_base_ver: 7.0
+# iiab_base_ver: 7.0
-iiab_revision: 0
+# iiab_revision: 0
+# ABOVE MOVED TO /opt/iiab/iiab/vars/default_vars.yml
 
 # These entries should never be changed in this file.
 # These are defaults for boolean routines.
@@ -8,7 +9,7 @@ first_run: False
 rpi_model: none
 is_rpi: False
 xo_model: none
-gw_active: none
+gw_active: False
 internet_available: False
 discovered_wan_iface: none
 

roles/0-init/tasks/hostname.yml

@@ -13,7 +13,7 @@
 
 - name: 'Turn the crank for systemd: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}" (debuntu)'
   shell: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Install /etc/sysconfig/network from template (redhat)
   template:
@@ -22,7 +22,7 @@
     owner: root
     group: root
     mode: 0644
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Put hostnames "127.0.0.1 localhost.localdomain localhost box {{ iiab_hostname }}" in /etc/hosts
   lineinfile:

roles/0-init/tasks/main.yml

@@ -14,7 +14,7 @@
 # sections once and only once to preserve the install date and git hash.
 - name: Create IIAB directory structure and {{ iiab_ini_file }}, if first_run
   include_tasks: first_run.yml
-  when: first_run
+  when: first_run | bool
 
 #- name: Loading computed_vars
 #  include_tasks: roles/0-init/tasks/computed_vars.yml
@@ -92,7 +92,7 @@
 - name: Set port 443 for Admin Console if adm_cons_force_ssl
   set_fact:
     gui_port: 443
-  when: adm_cons_force_ssl
+  when: adm_cons_force_ssl | bool
 
 - name: Turn on both vars for MySQL (mandatory in Stage 3!)
   set_fact:
@@ -109,7 +109,7 @@
 #  set_fact:
 #    mongodb_install: True
 #    mongodb_enabled: True
-#  when: sugarizer_enabled
+#  when: sugarizer_enabled | bool
 
 # There might be other db's
 - name: Turn on both vars for PostgreSQL if moodle_enabled or pathagar_enabled
@@ -127,12 +127,12 @@
 - name: "Set python_path: /lib/python2.7/site-packages/ (redhat)"
   set_fact:
     python_path: /lib/python2.7/site-packages/
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: "Set python_path: /usr/local/lib/python2.7/dist-packages/ (debuntu)"
   set_fact:
     python_path: /usr/local/lib/python2.7/dist-packages/
-  when: is_debuntu
+  when: is_debuntu | bool
 
 # For various reasons the mysql service cannot be enabled on Fedora 20, but
 # 'mariadb', which is its real name can.  On Fedora 18 we need to use 'mysqld'.
@@ -154,7 +154,7 @@
 #- name: "Set mysql_service: mysql (debuntu)"
 #  set_fact:
 #    mysql_service: mysql
-#  when: is_debuntu
+#  when: is_debuntu | bool
 
 - name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
   set_fact:
@@ -168,7 +168,7 @@
 
 - name: Set hostname if FQDN_changed
   include_tasks: hostname.yml
-  when: FQDN_changed
+  when: FQDN_changed | bool
 
 - name: Add 'runtime' variable values to {{ iiab_ini_file }}
   ini_file:
@@ -202,21 +202,21 @@
     - option: product_id
       value: "{{ ansible_product_uuid }}"
     - option: gw_active
-      value:  "{{ gw_active }}"
+      value: "{{ gw_active }}"
     - option: internet_available
-      value:  "{{ internet_available }}"
+      value: "{{ internet_available }}"
     - option: is_rpi
-      value:  "{{ is_rpi }}"
+      value: "{{ is_rpi }}"
     - option: first_run
-      value:  "{{ first_run }}"
+      value: "{{ first_run }}"
     - option: local_tz
-      value:  "{{ local_tz }}"
+      value: "{{ local_tz }}"
     - option: no_NM_reload
       value: "{{ no_NM_reload }}"
     - option: is_F18
       value: "{{ is_F18 }}"
     - option: FQDN_changed
-      value:  "{{ FQDN_changed }}"
+      value: "{{ FQDN_changed }}"
 
 - name: Add 'runtime' variable 'is_VM' value if defined, to {{ iiab_ini_file }}
   ini_file:
@@ -226,7 +226,7 @@
     value: "{{ item.value }}"
   with_items:
     - option: is_VM
-      value:  "yes"
+      value: "yes"
   when: is_VM is defined
 
 - name: STAGE 0 HAS COMPLETED ======================================

roles/1-prep/tasks/main.yml

@@ -9,7 +9,7 @@
       - uuid-runtime
       - sudo
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Does /etc/iiab/uuid file exist?
   stat:
@@ -44,8 +44,8 @@
 - name: Does 'ubermix' exist in /etc/lsb-release?
   shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
   register: grep_ubermix
-  failed_when: false    # Universal way to hide alarmist red errors!
+  failed_when: False    # Universal way to hide alarmist red errors!
-  #ignore_errors: true
+  #ignore_errors: True
   #check_mode: no
 
 #- debug:
@@ -77,7 +77,7 @@
 - name: OPENVPN
   include_role:
     name: openvpn
-  when: openvpn_install
+  when: openvpn_install | bool
   tags: openvpn
 
 # for rpi, without rtc, we need time as soon as possible
@@ -100,14 +100,14 @@
 # https://wiki.debian.org/AppArmor/HowToUse
 # https://packages.debian.org/buster/apparmor
 # Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10
-# pre-releases, during @floydianslips' March 2019 testing anyway!
+# pre-releases, during @floydianslips' March 2019 testing anyway!  SEE #1387
 - name: Disable AppArmor -- override OS default (ubuntu)
   service:
     name: apparmor
     enabled: False
     state: stopped
-  when: is_ubuntu
+  when: is_ubuntu | bool
-  ignore_errors: true
+  ignore_errors: True
 
 - name: Disable SELinux on next boot (OS's other than debuntu)
   selinux:
@@ -127,7 +127,7 @@
 - name: Check if the identifier for Intel's NUC6 built-in WiFi is present
   shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
   register: usb_NUC6
-  ignore_errors: true
+  ignore_errors: True
 
 - name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
   get_url:

roles/1-prep/tasks/raspberry_pi.yml

@@ -37,14 +37,14 @@
     path: /etc/dphys-swapfile
     regexp: "^CONF_SWAPSIZE"
     line: CONF_SWAPSIZE=500
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Restart swap service "dphys-swapfile" (debuntu)
   #command: /etc/init.d/dphys-swapfile restart
   service:    # A rare/legacy service that is NOT systemd
     name: dphys-swapfile
     state: restarted
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Install RPi rootfs resizing (iiab-rpi-max-rootfs.sh) and its systemd service (iiab-rpi-root-resize.service), from templates
   template:

roles/2-common/tasks/fl.yml

@@ -14,8 +14,10 @@
     - "{{ downloads_dir }}"
     - /library/downloads/zims
     - /library/downloads/rachel
+    - /library/downloads/maps
     - /library/working/zims
     - /library/working/rachel
+    - /library/working/maps
     - "{{ iiab_zim_path }}/content"
     - "{{ iiab_zim_path }}/index"
     - "{{ doc_root }}/local_content"

roles/2-common/tasks/iptables.yml

@@ -35,7 +35,7 @@
   package:
     name: iptables-persistent
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
   tags:
     - download
 
@@ -60,4 +60,4 @@
     src: iptables
     dest: /etc/network/if-pre-up.d/iptables
     mode: 0755
-  when: is_debuntu
+  when: is_debuntu | bool

roles/2-common/tasks/packages.yml

@@ -12,7 +12,7 @@
       - xml-common
       - yum-utils
     state: present
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Install {{ iiab_download_url }}/usbmount_0.0.14.1_all.deb, missing from Debian (debian-9 or debian-10, if NOT rpi)
   apt:
@@ -31,7 +31,7 @@
       - libnss-mdns
       - wpasupplicant
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, rsync, sudo, tar, unzip, usbmount, usbutils, wget"
   package:

roles/2-common/tasks/yum-historical.yml

@@ -13,18 +13,18 @@
 - name: get the createrepo program
   package: name=createrepo
            state=present
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Create local repo
   shell: createrepo {{ yum_packages_dir }}
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Install local repo file.
   template: dest=/etc/yum.repos.d/iiab-local.repo
             src=local.repo
             owner=root
             mode=0644
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Install yum packages
   package: name={{ item }}
@@ -36,7 +36,7 @@
    - linux-firmware
    - syslog
    - xml-common
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Install yum packages for Debian
   package: name={{ item }}
@@ -44,7 +44,7 @@
   with_items:
     - inetutils-syslogd
     - wpasupplicant
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Install common packages
   package: name={{ item }}
@@ -82,7 +82,7 @@
    - glibc # CVE-2015-7547
    - bash
    - iptables
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Update common packages  (debian)
   package: name={{ item }}
@@ -91,7 +91,7 @@
    - libc6
    - bash
    - iptables
-  when: is_debuntu
+  when: is_debuntu | bool
 
 
 # instuctions state to start with a fully updated system before starting, stop using

roles/4-server-options/tasks/main.yml

@@ -5,27 +5,27 @@
 
 - name: Install dnsmasq
   include_tasks: roles/network/tasks/dnsmasq.yml
-  when: dnsmasq_install
+  when: dnsmasq_install | bool
   tags: base, domain, dnsmasq, network
 
 - name: Install named / BIND
   include_tasks: roles/network/tasks/named.yml
-  when: named_install
+  when: named_install | bool
   tags: base, named, network, domain
 
 - name: Installing captive portal
   include_tasks: roles/captive-portal/tasks/main.yml
-  when: captive_portal_install
+  when: captive_portal_install | bool
   tags: base, captive-portal, network, domain
 
 - name: Installing dhcpd
   include_tasks: roles/network/tasks/dhcpd.yml
-  when: dhcpd_install
+  when: dhcpd_install | bool
   tags: base, dhcpd, network, domain
 
 - name: Install Squid (and DansGuardian if dansguardian_install)
   include_tasks: roles/network/tasks/squid.yml
-  when: squid_install
+  when: squid_install | bool
   tags: base, squid, network, domain
 
 # NETWORK moved to the very end, after Stage 9 (9-LOCAL-ADDONS)
@@ -47,7 +47,7 @@
 - name: POSTGRESQL
   include_role:
     name: postgresql
-  when: postgresql_install
+  when: postgresql_install | bool
   tags: postgresql, pathagar, moodle
 
 # UNMAINTAINED
@@ -60,19 +60,19 @@
 - name: CUPS
   include_role:
     name: cups
-  when: cups_install
+  when: cups_install | bool
   tags: cups
 
 - name: SAMBA
   include_role:
     name: samba
-  when: samba_install
+  when: samba_install | bool
   tags: samba
 
 - name: USB-LIB
   include_role:
     name: usb-lib
-  when: usb_lib_install
+  when: usb_lib_install | bool
   tags: usb-lib
 
 - name: Run /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (This script was installed at the beginning of Stage 3 = roles/3-base-server/tasks/main.yml, which ran Apache playbook = roles/httpd/tasks/main.yml)

roles/5-xo-services/tasks/main.yml

@@ -6,19 +6,19 @@
 - name: ACTIVITY-SERVER
   include_role:
     name: activity-server
-  when: activity_server_install
+  when: activity_server_install | bool
   tags: olpc, activity-server
 
 - name: EJABBERD_XS
   include_role:
     name: ejabberd_xs
-  when: ejabberd_xs_install
+  when: ejabberd_xs_install | bool
   tags: olpc, ejabberd-xs
 
 - name: IDMGR
   include_role:
     name: idmgr
-  when: idmgr_install
+  when: idmgr_install | bool
   tags: olpc, idmgr
 
 - name: Recording STAGE 5 HAS COMPLETED =====================

roles/6-generic-apps/tasks/main.yml

@@ -6,73 +6,73 @@
 - name: DOKUWIKI
   include_role:
     name: dokuwiki
-  when: dokuwiki_install
+  when: dokuwiki_install | bool
   tags: dokuwiki
 
 - name: MEDIAWIKI
   include_role:
     name: mediawiki
-  when: mediawiki_install
+  when: mediawiki_install | bool
   tags: mediawiki
 
 - name: EJABBERD
   include_role:
     name: ejabberd
-  when: ejabberd_install
+  when: ejabberd_install | bool
   tags: ejabberd
 
 - name: ELGG
   include_role:
     name: elgg
-  when: elgg_install
+  when: elgg_install | bool
   tags: elgg
 
 - name: GITEA
   include_role:
     name: gitea
-  when: gitea_install
+  when: gitea_install | bool
   tags: gitea
 
 - name: LOKOLE
   include_role:
     name: lokole
-  when: lokole_install
+  when: lokole_install | bool
   tags: lokole
 
 - name: MOSQUITTO
   include_role:
     name: mosquitto
-  when: mosquitto_install
+  when: mosquitto_install | bool
   tags: mosquitto
 
 - name: NODE-RED
   include_role:
     name: nodered
-  when: nodered_install
+  when: nodered_install | bool
   tags: nodered
 
 - name: NEXTCLOUD
   include_role:
     name: nextcloud
-  when: nextcloud_install
+  when: nextcloud_install | bool
   tags: nextcloud
 
