diff --git a/roles/lokole/README.rst b/roles/lokole/README.rst index 824202d07..bb73d370d 100644 --- a/roles/lokole/README.rst +++ b/roles/lokole/README.rst @@ -14,9 +14,56 @@ The Lokole is a simple email client that offers functionality like: Using It -------- -Lokole should be accessible at http://box/lokole +The Lokole web app can be accessed at http://box/lokole. + +Administration +-------------- + +Every Lokole installation has an admin account named ``admin``. By default, the password is ``changeme``. + +Administrators can: + +- Suspend and reinstate user accounts +- Change passwords of user accounts (TODO: admin accounts too?) +- Promote users to the admin role + +All of these actions can be performed from the page http://box/lokole/users. + +Account Suspension +~~~~~~~~~~~~~~~~~~ + +Administrators have the ability to suspend and reinstate other users' accounts. This functionality is useful for dealing with harassment, cyberbullying, and other forms of abuse. + +Password Changes +~~~~~~~~~~~~~~~~ + +In the event of a data breach, administrators can update a user's password to a random string. The user can then log in using this temporary password and change. This functionality is also useful in the case that a user forgets their password. + +Promoting and Demoting Users +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Admins can grant and revoke admin privileges for other users. + +Creating an Admin Account +~~~~~~~~~~~~~~~~~~~~~~~~~ + +To create a new admin account, run the following command:: + + ./manage.py createadmin [--name | -n] [--password | -p] + +(TODO what working directory?) + +Resetting the Database +~~~~~~~~~~~~~~~~~~~~~~ + +TODO + +Troubleshooting +--------------- + +TODO Known Issues ------------ -Please see `#1282 `_. +For an up-to-date list of open issues, please see the `Lokole project's issue tracker `_. 
diff --git a/roles/lokole/The Lokole-IIAB User's Manual.pdf b/roles/lokole/The Lokole-IIAB User's Manual.pdf new file mode 100644 index 000000000..5ae9a1cc1 Binary files /dev/null and b/roles/lokole/The Lokole-IIAB User's Manual.pdf differ diff --git a/roles/lokole/defaults/main.yml b/roles/lokole/defaults/main.yml index b1272ad1b..b4cfd59be 100644 --- a/roles/lokole/defaults/main.yml +++ b/roles/lokole/defaults/main.yml @@ -1,5 +1,7 @@ # Info needed to install Lokole -lokole_version: "0.1.24" +lokole_version: "0.1.26" +lokole_admin_user: admin # lowercase seems nec here (even though uppercase Admin/changeme is IIAB's OOB recommendation!) +lokole_admin_password: changeme lokole_install_path: "{{ content_base }}/lokole" # /library/lokole lokole_venv: "{{ lokole_install_path }}/venv" # /library/lokole/venv diff --git a/roles/lokole/tasks/install.yml b/