 #- name: OWNCLOUD
 #  include_role:
 #    name: owncloud
-#  when: owncloud_install
+#  when: owncloud_install | bool
 #  tags: owncloud
 
 - name: PBX
   include_role:
     name: pbx
-  when: pbx_install
+  when: pbx_install | bool
   tags: pbx  
 
 - name: WORDPRESS
   include_role:
     name: wordpress
-  when: wordpress_install
+  when: wordpress_install | bool
   tags: wordpress
 
 - name: Recording STAGE 6 HAS COMPLETED ====================

roles/7-edu-apps/tasks/main.yml

@@ -6,39 +6,39 @@
 - name: KALITE
   include_role:
     name: kalite
-  when: kalite_install
+  when: kalite_install | bool
   tags: kalite
 
 - name: KOLIBRI
   include_role:
     name: kolibri
-  when: kolibri_install
+  when: kolibri_install | bool
   tags: kolibri
 
 - name: KIWIX
   include_role:
     name: kiwix
-  when: kiwix_install
+  when: kiwix_install | bool
   tags: kiwix
 
 - name: MOODLE
   include_role:
     name: moodle
-  when: moodle_install
+  when: moodle_install | bool
   tags: olpc, moodle
 
-- name: OSM_VECTOR
+- name: OSM-VECTOR-MAPS
   include_role:
-    name: osm-vector
+    name: osm-vector-maps
-  when: osm_vector_install is defined and osm_vector_install
+  when: osm_vector_maps_install | bool
-  tags: osm
+  tags: osm, maps
 
 # UNMAINTAINED
 - name: OSM
   include_role:
     name: osm
   when: osm_install is defined and osm_install
-  tags: osm
+  tags: osm, maps
 
 # UNMAINTAINED
 - name: PATHAGAR
@@ -50,7 +50,7 @@
 - name: SUGARIZER
   include_role:
     name: sugarizer
-  when: sugarizer_install
+  when: sugarizer_install | bool
   tags: sugarizer
 
 - name: Recording STAGE 7 HAS COMPLETED ========================

roles/8-mgmt-tools/tasks/main.yml

@@ -6,31 +6,31 @@
 - name: TRANSMISSION
   include_role:
     name: transmission
-  when: transmission_install
+  when: transmission_install | bool
   tags: transmission
 
 - name: AWSTATS
   include_role:
     name: awstats
-  when: awstats_install
+  when: awstats_install | bool
   tags: awstats
   
 - name: MONIT
   include_role:
     name: monit
-  when: monit_install
+  when: monit_install | bool
   tags: monit
 
 - name: MUNIN
   include_role:
     name: munin
-  when: munin_install
+  when: munin_install | bool
   tags: munin
 
 - name: PHPMYADMIN
   include_role:
     name: phpmyadmin
-  when: phpmyadmin_install
+  when: phpmyadmin_install | bool
   tags: phpmyadmin
 
 # UNMAINTAINED
@@ -50,7 +50,7 @@
 - name: VNSTAT
   include_role:
     name: vnstat
-  when: vnstat_install
+  when: vnstat_install | bool
   tags: vnstat
 
 # UNMAINTAINED

roles/9-local-addons/tasks/main.yml

@@ -6,19 +6,19 @@
 - name: CALIBRE
   include_role:
     name: calibre
-  when: calibre_install
+  when: calibre_install | bool
   tags: calibre
 
 - name: CALIBRE-WEB
   include_role:
     name: calibre-web
-  when: calibreweb_install
+  when: calibreweb_install | bool
   tags: calibre-web
 
 - name: MINETEST
   include_role:
     name: minetest
-  when: minetest_install
+  when: minetest_install | bool
   tags: minetest
 
 - name: INTERNETARCHIVE

roles/activity-server/tasks/main.yml

@@ -79,7 +79,7 @@
 
 - name: enable mod_expires for debian
   command: a2enmod expires
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: create the link which enables the site
   file: src=/etc/apache2/sites-available/xs-activity-server.conf

roles/ajenti/tasks/ajenti-wondershaper.yml

@@ -1,3 +1,3 @@
 - name: Install wondershaper ajenti plugin
   pip: name="{{ iiab_download_url }}"/ajenti-plugin-wondershaper-0.3.tar.gz
-  when: internet_available
+  when: internet_available | bool

roles/ajenti/tasks/main.yml

@@ -45,7 +45,7 @@
   service: name=ajenti
            enabled=yes
            state=restarted
-  when: ajenti_enabled
+  when: ajenti_enabled | bool
 
 - name: Add 'ajenti' variable values to {{ iiab_ini_file }}
   ini_file:

roles/authserver/tasks/main.yml

@@ -4,7 +4,7 @@
 
 - name: Install xs-authserver from pypi
   pip: name=xs-authserver
-  when: internet_available
+  when: internet_available | bool
 
 - name: install gunicorn
   package: name=python-gunicorn
@@ -48,7 +48,7 @@
   service: name=xs-authserver
            state=restarted
            enabled=yes
-  when: authserver_enabled
+  when: authserver_enabled | bool
 
 - name: Add 'authserver' variable values to {{ iiab_ini_file }}
   ini_file:

roles/awstats/tasks/install.yml

@@ -14,13 +14,13 @@
       - libapache2-mod-authnz-external
       - apache2-utils
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
   tags:
     - download
 
 - name: Enable cgi execution (debuntu)
   command: a2enmod cgi
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: 'Mandate {{ apache_user }}:{{ apache_user }} perm 0750 dirs: {{ awstats_data_dir }} (intermediate summary storage) & {{ apache_log_dir }}'    # /library/awstats & /var/log/apache2 typically
   file:
@@ -29,8 +29,8 @@
     owner: "{{ apache_user }}"
     group: "{{ apache_user }}"
     state: directory
-    recurse: true
+    recurse: yes
-    force: true
+    force: yes
   with_items:
     - "{{ awstats_data_dir }}"
     - "{{ apache_log_dir }}"
@@ -57,7 +57,7 @@
   template:
     src: logrotate.d.apache2
     dest: /etc/logrotate.d/apache2
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Check if package installed /etc/awstats/awstats.conf
   stat:
@@ -94,14 +94,14 @@
     owner: root
     group: root
     mode: 0644
-  when: awstats_enabled
+  when: awstats_enabled | bool
 
 - name: Create a symlink /etc/awstats/awstats.conf for access by IP address
   file:
     src: /etc/awstats/awstats.schoolserver.conf
     path: /etc/awstats/awstats.conf
     state: link
-  when: awstats_enabled
+  when: awstats_enabled | bool
 
 - name: On first enabling of AWStats, summarize httpd logs up to now (OS's other than debuntu)
   shell: /bin/perl /usr/share/awstats/wwwroot/cgi-bin/awstats.pl -config=schoolserver -update

roles/awstats/tasks/main.yml

@@ -1,6 +1,6 @@
 - name: Install AWStats if awstats_install
   include_tasks: install.yml
-  when: awstats_install
+  when: awstats_install | bool
 
 - name: Add 'awstats' variable values to {{ iiab_ini_file }}
   ini_file:

roles/calibre-web/tasks/main.yml

@@ -3,7 +3,7 @@
     name:
       - imagemagick
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Allow ImageMagick to read PDFs (debuntu)
   lineinfile:
@@ -12,7 +12,7 @@
     backrefs: yes
     line: '  <policy domain="coder" rights="read" pattern="PDF" />'
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Create 3 Calibre-Web folders to store data and configuration files
   file:
@@ -35,7 +35,7 @@
     #update: yes
     depth: 1
     version: master
-  when: internet_available
+  when: internet_available | bool
 
 ## Ansible Pip Bug: Cannot use 'chdir' with 'env' https://github.com/ansible/ansible/issues/37912 (Patch landed)
 #- name: Download calibre-web dependencies into vendor subdirectory.
@@ -51,7 +51,7 @@
     requirements: "{{ calibreweb_venv_path }}/requirements.txt"
     virtualenv: "{{ calibreweb_venv_path }}"
     virtualenv_site_packages: no
-  when: internet_available
+  when: internet_available | bool
 
 - name: Symlink {{ calibreweb_venv_path }}/vendor to {{ calibreweb_venv_path }}/lib/python2.7/site-packages to keep cps.py happy
   file:
@@ -87,7 +87,7 @@
     - roles/calibre-web/files/metadata.db
     - roles/calibre-web/files/metadata_db_prefs_backup.json
   when: not metadatadb.stat.exists
-  #when: calibreweb_provision
+  #when: calibreweb_provision | bool
 
 - name: Provision/Copy default admin settings to {{ calibreweb_config }}/app.db IF metadata.db did not exist    # {{ calibreweb_config }} is /library/calibre-web/config
   copy:
@@ -98,7 +98,7 @@
     mode: 0644
     backup: yes
   when: not metadatadb.stat.exists
-  #when: calibreweb_provision
+  #when: calibreweb_provision | bool
 
 - name: Enable & Restart 'calibre-web' systemd service
   systemd:
@@ -106,17 +106,17 @@
     daemon_reload: yes
     enabled: yes
     state: restarted
-  when: calibreweb_enabled
+  when: calibreweb_enabled | bool
 
 # Default: http://box/books
 # SEE ALSO: https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy
 - name: Enable http://box{{ calibreweb_url }} with Apache
   command: a2ensite calibre-web.conf
-  when: calibreweb_enabled
+  when: calibreweb_enabled | bool
 
 #- name: Restart Apache after enabling calibre-web httpd2 site
 #  command: apachectl -k graceful
-#  when: calibreweb_enabled
+#  when: calibreweb_enabled | bool
 
 - name: Disable 'calibre-web' systemd service
   systemd:

roles/calibre/tasks/main.yml

@@ -64,7 +64,7 @@
     state: stopped
     #enabled: no
   #register: command_result    # gist.github.com/tyrells/0a79681de339237cb04c
-  #failed_when: false          # Never Fail during "systemctl stop calibre-serve" (even if service doesn't exist!)
+  #failed_when: False          # Never Fail during "systemctl stop calibre-serve" (even if service doesn't exist!)
   #when: calibre_svc.stat.exists
 
 # 3. CREATE USER DATABASE
@@ -121,7 +121,7 @@
     name: calibre-serve
     enabled: yes
     state: started
-  when: calibre_enabled
+  when: calibre_enabled | bool
   #async: 900
   #poll: 5
 

roles/calibre/tasks/py-installer.yml

@@ -12,7 +12,7 @@
     backup: yes
     timeout: "{{ download_timeout }}"
   register: calibre_download_output
-  when: internet_available
+  when: internet_available | bool
 
 # ALWAYS DEFINED, DESPITE get_url DOCUMENTATION CLAIM...
 # - debug:
@@ -53,4 +53,4 @@
   shell: "{{ downloads_dir }}/calibre-installer.py >> /dev/null"
   #args:
   #  creates: /usr/bin/calibre-uninstall
-  when: internet_available
+  when: internet_available | bool

roles/captive-portal/tasks/main.yml

@@ -10,7 +10,7 @@
   package:
     name: libapache2-mod-wsgi
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Install mod_wsgi (not debuntu)
   package:
@@ -70,7 +70,7 @@
     owner: root
     group: root
     mode: 0644
-  when: captive_portal_enabled
+  when: captive_portal_enabled | bool
 
 - name: Enable Apache's captive-portal.conf if captive_portal_enabled (debuntu)
   file:
@@ -92,7 +92,7 @@
 #    daemon-reload: yes
 #    enabled: yes
 #    state: started
-#  when: captive_portal_enabled
+#  when: captive_portal_enabled | bool
 
 #- name: Disable & Stop captive-portal.service if not captive_portal_enabled
 #  systemd:
@@ -128,7 +128,7 @@
 #  systemd:
 #    name: dnsmasq
 #    state: restarted
-#  when: dnsmasq_enabled
+#  when: dnsmasq_enabled | bool
 
 # ABOVE DOES NOT WORK ON UBUNTU 16.04 -- what follows is a crude hack (seems to work!)
 
@@ -136,11 +136,11 @@
   systemd:
     name: dnsmasq
     state: stopped
-  when: dnsmasq_enabled
+  when: dnsmasq_enabled | bool
 
 - name: Start dnsmasq
   systemd:
     name: dnsmasq
     state: started
-  when: dnsmasq_enabled
+  when: dnsmasq_enabled | bool
   

roles/cups/tasks/main.yml

@@ -3,7 +3,7 @@
   package:
     name: cups
     state: present
-  when: cups_install
+  when: cups_install | bool
   tags:
     - download
 
@@ -43,7 +43,7 @@
 
 - name: Permit headless admin of CUPS -- only works when CUPS daemon is running
   shell: "cupsctl --remote-admin"
-  when: cups_enabled
+  when: cups_enabled | bool
 
 - name: Disable both CUPS services (OS's other than Fedora 18)
   systemd:

roles/docker/tasks/main.yml

@@ -4,7 +4,7 @@
   with_items:
     - docker
     - python-docker-py
-  when: docker_install
+  when: docker_install | bool
   tags: download
 
 - name: put the systemd startup file in place
@@ -32,7 +32,7 @@
   service: name=docker
            state=started
            enabled=true
-  when: docker_enabled
+  when: docker_enabled | bool
 
 - name: Disable docker
   service: name=docker

roles/dokuwiki/tasks/install.yml

@@ -3,7 +3,7 @@
     url: "{{ iiab_download_url }}/{{ dokuwiki_version }}.tgz"
     dest: "{{ downloads_dir }}/"
     timeout: "{{ download_timeout }}"
-  when: internet_available
+  when: internet_available | bool
 
 - name: Unarchive (unpack) it to /library/{{ dokuwiki_version }}
   unarchive:
@@ -25,7 +25,7 @@
   template:
     src: dokuwiki.conf.j2
     dest: "/etc/{{ apache_config_dir }}/dokuwiki.conf"
-  when: dokuwiki_enabled
+  when: dokuwiki_enabled | bool
 
 - name: Symlink /etc/apache2/sites-enabled/dokuwiki.conf to /etc/apache2/sites-available/dokuwiki.conf if dokuwiki_enabled (debuntu)
   file:

roles/dokuwiki/tasks/main.yml

@@ -1,6 +1,6 @@
 - name: Install DokuWiki
   include_tasks: install.yml
-  when: dokuwiki_install
+  when: dokuwiki_install | bool
 
 - name: Add 'dokuwiki' variable values to {{ iiab_ini_file }}
   ini_file:

roles/ejabberd/tasks/main.yml

@@ -36,7 +36,7 @@
 #    src: ejabberd-iiab.init
 #    dest: /etc/init.d/ejabberd-iiab
 #    mode: 0755
-#  when: is_debuntu
+#  when: is_debuntu | bool
 
 #- name: Put the startup script in place - non debian
 #  template:
@@ -73,7 +73,7 @@
     #name: ejabberd-iiab
     state: restarted
     enabled: yes
-  when: ejabberd_enabled
+  when: ejabberd_enabled | bool
   #when: ejabberd_config.changed and ejabberd_enabled
 
 #- name: Wait for ejabberd service start

roles/elgg/tasks/main.yml

@@ -9,7 +9,7 @@
     url: "{{ iiab_download_url }}/elgg-{{ elgg_version }}.zip"
     dest: "{{ downloads_dir }}"
     timeout: "{{ download_timeout }}"
-  when: internet_available
+  when: internet_available | bool
 
 - name: Check for existence of /opt/elgg-{{ elgg_version }}/index.php
   stat:
@@ -34,7 +34,7 @@
     owner: "{{ apache_user }}"
     group: "{{ apache_user }}"
     state: link
-    force: true
+    force: yes
 
 - name: 'Install /opt/elgg/elgg-config/settings.php from template (WARNING: overwrites manual settings!)'
   template:

roles/gitea/defaults/main.yml

@@ -8,7 +8,7 @@
 # https://git.coolaj86.com/coolaj86/gitea-installer.sh
 
 # Information needed to install Gitea
-gitea_version: 1.8.0
+gitea_version: 1.7.6
 iset_suffixes:
   i386: 386
   x86_64: amd64
@@ -54,4 +54,4 @@ gitea_log_root: "{{ gitea_root_directory }}/log"
 
 # Extra configuration
 gitea_display_name: Internet-in-a-Box Gitea
-skip_install_screen: true
+skip_install_screen: true    # lowercase for Gitea's own /etc/gitea/app.ini

roles/gitea/tasks/install.yml

@@ -59,7 +59,7 @@
     mode: 0775
   tags:
     - install
-  when: internet_available
+  when: internet_available | bool
 
 - name: Download Gitea GPG signature
   get_url:
@@ -68,7 +68,7 @@
   tags:
     - never
     - verify
-  when: internet_available
+  when: internet_available | bool
 
 - name: Verify Gitea binary with GPG signature
   shell: |
@@ -131,7 +131,7 @@
     name: gitea
     enabled: yes
     state: restarted
-  when: gitea_enabled
+  when: gitea_enabled | bool
 
 - name: Disable 'gitea' service
   systemd:

roles/gitea/tasks/main.yml

@@ -1,3 +1,3 @@
 - name: Install Gitea {{ gitea_version }} if gitea_install
   include_tasks: install.yml
-  when: gitea_install
+  when: gitea_install | bool

roles/homepage/tasks/main.yml

@@ -16,4 +16,4 @@
     src: "/etc/{{ apache_config_dir }}/iiab-homepage.conf"
     path: /etc/apache2/sites-enabled/iiab-homepage.conf
     state: link
-  when: is_debuntu
+  when: is_debuntu | bool

roles/httpd/tasks/main.yml

@@ -7,7 +7,7 @@
       - "php{{ php_version }}"
       - "php{{ php_version }}-curl"
     state: present
-  when: is_debian
+  when: is_debian | bool
   tags:
     - download
 
@@ -19,7 +19,7 @@
       - apache2
       - php
     state: present
-  when: is_ubuntu
+  when: is_ubuntu | bool
   tags:
     - download
 
@@ -44,7 +44,7 @@
       - php
       - php-curl
     state: present
-  when: is_redhat
+  when: is_redhat | bool
   tags:
     - download
 
@@ -68,7 +68,7 @@
     path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
     regexp: "{{ item.regexp }}"
     line: "{{ item.line }}"
-  when: apache_high_php_limits
+  when: apache_high_php_limits | bool
   with_items:
     - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
     - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
@@ -84,7 +84,7 @@
   with_items:
     - mpm_event.conf
     - mpm_event.load
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available (debuntu)
   file:
@@ -94,7 +94,7 @@
   with_items:
     - mpm_prefork.conf
     - mpm_prefork.load
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: 'Turn on mod_proxy using a2enmod with: proxy, proxy_html, headers, rewrite (debuntu)'
   command: a2enmod {{ item }}
@@ -103,14 +103,14 @@
     - proxy_html
     - headers
     - rewrite
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Enable our site, creating 010-iiab.conf symlink from sites-enabled to sites-available (debuntu)
   file:
     src: "/etc/{{ apache_config_dir }}/010-iiab.conf"
     path: /etc/apache2/sites-enabled/010-iiab.conf
     state: link
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled (debuntu)
   file:
@@ -119,7 +119,7 @@
   with_items:
     - /etc/apache2/000-default.conf    # Not nec on Raspbian.  Is this really still needed elsewhere?
     - /etc/apache2/sites-enabled/000-default.conf
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Create Apache's pid dir /var/run/{{ apache_user }}
   file:
@@ -178,7 +178,7 @@
     path: /etc/apache2/sites-enabled/osm.conf
     #path: "/etc/{{ apache_service }}/sites-enabled/osm.conf"
     state: link
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - include_tasks: html.yml
   tags:
@@ -200,7 +200,7 @@
     src: 020_apache_poweroff.j2
     dest: /etc/sudoers.d/020_apache_poweroff
     mode: 0755
-  when: apache_allow_sudo
+  when: apache_allow_sudo | bool
 
 - name: Remove {{ apache_user }} (per variable apache_user) permission to poweroff, removing /etc/sudoers.d/020_apache_poweroff
   file:

roles/httpd/tasks/php-stem.yml

@@ -5,7 +5,7 @@
 
 #- name: Download php-stem.rpi.tar
 #  command: cd /; wget http://download.iiab.io/packages/php-stem.rpi.tar
-#  when: is_rpi
+#  when: is_rpi | bool
 
 #- name: Download php-stem.x86.tar
 #  command: cd /; wget http://download.iiab.io/packages/php-stem.x64.tar
@@ -19,7 +19,7 @@
     group: root
     #mode: ????
     remote_src: yes
-  when: is_rpi
+  when: is_rpi | bool
 
 - name: Unarchive http://download.iiab.io/packages/php-stem.x64.tar to / (debian-9 on x86_64 only)
   unarchive:

roles/idmgr/tasks/main.yml

@@ -44,7 +44,7 @@
   with_items:
     - idmgr
     - xinetd
-  when: xo_services_enabled
+  when: xo_services_enabled | bool
 
 - name: Disable idmgr service
   service: name={{ item }}

roles/iiab-admin/tasks/admin-user.yml

@@ -14,7 +14,7 @@
   group:
     name: sudo
     state: present
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
   user:

roles/iiab-admin/tasks/main.yml

@@ -1,7 +1,7 @@
 - include_tasks: admin-user.yml
   tags:
     - base
-  when: iiab_admin_user_install
+  when: iiab_admin_user_install | bool
 
 - include_tasks: access.yml
   tags:

roles/kalite/tasks/install-f18.yml

@@ -7,7 +7,7 @@
   with_items:
     - python-psutil
     - expect
-  when: is_F18
+  when: is_F18 | bool
 
 - name: Install dependent pip packages (Fedora 18)
   pip:

roles/kalite/tasks/install.yml

@@ -12,7 +12,7 @@
     url: "{{ kalite_requirements }}"
     dest: "{{ pip_packages_dir }}/kalite.txt"
     timeout: "{{ download_timeout }}"
-  when: internet_available
+  when: internet_available | bool
 
 #- name: Install KA Lite non-static + reqs file with pip - (debuntu)
 #  pip: requirements={{ pip_packages_dir }}/kalite.txt

roles/kalite/tasks/main.yml

@@ -5,7 +5,7 @@
 - name: Set KA Lite's SQLite filename (Fedora 18)
   set_fact:
     kalite_db_name: "{{ kalite_root }}/kalite/database/data.sqlite"
-  when: is_F18
+  when: is_F18 | bool
 
 - name: Set KA Lite's SQLite filename (OS's other than Fedora 18)
   set_fact:

roles/kiwix/defaults/main.yml

@@ -10,9 +10,9 @@
 # Which kiwix-tools to download from http://download.iiab.io/packages/
 # As obtained from http://download.kiwix.org/release/kiwix-tools/ or http://download.kiwix.org/nightly/
 
-kiwix_version_armhf: "kiwix-tools_linux-armhf-1.2.0"
+kiwix_version_armhf: "kiwix-tools_linux-armhf-1.2.1"
-kiwix_version_linux64: "kiwix-tools_linux-x86_64-1.2.0"
+kiwix_version_linux64: "kiwix-tools_linux-x86_64-1.2.1"
-kiwix_version_i686: "kiwix-tools_linux-i586-1.2.0"
+kiwix_version_i686: "kiwix-tools_linux-i586-1.2.1"
 # kiwix_src_file_i686: "kiwix-linux-i686.tar.bz2"
 # v0.9 for i686 published May 2014 ("use it to test legacy ZIM content")
 # v0.10 for i686 published Oct 2016 ("experimental") REPLACED IN EARLY 2018, thx to Matthieu Gautier:

roles/kiwix/tasks/kiwix_install.yml

@@ -47,7 +47,7 @@
     owner: root
     group: root
     force: no
-  when: kiwix_force_install
+  when: kiwix_force_install | bool
 
 - name: Create {{ kiwix_path }}/bin directory    # /opt/iiab/kiwix/bin
   file:
@@ -65,11 +65,11 @@
     dest: /tmp
     owner: root
     group: root
-  when: kiwix_force_install
+  when: kiwix_force_install | bool
 
 - name: Move /tmp/{{ kiwix_src_dir }}/* to permanent location /opt/iiab/kiwix/bin (armhf & linux64 & i686)
   shell: "mv /tmp/{{ kiwix_src_dir }}/* {{ kiwix_path }}/bin/"
-  when: kiwix_force_install
+  when: kiwix_force_install | bool
 
 # 3. ENABLE MODS FOR APACHE PROXY IF DEBUNTU
 
@@ -81,7 +81,7 @@
   - proxy_html
   - proxy_http
   - rewrite
-  when: is_debuntu
+  when: is_debuntu | bool
 
 # 4. CREATE/ENABLE/RESTART (OR DISABLE) KIWIX SERVICE & ITS CRON JOB
 
@@ -106,14 +106,14 @@
     src: /etc/apache2/sites-available/kiwix.conf
     path: /etc/apache2/sites-enabled/kiwix.conf
     state: link
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Enable & Restart 'kiwix-serve' service
   service:
     name: kiwix-serve
     enabled: yes
     state: restarted
-  when: kiwix_enabled
+  when: kiwix_enabled | bool
 
 - name: Disable 'kiwix-serve' service
   service:

roles/kiwix/tasks/main.yml

@@ -28,7 +28,7 @@
     url: "{{ iiab_download_url }}/{{ kiwix_src_file }}"
     dest: "{{ downloads_dir }}/{{ kiwix_src_file }}"
     timeout: "{{ download_timeout }}"
-  when: internet_available
+  when: internet_available | bool
 
 - name: Check for /opt/iiab/downloads/{{ kiwix_src_file }}
   stat:

roles/kolibri/tasks/main.yml

@@ -27,17 +27,17 @@
     virtualenv_site_packages: no
     state: latest
     extra_args: --no-cache-dir
-  when: internet_available
+  when: internet_available | bool
 
 - name: Run Kolibri migrations
   shell: export KOLIBRI_HOME="{{ kolibri_home }}" && "{{ kolibri_exec_path }}" manage migrate
   ignore_errors: yes
-  when: kolibri_provision
+  when: kolibri_provision | bool
 
 - name: Set Kolibri default language
   shell: export KOLIBRI_HOME="{{ kolibri_home }}" && "{{ kolibri_exec_path }}" language setdefault "{{ kolibri_language }}"
   ignore_errors: yes
-  when: kolibri_provision
+  when: kolibri_provision | bool
 
 - name: Create Kolibri default facility name, admin account and language
   shell: >
@@ -46,7 +46,7 @@
     --superusername "{{ kolibri_admin_user }}" --superuserpassword "{{ kolibri_admin_password }}"
     --preset "{{ kolibri_preset }}" --language_id "{{ kolibri_language }}" --verbosity 0 --noinput
   ignore_errors: yes
-  when: kolibri_provision
+  when: kolibri_provision | bool
 
 - name: chown -R {{ kolibri_user }}:{{ apache_user }} {{ kolibri_home }}
   file:
@@ -72,12 +72,12 @@
     enabled: yes
     state: restarted
     daemon_reload: yes
-  when: kolibri_enabled
+  when: kolibri_enabled | bool
 
 # Default: http://box/kolibri
 - name: Enable http://box{{ kolibri_url }} with Apache
   command: a2ensite kolibri.conf
-  when: kolibri_enabled
+  when: kolibri_enabled | bool
 
 - name: Disable kolibri service
   systemd:

roles/lokole/defaults/main.yml

@@ -5,7 +5,7 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
 # Info needed to install Lokole
-lokole_version: 0.1.41
+lokole_version: 0.4.2
 lokole_admin_user: admin    # lowercase seems nec here (even though uppercase Admin/changeme is IIAB's OOB recommendation!)
 lokole_admin_password: changeme
 lokole_install_path: "{{ content_base }}/lokole"    # /library/lokole

roles/lokole/tasks/install.yml

@@ -20,7 +20,7 @@
     virtualenv_command: python3 -m venv "{{ lokole_venv }}"
   tags:
     - install
-  when: internet_available
+  when: internet_available | bool
 
 - name: Compile translations
   shell: |
@@ -73,7 +73,7 @@
     name: lokole
     enabled: yes
     state: restarted
-  when: lokole_enabled
+  when: lokole_enabled | bool
 
 - name: Disable 'lokole' service, if not lokole_enabled
   systemd:

roles/lokole/tasks/main.yml

@@ -1,3 +1,3 @@
 - name: Install Lokole {{ lokole_version }} if lokole_install
   include_tasks: install.yml
-  when: lokole_install
+  when: lokole_install | bool

roles/mediawiki/tasks/install.yml

@@ -14,7 +14,7 @@
     timeout: "{{ download_timeout }}"
     #force: yes
     #backup: yes
-  when: internet_available
+  when: internet_available | bool
 
 - name: Unpack it to permanent location {{ mediawiki_abs_path }}
   unarchive:

roles/mediawiki/tasks/main.yml

@@ -1,3 +1,3 @@
 - name: Install MediaWiki {{ mediawiki_version }} if mediawiki_install
   include_tasks: install.yml
-  when: mediawiki_install
+  when: mediawiki_install | bool

roles/minetest/tasks/calc_vars.yml

@@ -7,7 +7,7 @@
 # only works if server run as root
     minetest_runas_user: root
     minetest_runas_group: root
-  when: is_rpi
+  when: is_rpi | bool
 
 # For other installs
 - name: Set some facts for other platforms

roles/minetest/tasks/main.yml

@@ -78,7 +78,7 @@
     name: minetest-server
     enabled: yes
     state: restarted
-  when: minetest_enabled
+  when: minetest_enabled | bool
 
 - name: Disable 'minetest-server' service
   systemd:

roles/minetest/tasks/minetest_install.yml

@@ -24,7 +24,7 @@
     line: "{{ item.line }}"
   with_items:
     - { regexp: '^mg_name = ', line: 'mg_name = flat' }
-  when: minetest_flat_world
+  when: minetest_flat_world | bool
 
 - name: Create /library/games/minetest/worlds/world
   file:

roles/minetest/tasks/rpi_minetest_install.yml

@@ -49,4 +49,4 @@
   with_items:
     - { src: 'minetest.conf.j2', dest: '/etc/minetest/minetest.conf' }
     - { src: 'minetest-server.service.j2', dest: '/etc/systemd/system/minetest-server.service' }
-  when: minetest_install
+  when: minetest_install | bool

roles/mongodb/tasks/main.yml

@@ -90,7 +90,7 @@
   group:
     name: mongodb
     state: present
-  when: is_rpi
+  when: is_rpi | bool
 
 - name: Create Linux user mongodb (rpi)
   user:
@@ -99,7 +99,7 @@
     groups: mongodb
     home: /var/lib/mongodb
     shell: /usr/sbin/nologin
-  when: is_rpi
+  when: is_rpi | bool
 
 
 # 2. CONFIGURE FOR IIAB
@@ -137,7 +137,7 @@
     daemon_reload: yes
     enabled: yes
     state: restarted
-  when: mongodb_enabled
+  when: mongodb_enabled | bool
 
 - name: Disable 'mongodb' service, if not mongodb_enabled
   systemd:

roles/monit/tasks/main.yml

@@ -22,7 +22,7 @@
     group: root
     mode: 0600
 
-- name: Install config file /etc/monit.d/watchdog from template
+- name: Install config file /etc/monit.d/watchdog from template (NEVER RUNS, WHY?)
   template:
     src: watchdog
     dest: /etc/monit.d/watchdog
@@ -31,7 +31,7 @@
     force: yes
     mode: 0755
   register: monit_config
-  when: false
+  when: False    # IS THIS A BUG ?
   until: monit_config | success
   retries: 5
   delay: 1

roles/moodle/tasks/main.yml

@@ -18,7 +18,7 @@
       # mbstring is now included in php-cli
       - php{{ php_version }}-cli
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: "Install package: php{{ php_version }}-zip (ubuntu or debian-9+)"
   package:
@@ -28,7 +28,7 @@
 - name: "Install package: php-pclzip (debian-8)"
   package:
     name: php-pclzip
-  when: is_debian_8
+  when: is_debian_8 | bool
 
 - name: Determine if Moodle is already downloaded
   stat:
@@ -80,7 +80,7 @@
     owner: root
     group: root
     mode: 0644
-  when: moodle_enabled
+  when: moodle_enabled | bool
 
 - name: Create symlink 022-moodle.conf from sites-enabled to sites-available, if moodle_enabled (debuntu)
   file:
@@ -131,7 +131,7 @@
     name: postgresql-iiab
     state: restarted
     enabled: yes
-  when: moodle_enabled
+  when: moodle_enabled | bool
 
 - name: Restart Apache service ({{ apache_service }})
   service:

roles/mosquitto/tasks/main.yml

@@ -5,7 +5,7 @@
   with_items:
     - mosquitto
     - mosquitto-clients
-  when: mosquitto_install
+  when: mosquitto_install | bool
   tags: download
 
 - name: Disable & Stop 'mosquitto' service
@@ -13,18 +13,18 @@
     name: mosquitto
     enabled: no
     state: stopped
-  when: mosquitto_install
+  when: mosquitto_install | bool
 
 - name: Create (touch) file /etc/mosquitto/passwd
   file:
     path: /etc/mosquitto/passwd
     state: touch
     mode: "u=rw,g=r,o=r"    # 0644
-  when: mosquitto_install
+  when: mosquitto_install | bool
 
 - name: Populate /etc/mosquitto/passwd with actual username/password
   shell: mosquitto_passwd -b /etc/mosquitto/passwd "{{ mosquitto_user }}" "{{ mosquitto_password  }}"
-  when: mosquitto_install
+  when: mosquitto_install | bool
 
 - name: Install /etc/mosquitto/conf.d/websockets.conf from template
   template:
@@ -34,7 +34,7 @@
     owner: root
     group: root
     mode: 0755
-  when: mosquitto_install
+  when: mosquitto_install | bool
 
 - name: Enable & Start 'mosquitto' service
   systemd:
@@ -42,4 +42,4 @@
     name: mosquitto
     enabled: yes
     state: started
-  when: mosquitto_enabled
+  when: mosquitto_enabled | bool

roles/munin/tasks/main.yml

@@ -9,7 +9,7 @@
     state: present
   tags:
     - download
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: "Install 2 packages: munin, munin-node (OS's other than debuntu)"
   package:
@@ -45,7 +45,7 @@
     name: munin-node
     enabled: yes
     state: started
-  when: munin_enabled
+  when: munin_enabled | bool
 
 - name: Create symlink munin24.conf from sites-enabled to sites-available (debuntu)
   file:
@@ -79,7 +79,7 @@
     - /usr/share/munin/plugins/mysql_queries
     - /usr/share/munin/plugins/mysql_slowqueries
     - /usr/share/munin/plugins/mysql_threads
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 - name: Add 'munin' variable values to {{ iiab_ini_file }}
   ini_file:

roles/mysql/tasks/main.yml

@@ -14,7 +14,7 @@
       #- php{{ php_version }}-xml
       - php{{ php_version }}-xmlrpc
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
   tags:
     - download
 
@@ -28,7 +28,7 @@
   package:
     name: php-xml-parser
     state: present
-  when: is_debian_8
+  when: is_debian_8 | bool
 
 - name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)"
   package:
@@ -64,13 +64,13 @@
   systemd:
     name: "{{ mysql_service }}"
     state: started
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 - name: Enable MySQL systemd service (upon subsequent boots) if mysql_enabled
   systemd:
     name: "{{ mysql_service }}"
     enabled: yes
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 # 'localhost' needs to be the last item for idempotency, see
 # http://ansible.cc/docs/modules.html#mysql-user
@@ -81,7 +81,7 @@
     host: localhost
     password: "{{ mysql_root_password }}"
     priv: "*.*:ALL,GRANT"
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 - name: Install .my.cnf file from template, with root password credentials, if mysql_enabled
   template:
@@ -89,7 +89,7 @@
     dest: /root/.my.cnf
     owner: root
     mode: 0600
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 - name: Update MySQL root password for all remaining root accounts (127.0.0.1, ::1) if mysql_enabled
   mysql_user:
@@ -101,26 +101,26 @@
     #- "{{ iiab_hostname }}.{{ iiab_domain }}"
     - 127.0.0.1
     - ::1
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 - name: Delete anonymous MySQL server user for {{ ansible_hostname }}, if mysql_enabled
   mysql_user:
     user: ""
     host: "{{ ansible_hostname }}"
     state: absent
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 - name: Delete anonymous MySQL server user for localhost, if mysql_enabled
   mysql_user:
     user: ""
     state: absent
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 - name: Remove the MySQL 'test' database, if mysql_enabled
   mysql_db:
     db: test
     state: absent
-  when: mysql_enabled
+  when: mysql_enabled | bool
 
 # we had to start mysql in order to configure it, now turn if off if not enabled
 - name: Config is done but now DISABLE MySQL service, if not mysql_enabled

roles/network/tasks/avahi.yml

@@ -3,7 +3,7 @@
     name: avahi
     createhome: no
     shell: /bin/false
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Install avahi announce config file /etc/avahi/services/schoolserver.service
   template:
@@ -12,13 +12,19 @@
     owner: avahi
     group: avahi
     mode: 0640
-  when: 'gui_wan == True'
+  #when: 'gui_wan == True'
+  when: ports_externally_visible|int >= 2
+  # Where "2" means "ssh + http-or-https (for Admin Console's box.lan/admin too)"
+  # SEE ~18 line explanation in box near:
+  # https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L3-L20
+  # IF >= 2, Admin Console $gui_port from 0-init determines which port (http-or-https) is opened here:
+  # https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L133-L138
 
 - name: Find avahi_ver for clean copy of ssh.service (not debuntu)
   shell: "ls /usr/share/doc/ | grep avahi | head -n1"
   register: avahi_ver
   ignore_errors: True
-  changed_when: false
+  changed_when: False
   # when: not is_debuntu    # would cause failures 6 lines below
 
 - name: Grab a clean copy of ssh.service (not debuntu)
@@ -31,7 +37,7 @@
   copy:
     src: /usr/share/doc/avahi-daemon/examples/ssh.service
     dest: /etc/avahi/services/
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Set ssh port for avahi
   lineinfile:

roles/network/tasks/computed_network.yml

@@ -60,7 +60,8 @@
 - name: Checking iiab_wan_enabled
   set_fact:
     user_wan_iface: "none"
-  when: 'not iiab_wan_enabled'
+  when: not iiab_wan_enabled
+  #when: 'not iiab_wan_enabled'
 
 # gui wants LanController # keeps ifcfg-WAN but onboot=no
 # the change over might be a little bumpy ATM.
@@ -141,7 +142,7 @@
   set_fact:
     iiab_lan_iface: "br0"
     iiab_wireless_lan_iface: "wlan0"
-  when: is_rpi
+  when: is_rpi | bool
 
 - name: Enable hostapd if discovered_wireless_iface is not WAN
   set_fact:

roles/network/tasks/dansguardian.yml

@@ -21,7 +21,7 @@
     owner: dansguardian
     group: dansguardian
     mode: 0640
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Install /etc/dansguardian/dansguardian.conf from template (CentOS)
   template:

roles/network/tasks/debian.yml

@@ -73,13 +73,13 @@
   service:
     name: dhcpd
     state: stopped
-  when: dhcpd_install
+  when: dhcpd_install | bool
 
 - name: dhcpd_server may be affected - stopping dnsmasq
   service:
     name: dnsmasq
     state: stopped
-  when: dnsmasq_install
+  when: dnsmasq_install | bool
 
 - name: Reload systemd
   systemd:

roles/network/tasks/detected_network.yml

@@ -17,7 +17,7 @@
 
 - name: Red Hat network detection (redhat)
   include_tasks: detected_redhat.yml
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Setting dhcpcd_test results
   set_fact:
@@ -40,7 +40,7 @@
 
 - name: Check /etc/network/interfaces for gateway
   shell: grep {{ device_gw }} /etc/network/interfaces | wc -l
-  when: is_debuntu
+  when: is_debuntu | bool
   register: wan_file
 
 - name: Setting wan_in_interfaces

roles/network/tasks/dhcpd.yml

@@ -2,7 +2,7 @@
   package:
     name: isc-dhcp-server
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
   tags:
     - download
 
@@ -18,21 +18,22 @@
   user:
     name: dhcpd
     createhome: no
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: Disable stock dhcp_service (debuntu)
   service:
     name: "{{ dhcp_service }}"
     enabled: no
     state: stopped
-  when: is_debuntu
+  when: is_debuntu | bool
 
-- name: Disable stock dhcp_service ipv6 (ubuntu-18)
+- name: Disable stock dhcp_service ipv6 (ubuntu-18 and higher)
   service:
     name: "{{ dhcp_service }}6"
     enabled: no
     state: stopped
-  when: is_ubuntu_18
+  when: is_ubuntu and not is_ubuntu_16
+  #when: is_ubuntu_18 | bool
 
 - name: Install systemd unit file to /etc/systemd/system/dhcpd.service
   template:
@@ -48,7 +49,7 @@
   command: touch /var/lib/dhcpd/dhcpd.leases
   args:
     creates: /var/lib/dhcpd/dhcpd.leases
-  when: is_redhat
+  when: is_redhat | bool
 
 - name: Set dhcpd.leases permissions/ownership (redhat)
   file:
@@ -57,4 +58,4 @@
     group: dhcpd
     mode: 0644
     state: file
-  when: is_redhat
+  when: is_redhat | bool

roles/network/tasks/down-debian.yml

@@ -16,10 +16,10 @@
   service:
     name: dhcpd
     state: stopped
-  when: dhcpd_install
+  when: dhcpd_install | bool
 
 - name: dhcpd_server may be affected - stopping dnsmasq
   service:
     name: dnsmasq
     state: stopped
-  when: dnsmasq_install
+  when: dnsmasq_install | bool

roles/network/tasks/hostapd.yml

@@ -31,7 +31,7 @@
     owner: root
     group: root
     mode: 0755
-  when: is_rpi
+  when: is_rpi | bool
 
 - name: Create /usr/bin/iiab-hotspot-off from template
   template:
@@ -40,7 +40,7 @@
     owner: root
     group: root
     mode: 0755
-  when: is_rpi
+  when: is_rpi | bool
 
 - name: Disable the Access Point 'hostapd' service
   systemd:

roles/network/tasks/ifcfg_mods.yml

@@ -36,13 +36,13 @@
   service:
     name: dhcpd
     state: stopped
-  when: dhcpd_install
+  when: dhcpd_install | bool
 
 - name: dhcpd_server may be affected - stopping dnsmasq
   service:
     name: dnsmasq
     state: stopped
-  when: dnsmasq_install
+  when: dnsmasq_install | bool
 
 - name: Stop the LAN/Bridge deleting iiab-LAN
   shell: nmcli con delete id iiab-LAN

roles/network/tasks/main.yml

@@ -57,7 +57,7 @@
 
 - name: Configure wondershaper
   include_tasks: wondershaper.yml
-  when: wondershaper_install
+  when: wondershaper_install | bool
   tags:
     - network
     - wondershaper
@@ -99,7 +99,7 @@
 #### Start network layout
 - name: Redhat networking
   include_tasks: ifcfg_mods.yml
-  when: is_redhat
+  when: is_redhat | bool
   #and not installing
   tags:
     - network
@@ -107,7 +107,7 @@
 - name: Netplan in use on Ubuntu 18.04+
   include_tasks: netplan.yml
   when: is_ubuntu and not is_ubuntu_16
-  #when: is_ubuntu_18
+  #when: is_ubuntu_18 | bool
   #and not installing
   tags:
     - network

roles/network/tasks/named.yml

@@ -4,7 +4,7 @@
       - bind9
       - bind9utils
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
   tags:
     - download
 
@@ -79,7 +79,7 @@
   template:
     src: roles/network/templates/named/dns-jail.conf
     dest: "/etc/{{ apache_config_dir }}/"
-  when: dns_jail_enabled
+  when: dns_jail_enabled | bool
 
 - name: Create symlink dns-jail.conf from sites-enabled to sites-available (if debuntu and dns_jail_enabled)
   file:

roles/network/tasks/netplan.yml

@@ -27,7 +27,7 @@
     enabled: yes
   with_items:
     - systemd-networkd-wait-online
-  when: systemd_networkd_active
+  when: systemd_networkd_active | bool
 
 # ICO will always set gui_static_wan_ip away from the default of 'unset' while
 # gui_static_wan turns dhcp on/off through wan_ip in computed_network and

roles/network/tasks/redetect.yml

@@ -57,7 +57,7 @@
   shell: nmcli conn up id iiab-WAN
   register: dhcp_WAN
   ignore_errors: yes
-  when: has_WAN
+  when: has_WAN | bool
 
 - name: BAD ifcfg-WAN
   debug:
@@ -117,7 +117,7 @@
   register: ifcfg_dhcp_device
   ignore_errors: True
   changed_when: False
-  when: dhcp_good
+  when: dhcp_good | bool
 
 - name: Setting has ifcfg gw based on device if found
   set_fact:

roles/network/tasks/restart.yml

@@ -15,13 +15,13 @@
     name: "{{ proxy }}"
     state: stopped
   async: 120
-  when: squid_install
+  when: squid_install | bool
 
 - name: Stop DansGuardian
   systemd:
     name: dansguardian
     state: stopped
-  when: dansguardian_install
+  when: dansguardian_install | bool
 
 - name: Restart DansGuardian service (dansguardian) except Ubuntu which needs reboot to activate
   systemd:
@@ -40,7 +40,7 @@
   systemd:
     name: wondershaper
     state: restarted
-  when: wondershaper_enabled
+  when: wondershaper_enabled | bool
 
 - name: Restart Avahi service (avahi-daemon)
   systemd:

roles/network/tasks/squid.yml

@@ -9,7 +9,7 @@
 
 - name: "Bigger hammer for Ubuntu, run: /etc/init.d/squid stop"
   command: /etc/init.d/squid stop
-  when: is_ubuntu
+  when: is_ubuntu | bool
 
 - name: Stop Squid
   service:
@@ -79,7 +79,7 @@
     state: directory
 
 - include_tasks: roles/network/tasks/dansguardian.yml
-  when: dansguardian_install
+  when: dansguardian_install | bool
 
 # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
 - name: Add '{{ proxy }}' variable values to {{ iiab_ini_file }}

roles/network/tasks/sysd-netd-debian.yml

@@ -33,11 +33,12 @@
     wan_cidr: "{{ CIDR.stdout }}"
   when: wan_ip != "dhcp"
 
-- name: Supply static WAN template
+- name: Supply static WAN template (ubuntu-16)
   template:
     dest: /etc/systemd/network/IIAB-Static.network
     src: network/systemd-static-net.j2
-  when: wan_ip != "dhcp" and not is_ubuntu_18
+  when: wan_ip != "dhcp" and is_ubuntu_16
+  #when: wan_ip != "dhcp" and not is_ubuntu_18
 
 - name: Stopping services
   include_tasks: down-debian.yml

roles/network/templates/gateway/iiab-gen-iptables

@@ -1,5 +1,31 @@
 #!/bin/bash -x
-source {{ iiab_env_file }}
+
+################################################################################
+#                                                                              #
+# IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN:                   #
+#                                                                              #
+#   /etc/iiab/local_vars.yml                                                   #
+#                                                                              #
+# This firewall variable must be an integer {0...5} as follows:                #
+#                                                                              #
+#   0 = none                                                                   #
+#   1 = ssh only                                                               #
+#   2 = ssh + http-or-https (for Admin Console's box.lan/admin too)            #
+#   3 = ssh + http-or-https + common IIAB services  <--  THIS IS THE DEFAULT   #
+#   4 = ssh + http-or-https + common IIAB services + Samba                     #
+#   5 = all but databases                                                      #
+#                                                                              #
+# Then enable it with iptables by running: cd /opt/iiab/iiab; ./iiab-network   #
+#                                                                              #
+################################################################################
+
+# To further customize your iptables firewall, it's generally best to edit:
+# /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
+# And then run: cd /opt/iiab/iiab; ./iiab-network
+
+# IIAB Networking Doc:
+# https://github.com/iiab/iiab/wiki/IIAB-Networking#firewall-iptables
+
 {% if is_debuntu %}
 IPTABLES=/sbin/iptables
 IPTABLES_DATA=/etc/iptables.up.rules
@@ -7,152 +33,184 @@ IPTABLES_DATA=/etc/iptables.up.rules
 IPTABLES=/usr/sbin/iptables
 IPTABLES_DATA=/etc/sysconfig/iptables
 {% endif %}
-LANIF=$IIAB_LAN_DEVICE
-WANIF=$IIAB_WAN_DEVICE
-MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
 
-clear_fw() {
+source {{ iiab_env_file }}
-$IPTABLES -F
+lan=$IIAB_LAN_DEVICE
-$IPTABLES -t nat -F
+wan=$IIAB_WAN_DEVICE
-$IPTABLES -X
+echo -e "\nLAN: $lan"
+echo -e "WAN: $wan\n"
+#network_mode=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
+#echo -e "Network Mode: $network_mode\n"
 
-# first match wins
+# "Good thing we replace this file; should be treated like Squid below" ?
-# Always accept loopback traffic
+ports_externally_visible={{ ports_externally_visible }}
-$IPTABLES -A INPUT -i lo -j ACCEPT
+#services_externally_visible={{ services_externally_visible }}
-
-# Always drop rpc
-$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
-$IPTABLES -A INPUT -p udp --dport 111 -j DROP
-# mysql
-$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
-$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
-# postgres - not needed listens on lo only
-$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
-$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
-# couchdb
-$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
-$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
-}
-
-if [  "x$WANIF" == "xnone" ] || [ "$MODE" == "Appliance" ]; then
-    clear_fw
-    # save the rule set
-	{% if is_debuntu %}
-	netfilter-persistent save
-	{% else %}
-	iptables-save > $IPTABLES_DATA
-	{% endif %}
-    exit 0
-fi
-lan=$LANIF
-wan=$WANIF
-
-# Good thing we replace this file should be treated like squid below
 gw_block_https={{ gw_block_https }}
 ssh_port={{ ssh_port }}
-gui_wan={{ gui_wan }}
+#gui_wan={{ gui_wan }}
 gui_port={{ gui_port }}
 iiab_gateway_enabled={{ iiab_gateway_enabled }}
-services_externally_visible={{ services_externally_visible }}
+block_DNS={{ block_DNS }}
+
 calibre_port={{ calibre_port }}
 calibreweb_port={{ calibreweb_port }}
-kiwix_port={{ kiwix_port }}
-kalite_server_port={{ kalite_server_port }}
-kolibri_http_port={{ kolibri_http_port }}
 cups_port={{ cups_port }}
-transmission_http_port={{ transmission_http_port }}
-transmission_peer_port={{ transmission_peer_port }}
-sugarizer_port={{ sugarizer_port }}
 internetarchive_port={{ internetarchive_port }}
-nodered_port={{ nodered_port }}
+kalite_server_port={{ kalite_server_port }}
-mosquitto_port={{ mosquitto_port }}
+kiwix_port={{ kiwix_port }}
+kolibri_http_port={{ kolibri_http_port }}
 minetest_port={{ minetest_port }}
+mosquitto_port={{ mosquitto_port }}
+nodered_port={{ nodered_port }}
+pbx_enabled={{ pbx_enabled }}
 pbx_signaling_ports_chan_sip={{ pbx_signaling_ports_chan_sip }}
 pbx_signaling_ports_chan_pjsip={{ pbx_signaling_ports_chan_pjsip }}
 pbx_data_ports={{ pbx_data_ports }}
-pbx_enabled={{ pbx_enabled }}
+sugarizer_port={{ sugarizer_port }}
-block_DNS={{ block_DNS }}
+transmission_http_port={{ transmission_http_port }}
+transmission_peer_port={{ transmission_peer_port }}
 
-echo "LAN is $lan and WAN is $wan"
+samba_udp_ports={{ samba_udp_ports }}
-#
+samba_tcp_mports={{ samba_tcp_mports }}
-# delete all existing rules.
-#
 
+echo -e "\nports_externally_visible: "$ports_externally_visible"\n"
+if ! [ "$ports_externally_visible" -eq "$ports_externally_visible" ] 2> /dev/null; then
+    echo "EXITING: an integer is required"
+    exit 1
+elif [ "$ports_externally_visible" -lt 0 ] || [ "$ports_externally_visible" -gt 5 ]; then
+    echo "EXITING: it must be in the range {0...5}"
+    exit 1
+fi
+
+#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
+# Load iptables kernel modules
 /sbin/modprobe ip_tables
 /sbin/modprobe iptable_filter
 /sbin/modprobe ip_conntrack
 /sbin/modprobe iptable_nat
-clear_fw
+#fi
+
+# Delete all existing firewall rules
+$IPTABLES -F
+$IPTABLES -t nat -F
+$IPTABLES -X
+
+# FIRST MATCH WINS - establish iptable rules, starting at the top:
+# (verify the resulting rule set by running 'iptables -L -v')
+# New to iptables?  Run/read 'man iptables' & 'man iptables-extensions'
+
+# Always accept loopback traffic
+$IPTABLES -A INPUT -i lo -j ACCEPT
+
+# Disable access to databases, on LAN-side and WAN-side
+# SunRPC
+$IPTABLES -A INPUT -p tcp --dport 111 -j DROP
+$IPTABLES -A INPUT -p udp --dport 111 -j DROP
+# MySQL
+$IPTABLES -A INPUT -p tcp --dport 3306 -j DROP
+$IPTABLES -A INPUT -p udp --dport 3306 -j DROP
+# PostgreSQL - not needed listens on lo only
+$IPTABLES -A INPUT -p tcp --dport 5432 -j DROP
+$IPTABLES -A INPUT -p udp --dport 5432 -j DROP
+# CouchDB
+$IPTABLES -A INPUT -p tcp --dport 5984 -j DROP
+$IPTABLES -A INPUT -p udp --dport 5984 -j DROP
 
 # Allow established connections, and those not coming from the outside
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-$IPTABLES -A INPUT -m state --state NEW -i  $lan -j ACCEPT
+$IPTABLES -A INPUT -m state --state NEW -i $lan -j ACCEPT
 
-# Allow mDNS
+# Allow mDNS from WAN-side too (ON PURPOSE? WHY OUT OF CURIOSITY?)
 $IPTABLES -A INPUT -p udp --dport 5353 -j ACCEPT
 
-#when run as gateway
+#if [ "$wan" != "none" ] && [ "$network_mode" != "Appliance" ]; then
-$IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+if [ "$wan" != "none" ]; then
 
-if [ "$gui_wan" == "True" ]; then
+    # 1 = ssh only
-    $IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
+    if [ "$ports_externally_visible" -ge 1 ]; then
-fi
+        $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+    fi
 
-if [ "$services_externally_visible" == "True" ]; then
+    # 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
-    $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
+    if [ "$ports_externally_visible" -ge 2 ]; then
-    $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
+        # For now this is implemented using Admin Console variable "gui_port" from:
-    $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
+        # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95
-    $IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $gui_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
+    fi
-    $IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
-    $IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
 
-    if [ "$pbx_enabled" == "True" ]; then
+    # 3 = ssh + http-or-https + common IIAB services
-        $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
+    if [ "$ports_externally_visible" -ge 3 ]; then
-        $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $calibre_port -m state --state NEW -i $wan -j ACCEPT
-        $IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $calibreweb_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $cups_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $internetarchive_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $kalite_server_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $kiwix_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $kolibri_http_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p udp --dport $minetest_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $mosquitto_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $nodered_port -m state --state NEW -i $wan -j ACCEPT
+
+        if [ "$pbx_enabled" == "True" ]; then
+            $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_sip -m state --state NEW -i $wan -j ACCEPT
+            $IPTABLES -A INPUT -p udp --dport $pbx_signaling_ports_chan_pjsip -m state --state NEW -i $wan -j ACCEPT
+            $IPTABLES -A INPUT -p udp --dport $pbx_data_ports -m state --state NEW -i $wan -j ACCEPT
+        fi
+
+        $IPTABLES -A INPUT -p tcp --dport $sugarizer_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $transmission_http_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $transmission_peer_port -m state --state NEW -i $wan -j ACCEPT
+    fi
+
+    # 4 = ssh + http-or-https + common IIAB services + Samba
+    if [ "$ports_externally_visible" -ge 4 ]; then
+        $IPTABLES -A INPUT -p udp --dport $samba_udp_ports -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp -m multiport --dports $samba_tcp_mports -m state --state NEW -i $wan -j ACCEPT
+    fi
+
+    if [ "$lan" != "none" ]; then
+        # Typically False, to keep client machines (e.g. students) off the Internet
+        if [ "$iiab_gateway_enabled" == "True" ]; then
+            $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
+        fi
+
+        # 3 or 4 IP forwarding rules
+        $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
+        # Block https traffic except if directed at server
+        if [ "$gw_block_https" == "True" ]; then
+            $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
+        fi
+        # Allow outgoing connections from the LAN side
+        $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
+        # Don't forward from the outside to the inside
+        $IPTABLES -A FORWARD -i $wan -o $lan -j DROP
+        # Enable routing (kernel IP forwarding)
+        echo 1 > /proc/sys/net/ipv4/ip_forward
+    fi
+
+    # 5 = "all but databases"
+    if [ "$ports_externally_visible" -lt 5 ]; then
+        # Drop everything else arriving via WAN
+        $IPTABLES -A INPUT -i $wan -j DROP
     fi
 fi
 
-if [ "$iiab_gateway_enabled" == "True" ]; then
+# TCP & UDP block of DNS port 53 if truly nec
-    $IPTABLES -A POSTROUTING -t nat -o $wan -j MASQUERADE
-fi
-
-$IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-#Block https traffic except if directed at server
-if [  "$gw_block_https" == "True" ]; then
-    $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP
-fi
-
-# Allow outgoing connections from the LAN side.
-$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT
-
-# Don't forward from the outside to the inside.
-$IPTABLES -A FORWARD -i $wan -o $lan -j DROP
-$IPTABLES -A INPUT -i $wan -j DROP
-
 if [ "$block_DNS" == "True" ]; then
     $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
     $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53
 fi
 
+# If Squid enabled, as indicated by "HTTPCACHE_ON=True" in /etc/iiab/iiab.env
 if [ "$HTTPCACHE_ON" == "True" ]; then
-    $IPTABLES  -t nat  -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
+    $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128
 fi
 
-# Enable routing.
+# Save the whole rule set
-echo 1 > /proc/sys/net/ipv4/ip_forward
-# save the whole rule set now
 {% if is_debuntu %}
 netfilter-persistent save
 {% else %}
 iptables-save > $IPTABLES_DATA
 {% endif %}
+
 exit 0

roles/nextcloud/defaults/main.yml

@@ -11,7 +11,11 @@ nextcloud_url: /nextcloud
 nextcloud_prefix: /opt
 nextcloud_data_dir: "{{ content_base }}/nextcloud/data"
 nextcloud_dl_url: https://download.nextcloud.com/server/releases
-nextcloud_orig_src_file: latest-15.tar.bz2    # 2019-04-25: nextcloud-16.0.0.tar.bz2 requires PHP 7.1+ and so fails on current Raspbian and Debian 9 "Stretch".  2019-09-27 aside: latest-16.tar.bz2 oddly still not yet published at https://download.nextcloud.com/server/releases/
+
+# 2019-05-11: latest-16.tar.bz2 finally published to https://download.nextcloud.com/server/releases/ (nextcloud/server#15502) e.g. for Ubuntu 18.04 & Debian 10
+nextcloud_orig_src_file_old: latest-15.tar.bz2    # 2019-05-16: for legacy OS's Debian 9 & Raspbian 9 where PHP 7.1+ isn't available
+nextcloud_src_file_old: nextcloud_{{ nextcloud_orig_src_file_old }}
+nextcloud_orig_src_file: latest-16.tar.bz2        # 2019-05-16: for all other OS's e.g. Debian 10 & Ubuntu 18.04 where PHP 7.1+ is hopefully available!
 nextcloud_src_file: nextcloud_{{ nextcloud_orig_src_file }}
 
 # we install on mysql with these setting or those from default_vars, etc.

roles/nextcloud/tasks/F18.yml

@@ -9,7 +9,7 @@
     url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}"
     dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
     timeout: "{{ download_timeout }}"
-  when: internet_available
+  when: internet_available | bool
 
 - name: Copy it to permanent location /opt
   unarchive:

roles/nextcloud/tasks/main.yml

@@ -14,18 +14,31 @@
 # - debug:
 #     msg: "nextcloud_force_install: {{ nextcloud_force_install }}"
 
-- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }} to {{ downloads_dir }}/{{ nextcloud_src_file }}
+- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }} to {{ downloads_dir }}/{{ nextcloud_src_file_old }} on older OS's lacking PHP 7.1+
+  get_url:
+    url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file_old }}"
+    dest: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}"
+    timeout: "{{ download_timeout }}"
+    force: yes
+    #validate_certs: False    # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954
+  #async: 1800
+  #poll: 10
+  tags:
+    - download
+  when: internet_available and nextcloud_force_install and (is_debian_9 or is_raspbian_9)
+
+- name: Download {{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }} to {{ downloads_dir }}/{{ nextcloud_src_file }} on newer OS's that have PHP 7.1+
   get_url:
     url: "{{ nextcloud_dl_url }}/{{ nextcloud_orig_src_file }}"
     dest: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
     timeout: "{{ download_timeout }}"
     force: yes
     #validate_certs: False    # TEMPORARY ON/AFTER 2018-07-22 AS download.nextcloud.com CERT EXPIRED: https://github.com/iiab/iiab/issues/954
-  when: internet_available and nextcloud_force_install
   #async: 1800
   #poll: 10
   tags:
     - download
+  when: internet_available and nextcloud_force_install and not (is_debian_9 or is_raspbian_9)
 
 # Ubuntu and Debian treat names differently
 - name: Install 3 php packages (debian)
@@ -35,7 +48,7 @@
       - "php{{ php_version }}-mbstring"
       - "php{{ php_version }}-zip"
     state: present
-  when: is_debian
+  when: is_debian | bool
 
 # Ubuntu and Debian treat names differently
 - name: Install 4 php packages (ubuntu)
@@ -46,7 +59,7 @@
       - php-zip
       - php-mbstring
     state: present
-  when: is_ubuntu
+  when: is_ubuntu | bool
 
 - name: Install 5 more php packages (debuntu)
   package:
@@ -57,7 +70,7 @@
       - "php{{ php_version }}-curl"
       - "php{{ php_version }}-intl"
     state: present
-  when: is_debuntu
+  when: is_debuntu | bool
 
 - name: 'Install php{{ php_version }}-mcrypt IF this is a "pre-2018" distro in the debuntu family. NOTE: PHP 7.1 deprecated mcrypt 1-Dec-2016 and PHP 7.2 dropped it completely 30-Nov-2017, as it should no longer be nec.'
   package:
@@ -83,20 +96,27 @@
       # CentOS does not have a package for php-imagick
       #- php-imagick
     state: present
-  when: is_redhat
+  when: is_redhat | bool
 
-- name: Unarchive {{ nextcloud_src_file }} to permanent location {{ nextcloud_prefix }}/nextcloud    # e.g. unpack nextcloud_latest-14.tar.bz2 to /opt/nextcloud
+- name: Unarchive {{ nextcloud_src_file_old }} to permanent location {{ nextcloud_prefix }}/nextcloud on older OS's lacking PHP 7.1+    # e.g. unpack nextcloud_latest-15.tar.bz2 to /opt/nextcloud
+  unarchive:
+    src: "{{ downloads_dir }}/{{ nextcloud_src_file_old }}"
+    dest: "{{ nextcloud_prefix }}"
+    #creates: "{{ nextcloud_prefix }}/nextcloud/version.php"
+  when: nextcloud_force_install and (is_debian_9 or is_raspbian_9)
+
+- name: Unarchive {{ nextcloud_src_file }} to permanent location {{ nextcloud_prefix }}/nextcloud on newer OS's that have PHP 7.1+    # e.g. unpack nextcloud_latest-16.tar.bz2 to /opt/nextcloud
   unarchive:
     src: "{{ downloads_dir }}/{{ nextcloud_src_file }}"
     dest: "{{ nextcloud_prefix }}"
     #creates: "{{ nextcloud_prefix }}/nextcloud/version.php"
-  when: nextcloud_force_install
+  when: nextcloud_force_install and not (is_debian_9 or is_raspbian_9)
 
 - name: Create dir /etc/nextcloud (centos) for a subsequent config dir that's symlinked to /etc/nextcloud ?
   file:
     path: /etc/nextcloud
     state: directory
-  when: is_centos
+  when: is_centos | bool
 
 - name: Install {{ nextcloud_prefix }}/nextcloud/config/autoconfig.php from template (centos)
   template:
@@ -105,7 +125,7 @@
     owner: "{{ apache_user }}"
     group: "{{ apache_user }}"
     mode: 0640
-  when: is_centos
+  when: is_centos | bool
 
 - name: chown -R {{ apache_user }}:{{ apache_user }} {{ nextcloud_prefix }}/nextcloud
   file:
@@ -146,7 +166,7 @@
 #  service:
 #    name: "{{ apache_service }}"
 #    state: restarted
-## when: nextcloud_enabled     # taken care of by nextcloud_enabled.yml below
+## when: nextcloud_enabled | bool    # taken care of by nextcloud_enabled.yml below
 #  when: not nextcloud_enabled
 
 # Enables or disable Nextcloud!

roles/nextcloud/tasks/nextcloud_enabled.yml

@@ -11,7 +11,7 @@
     owner: root
     group: root
     mode: 0644
-  when: nextcloud_enabled
+  when: nextcloud_enabled | bool
 
 - name: Create symlink nextcloud.conf from sites-enabled to sites-available for http://box/nextcloud (debuntu)
   file:

roles/nodered/meta/main.yml

@@ -1,3 +1,2 @@
  dependencies:
-     - { role: nodejs, tags: ['nodejs'], when: nodered_install }
+     - { role: nodejs, tags: ['nodejs'], when: nodered_install | bool }
-

roles/nodered/tasks/main.yml

@@ -14,7 +14,7 @@
   package:
     name: nodered
     state: absent
-  when: nodered_install
+  when: nodered_install | bool
 
 # 2012-02-13: the 6 RPi stanzas below recreate Raspbian Desktop's Node-RED
 # environment, inspired by:
@@ -159,7 +159,7 @@
     owner: root
     group: root
     mode: 0666
-  when: nodered_install
+  when: nodered_install | bool
 
 - name: Install Apache's sites-available/nodered.conf from template
   template:
@@ -169,7 +169,7 @@
     owner: root
     group: root
     mode: 0666
-  when: nodered_install
+  when: nodered_install | bool
 
 - name: Create symlink nodered.conf from sites-enabled to sites-available, for short URL http://box/nodered (if nodered_enabled)
   file:
@@ -178,7 +178,7 @@
     owner: root
     group: root
     state: link
-  when: nodered_enabled
+  when: nodered_enabled | bool
 
 - name: Remove symlink /etc/apache2/sites-enabled/nodered.conf (if not nodered_enabled)
   file:
@@ -190,14 +190,14 @@
   apache2_module:
     state: present
     name: proxy_wstunnel
-  when: nodered_install
+  when: nodered_install | bool
 
 - name: Restart Apache service ({{ apache_service }}) to enable/disable http://box/nodered (not just http://box:{{ nodered_port }}/nodered)
   systemd:
     #daemon_reload: yes
     name: "{{ apache_service }}"    # httpd or apache2
     state: restarted
-  when: nodered_install
+  when: nodered_install | bool
 
 - name: Enable & (Re)start 'nodered' systemd service (if nodered_enabled)
   systemd:
@@ -205,7 +205,7 @@
     name: nodered
     enabled: yes
     state: restarted
-  when: nodered_enabled
+  when: nodered_enabled | bool
 
 - name: Disable & Stop 'nodered' systemd service (if not nodered_enabled)
   systemd:

roles/nodogsplash/tasks/main.yml

@@ -1,3 +1,3 @@
 - name: Install nodogsplash (Raspbian only)
   include_tasks: rpi.yml
-  when: is_rpi
+  when: is_rpi | bool

roles/nodogsplash/tasks/rpi.yml

@@ -8,7 +8,7 @@
      url: "{{ iiab_download_url }}/{{ nodogsplash_arm_deb }}"
      dest: "{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"
      timeout: "{{ download_timeout }}"
-  when: internet_available
+  when: internet_available | bool
   #async: 300
   #poll: 5
 
@@ -43,7 +43,7 @@
     name: nodogsplash
     enabled: yes
     state: started
-  when: nodogsplash_enabled
+  when: nodogsplash_enabled | bool
 
 - name: Disable 'nodogsplash' systemd service, if not nodogsplash_enabled
   systemd:

roles/openvpn/defaults/main.yml

@@ -1,12 +1,15 @@
-openvpn_install: True
+# openvpn_install: True
-openvpn_enable: False
+# openvpn_enabled: False
 
 # For /etc/iiab/openvpn_handle
-openvpn_handle: ""
+# openvpn_handle: ""
 
 # cron seems necessary on CentOS:
-openvpn_cron_enabled: False
+# openvpn_cron_enabled: False
 
-openvpn_server: xscenet.net
+# openvpn_server: xscenet.net
-openvpn_server_virtual_ip: 10.8.0.1
+# openvpn_server_virtual_ip: 10.8.0.1
-openvpn_server_port: 1194
+# openvpn_server_port: 1194
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

roles/openvpn/tasks/main.yml

@@ -13,7 +13,7 @@
     regexp: "{{ item.regexp }}"
     path: /root/.ssh/authorized_keys
     #backup: yes
-  when: openvpn_install
+  when: openvpn_install | bool
   with_items:
     - regexp: "LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s=$" # Tim Moody
       pubkey: "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhlQIh8ZPx4awdM0O6QNcPbx3qIZ39FHjF2YJ2SX3z7iLnYiz03Ek6Bux9P4HvaVAqlApiz2I68Vq8TfU2s/+LvCSAAcfYIdZPR4ePVpVUZ/IbkGjpQSoRMa5HuVjMO3cZNR27ptqjNjq2husJOyhMFCOBTzo4thioGyTpBr4u3s="
@@ -72,9 +72,10 @@
     - { src: 'announcer.j2', dest: '/etc/openvpn/scripts/announcer', mode: '0755' }
     - { src: 'silence', dest: '/etc/openvpn/scripts/silence', mode: '0755' }
     - { src: 'xscenet.conf.j2', dest: '/etc/openvpn/xscenet.conf', mode: '0644' }
+    - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
+    - { src: 'iiab-support', dest: '/usr/bin/iiab-support', mode: '0755' }
     - { src: 'iiab-remote-on.j2', dest: '/usr/bin/iiab-remote-on', mode: '0755' }
     - { src: 'iiab-remote-off', dest: '/usr/bin/iiab-remote-off', mode: '0755' }
-    - { src: 'openvpn_handle.j2', dest: '/etc/iiab/openvpn_handle', mode: '0644' }
     # Comment out in future?  Not recommended as of August 2018:
     - { src: 'iiab-handle.j2', dest: '/usr/bin/iiab-handle', mode: '0755' }
     # Obsolete & unused for ~2 years as of August 2018:
@@ -86,6 +87,18 @@
     # Obsolete & unused for ~2 years as of August 2018:
     #- { src: 'iiab-vpn.j2', dest: '/usr/bin/iiab-vpn', mode: '0755' }
 
+- name: Create iiab-support-on (symlink to iiab-support for now)
+  file:
+    src: /usr/bin/iiab-support
+    path: /usr/bin/iiab-support-on
+    state: link
+
+- name: Create iiab-support-off (symlink to iiab-remote-off for now)
+  file:
+    src: /usr/bin/iiab-remote-off
+    path: /usr/bin/iiab-support-off
+    state: link
+
 - name: Create iiab-vpn-on (symlink to iiab-remote-on for now)
   file:
     src: /usr/bin/iiab-remote-on
@@ -104,17 +117,16 @@
 #  template:
 #    src: up_wan
 #    dest: /usr/lib/iiab/up_wan
-#  when: is_debuntu
+#  when: is_debuntu | bool
 
-# Comment out in future?  Contained serious bug (15-openvpn called
+# Contained serious bug (15-openvpn called up-wan instead of up_wan in
-# up-wan instead of up_wan in /usr/lib/iiab/ as of August 2018) so
+# /usr/lib/iiab/ as of August 2018) so evidently unused for ~2 years:
-# evidently unused for ~2 years:
+#- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
-- name: Install NM dispatcher.d (for older OS's only, where OpenVPN doesn't auto-start openvpn@xscenet)
+#  template:
-  template:
+#    src: 15-openvpn
-    src: 15-openvpn
+#    dest: /etc/NetworkManager/dispatcher.d/
-    dest: /etc/NetworkManager/dispatcher.d/
+#  #when: not is_debuntu    # CONDITION APPEARS TOO BROAD
-  #when: not is_debuntu    # CONDITION APPEARS TOO BROAD
+#  when: False              # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
-  when: False              # ADD/ITEMIZE ANY OS'S HERE, WHERE TRULY NEC (e.g. older CentOS, if running older OpenVPN?)
 
 # Was obsolete/unused for ~2 years as of August 2018: (replaced by /etc/openvpn/xscenet.conf)
 #- name: Check for manually configured OpenVPN tunnel
@@ -166,7 +178,7 @@
     daemon_reload: yes
     enabled: yes
     state: restarted    # 2018-09-02: Should we be concerned that "systemctl status openvpn" often shows "active (exited)" ?  If so we might consider "state: started" or "state: reloaded" instead?
-  when: openvpn_enabled
+  when: openvpn_enabled | bool
 
 - name: Enable hourly cron job for OpenVPN (starts CHILD service openvpn@xscenet, typically for CentOS only?)
   lineinfile:

roles/openvpn/templates/iiab-handle.j2

@@ -1,20 +1,35 @@
 #!/bin/bash
-# DEPRECATED interactive script (over)writes /etc/iiab/openvpn_handle file, identifying client to server
 
-echo -e '\nCORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
+echo -e "\n\n\e[41m             DEPRECATED           PLEASE RUN 'iiab-support' INSTEAD             \e[0m\n\n"
-echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
 
-echo -e "Or, for a temporary solution until the next time Ansible is run,"
+echo -e 'This older script TEMPORARILY (over)writes /etc/iiab/openvpn_handle to'
-read -p "what OpenVPN handle do you want to use? " ans
+echo -e 'identify IIAB to the upstream OpenVPN server, until Ansible next runs.\n'
+
+#echo -e 'CORRECT METHOD: CHANGE VARIABLE openvpn_handle IN /etc/iiab/local_vars.yml'
+#echo -e 'THEN RUN "cd /opt/iiab/iiab" THEN "./runrole openvpn"\n'
+
+echo -e 'PLEASE NOW TYPE CTRL-C TO QUIT.  Or, if you really want it temporary until the'
+read -p 'next time Ansible is run, what OpenVPN handle do you want? ' ans
 echo
 
-if [ "$ans" == "" ]; then
+if [ "$ans" != "" ]; then
-    if [ -f /etc/iiab/openvpn_handle ]; then
-        rm -f /etc/iiab/openvpn_handle
-    fi
-else
     echo $ans > /etc/iiab/openvpn_handle
+    echo -e "\nYour machine's openvpn_handle is TEMPORARILY now set... \n"
+else
+    echo -e "\nWARNING: your machine's openvpn_handle remains unchanged...\n"
 fi
+
+echo -e "Restarting OpenVPN daemon...\n"
+
+# 2019-05-09: removing /etc/iiab/openvpn_handle (or setting it to "") are both very bad practices
+#if [ "$ans" == "" ]; then
+#    if [ -f /etc/iiab/openvpn_handle ]; then
+#        rm -f /etc/iiab/openvpn_handle
+#    fi
+#else
+#    echo $ans > /etc/iiab/openvpn_handle
+#fi
+
 {{ systemctl_program }} restart openvpn@xscenet
 # This would also work: (but would bounce all VPN connections, if others exist, causing unnec disruption if so)
 #{{ systemctl_program }} restart openvpn

roles/openvpn/templates/iiab-remote-on.j2

@@ -3,11 +3,14 @@
 # /usr/bin/iiab-remote-on should turn on multiple remote support services like
 # OpenVPN and others, for remote support, so they work even after reboot.
 
-echo -e '\nWARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
+echo -e "\n\n\e[44m                    CONSIDER RUNNING 'iiab-support' INSTEAD                     \e[0m\n\n"
+
+echo -e 'WARNING: To enable OpenVPN long-term, it'"'"'s recommended you:\n'
 
 echo -e '1) Set these variables in /etc/local/local_vars.yml'
 echo -e '   openvpn_install: True'
-echo -e '   openvpn_enabled: True\n'
+echo -e '   openvpn_enabled: True'
+echo -e '   openvpn_handle: <descriptive-name-for-your-machine>\n'
 
 echo -e '2) Run:'
 echo -e '   cd /opt/iiab/iiab'

roles/openvpn/templates/iiab-support

@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# openvpn_handle is stored in 2 files on disk, one slightly stripped down (from
+# the other) due to Ansible.  So we emulate Ansible's behavior, when reading from
+# (and later writing to) disk, removing outer cruft as explained on Lines 27-29:
+handle1=$(grep "^openvpn_handle:" /etc/iiab/local_vars.yml | sed -e "s/^openvpn_handle://; s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+echo -e "\n/etc/iiab/local_vars.yml source/master copy: $handle1"
+if [ -f /etc/iiab/openvpn_handle ]; then
+    handle2=$(cat /etc/iiab/openvpn_handle)
+    echo -e "/etc/iiab/openvpn_handle for openvpn daemon: $handle2\n"
+else
+    echo -e "/etc/iiab/openvpn_handle for openvpn daemon: [FILE DOESN'T YET EXIST]\n"
+fi
+
+echo -e "\e[1mPlease type a descriptive OpenVPN machine name (openvpn_handle) such as:\n"
+
+echo -e "                     cape-town-school-36-rpi-2019-05-31\n"
+
+echo -en "Or hit [Enter] to keep the existing name:\e[0m "
+read ans < /dev/tty
+
+#if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -f /etc/iiab/openvpn_handle ] ); then
+# -v (below) checks if var's defined: equivalent to file existence test above
+if [ "$ans" != "" ] || ( [ "$handle1" = "" ] && [ ! -v handle2 ] ); then
+    if grep -q '^openvpn_handle:' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_handle:.*/openvpn_handle: $ans/" /etc/iiab/local_vars.yml
+    else
+        echo "openvpn_handle: $ans" >> /etc/iiab/local_vars.yml
+    fi
+
+    # BEHAVIOR JUST LIKE ANSIBLE'S: create /etc/iiab/openvpn_handle from the
+    # "^openvpn_handle:" line in /etc/iiab/local_vars.yml by (1) removing outer
+    # spacing IF NEC, then (2) removing 1 pair of matching outer quotes IF NEC:
+    ans=$(echo $ans | sed -e "s/^\s*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
+    echo $ans > /etc/iiab/openvpn_handle
+    echo -e "\n\e[1mSAVED: openvpn_handle recorded into both above files.\e[0m\n"
+elif [ "$handle1" != "$handle2" ]; then    # Sloppily, but conveniently here,
+    # bash treats "$handle2" as "" when var undefined, catching all conflicts!
+    echo -e "\n\e[41mYou MUST specify an OpenVPN machine name (openvpn_handle) to resolve the above\e[0m"
+    echo -e "\e[41mnaming conflict. Please rerun to proceed.\e[0m\n"
+    exit 1
+else
+    echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n"
+fi
+
+if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then
+    echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
+else
+    echo -e "Please wait a few minutes as IIAB Stage 1 (1-prep) & OpenVPN are installed...\n"
+    if grep -q '^openvpn_install:' /etc/iiab/local_vars.yml; then
+        sed -i "s/^openvpn_install:.*/openvpn_install: True/" /etc/iiab/local_vars.yml
+    else
+        echo "openvpn_install: True" >> /etc/iiab/local_vars.yml
+    fi
+    cd /opt/iiab/iiab
+    ./runrole 1-prep
+    echo
+fi
+
+echo -e "Now let's (re)enable OpenVPN...\n"
+if grep -q '^openvpn_enabled:' /etc/iiab/local_vars.yml; then
+    sed -i "s/^openvpn_enabled:.*/openvpn_enabled: True/" /etc/iiab/local_vars.yml
+else
+    echo "openvpn_enabled: True" >> /etc/iiab/local_vars.yml
+fi
+systemctl enable openvpn
+
+echo -e "\nNow let's restart OpenVPN..."
+#systemctl start openvpn
+systemctl restart openvpn
+
+echo -en "\n    "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\n  1. Check your Internet connection: run 'ping 8.8.8.8' and 'ping mit.edu'"
+echo -e "  2. Check your OpenVPN connection: run 'ping 10.8.0.1'"
+echo -e "  3. Run 'ip a' and look for a 'tun0' IP address like 10.8.0.x"
+echo -e "  4. If necessary, run 'systemctl restart openvpn' which should"
+echo -e "     run 'systemctl restart openvpn@xscenet' for you."
+echo -e "  5. Sometimes waiting a minute helps -- retry steps 2 and 3 to monitor."
+echo -e "  6. If in future you want to disable OpenVPN connections to-and-from your"
+echo -e "     Internet-in-a-Box (IIAB) please run 'iiab-support-off' at that time."
+echo -e "  7. Read 'How can I remotely manage my Internet-in-a-Box?' at"
+echo -e "     http://FAQ.IIAB.IO to learn about DIY remote support alternatives"
+echo -e "     like ngrok, serveo, remot3.it and TeamViewer.\n"
+
+echo -en "    "
+for i in {16..40} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+echo -en " OpenVPN TIPS "
+for i in {40..16} ; do echo -en "\e[48;5;${i}m \e[0m" ; done
+
+echo -e "\n\nNow let's wait 15 seconds, as OpenVPN handshake sometimes needs that (or more!)"
+sleep 15
+
+echo -en "\nYour OpenVPN machine name (openvpn_handle) is: \e[32m"
+cat /etc/iiab/openvpn_handle
+echo -en "\e[0m"
+
+vpnip=$(ip a | grep tun0$ | awk '{print $2}')
+if [ "$vpnip" != "" ]; then
+    echo -e "\nYour OpenVPN IP address (which can change) is: \e[32m$vpnip\e[0m\n"
+else
+    echo -e "\n \e[41m       ERROR: OpenVPN IP address not ready - PLEASE TRY THE ABOVE TIPS        \e[0m\n"
+fi

roles/osm-vector-maps/defaults/main.yml

@@ -0,0 +1,8 @@
+# osm_vector_maps_install: True
+# osm_vector_maps_enabled: True
+
+# iiab_map_url : http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
+# vector_map_path: "{{ content_base }}/www/osm-vector-maps"
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

roles/osm-vector-maps/files/map_functions.js

@@ -1,16 +1,16 @@
-// osm_functions.js  -- (non authoritative see below) src = iiab/roles/files/
+// map_functions.js  -- (non authoritative see below) src = iiab/roles/files/
 // copyright 2019 George Hunt
-// CAUTION -- this file is duplicate to admin-console/console/files/js/osm_fuctions.js -- please think of admin-console as authoritative
+// CAUTION -- this file is duplicate to admin-console/console/files/js/map_functions.js -- please think of admin-console as authoritative
 //     Placed here in duplicate to ease debugging, and simplify dependences
 
 var regionGeojson = {};
 var regionList = [];
 var regionInstalled = [];
 var commonAssetsDir = '/common/assets/';
-var mapAssetsDir = '/osm-vector/maplist/assets/';
+var mapAssetsDir = '/osm-vector-maps/maplist/assets/';
 var iiab_config_dir = '/etc/iiab/';
 var onChangeFunc = "setSize";
-var osmCatalog = {};
+var mapCatalog = {};
 
 // following 2 lines an experiment to see if test page and console can be common
 //var jquery = require("./assets/jquery.min");
@@ -19,7 +19,7 @@ var osmCatalog = {};
 function getOsmStat(){
   // called during the init
   console.log('in getOsmStat');
-  readOsmCatalog( true ); // we want checkboxes
+  readMapCatalog( true ); // we want checkboxes
   readOsmIdx();
 }
   
@@ -27,25 +27,25 @@ function readOsmIdx(){
 	//consoleLog ("in readOsmIdx");
   var resp = $.ajax({
     type: 'GET',
-    url: consoleJsonDir + 'osm-vector-idx.json',
+    url: consoleJsonDir + 'osm-vector-maps-idx.json',
     dataType: 'json'
   })
   .done(function( data ) {
-  	osmInstalled = data['regions'];
+  	mapInstalled = data['regions'];
    regionInstalled = [];
    for (region in data['regions']) {
     if (data['regions'].hasOwnProperty(region)) {
         regionInstalled.push(region);
     }
 }
-    //consoleLog(osmInstalled + '');
+    //consoleLog(mapInstalled + '');
   })
   .fail(jsonErrhandler);
 
   return resp;
 }
 
-function readOsmCatalog(checkbox){
+function readMapCatalog(checkbox){
    checkbox = checkbox || true;
 	console.log ("in readOsmCalalog");
    regionList = [];
@@ -56,11 +56,11 @@ function readOsmCatalog(checkbox){
   })
   .done(function( data ) {
   	 regionJson = data;
-    osmCatalog = regionJson['regions'];
+    mapCatalog = regionJson['regions'];
-    for(var key in osmCatalog){
+    for(var key in mapCatalog){
-      //console.log(key + '  ' + osmCatalog[key]['title']);
+      //console.log(key + '  ' + mapCatalog[key]['title']);
-      osmCatalog[key]['name'] = key;
+      mapCatalog[key]['name'] = key;
-      regionList.push(osmCatalog[key]);
+      regionList.push(mapCatalog[key]);
     }
   })
   .fail(jsonErrhandler);
@@ -120,13 +120,13 @@ function genRegionItem(region,checkbox) {
 function instOsmItem(name) {
   var command = "INST-OSM-VECT-SET";
   var cmd_args = {};
-  cmd_args['osm_vect_id'] = name;
+  cmd_args['map_vect_id'] = name;
   cmd = command + " " + JSON.stringify(cmd_args);
   sendCmdSrvCmd(cmd, genericCmdHandler);
-  osmDownloading.push(name);
+  mapDownloading.push(name);
-  if ( osmWip.indexOf(name) != -1 )
+  if ( mapWip.indexOf(name) != -1 )
-     osmWip.push(osmCatalog[name]);
+     mapWip.push(mapCatalog[name]);
-  console.log('osmWip: ' + osmWip);
+  console.log('mapWip: ' + mapWip);
   return true;
 }
 
@@ -161,19 +161,19 @@ function updateOsmSpace(cb){
 }
 
 function updateOsmSpaceUtil(region, checked){
-  var size =  parseInt(osmCatalog[region].size);
+  var size =  parseInt(mapCatalog[region].size);
 
   var modIdx = selectedOsmItems.indexOf(region);
 
   if (checked){
     if (regionInstalled.indexOf(region) == -1){ // only update if not already installed mods
-      sysStorage.osm_selected_size += size;
+      sysStorage.map_selected_size += size;
       selectedOsmItems.push(region);
     }
   }
   else {
     if (modIdx != -1){
-      sysStorage.osm_selected_size -= size;
+      sysStorage.map_selected_size -= size;
       selectedOsmItems.splice(modIdx, 1);
     }
   }
@@ -188,29 +188,29 @@ function totalSpace(){
   $( ".extract" ).each(function(ind,elem){
     var data = JSON.parse($(this).attr('data-region'));
     var region = data.name;
-    var size = parseInt(osmCatalog[region]['size']);
+    var size = parseInt(mapCatalog[region]['size']);
     var chk = $( this ).find(':checkbox').prop("checked") == true;
     if (chk && typeof size !== 'undefined')
         sum += size;
     });
    var ksize = sum / 1000;
-  $( "#osmDiskSpace" ).html(readableSize(ksize));
+  $( "#mapDiskSpace" ).html(readableSize(ksize));
 }
 
 $( '#instOsmRegion').on('click', function(evnt){
-   readOsmCatalog();
+   readMapCatalog();
-   osm.render();
+   map.render();
 });
 */
 function renderOsm(){
    console.log('in renderOsm');
-   window.map.setTarget($("#osm-container")[0]);
+   window.map.setTarget($("#map-container")[0]);
    window.map.render();
    renderRegionList(true);
 }
 function initOsm(){
 var dummy = 0;
-   sysStorage.osm_selected_size = 0;
+   sysStorage.map_selected_size = 0;
-   $.when(readOsmCatalog(true)).then(renderRegionList);
+   $.when(readMapCatalog(true)).then(renderRegionList);
 }
 

roles/osm-vector-maps/files/test-index.redirect

@@ -0,0 +1,4 @@
+<head> 
+  <meta http-equiv="refresh" content="0; URL=/osm-vector-maps/maplist/" />
+</head>
+

roles/osm-vector-maps/tasks/main.yml

@@ -0,0 +1,85 @@
+- name: Make sure the osm-vector-maps directory exists
+  file:
+    path: '{{ vector_map_path }}/maplist/assets'
+    state: directory
+    owner: '{{ apache_user }}'
+    group: '{{ apache_user }}'
+    mode: '0755'
+
+- name: Fetch the catalog for osm maps
+  get_url:
+    url: "{{ iiab_map_url }}/assets/regions.json"
+    dest: '{{ vector_map_path }}/maplist/assets/'
+
+- name: Create a link to osm catalog in /common/assets
+  file:
+    src: "{{ vector_map_path }}/maplist/assets/regions.json"
+    dest: "{{ doc_root }}/common/assets/regions.json"
+    state: link
+
+- name: Fetch the javascript bundle with openlayers for test page
+  get_url:
+    url: "{{ iiab_map_url }}/../main.js"
+    dest: '{{ vector_map_path }}/maplist/'
+
+- name: Fetch the index.html for test page
+  template:
+    src: "index.html"
+    dest: '{{ vector_map_path }}/maplist/index.html'
+
+# Bboxes (bounding boxes) are currently square.  But geofabrik has non-rectangular bboxes.
+# So bring the bounding box definition from cloud (bboxes.geojson is big)
+- name: Fetch the bounding box description for osm maps
+  get_url:
+    url: "{{ iiab_map_url }}/assets/bboxes.geojson"
+    dest: '{{ vector_map_path }}/maplist/assets/'
+
+- name: Install python-geojson package, that helps with geojson
+  package:
+    name: python-geojson
+    state: present
+
+- name: Install the script to update osm catalog
+  template:
+    src: iiab-update-map
+    dest: /usr/bin/iiab-update-map
+    mode: "0755"
+
+# This depends on iiab-admin-console which is not yet installed
+#- name: Run the script that does osm-vector-maps housekeeping
+#  shell: /usr/bin/iiab-update-map
+
+- name: Copy the Countries geojson to assets
+  copy:
+    src: countries.json
+    dest: '{{ vector_map_path }}/maplist/assets'
+
+#  It is too complicated to use a single file for both iiab and admin-console
+- name: Copy the duplicated javascript to assets
+  copy:
+    src: map_functions.js
+    dest: '{{ vector_map_path }}/maplist/assets'
+
+- name: Install /etc/{{ apache_config_dir }}/osm-vector-maps.conf from template
+  template:
+    src: osm-vector-maps.conf
+    dest: "/etc/{{ apache_config_dir }}/osm-vector-maps.conf"
+
+- name: Create symlink osm-vector-maps.conf from sites-enabled to sites-available (debuntu, not nec for redhat)
+  file:
+    src: /etc/apache2/sites-available/osm-vector-maps.conf
+    path: /etc/apache2/sites-enabled/osm-vector-maps.conf
+    state: link
+  when: osm_vector_maps_enabled and is_debuntu
+
+- name: Remove symlink /etc/apache2/sites-enabled/osm-vector-maps.conf (debuntu)
+  file:
+    path: /etc/apache2/sites-enabled/osm-vector-maps.conf
+    state: absent
+  when: not osm_vector_maps_enabled and is_debuntu
+
+- name: Copy the redirect to the test page -- delete this if more than one map
+  copy:
+    src: test-index.redirect
+    dest: "{{ vector_map_path }}/index.html"
+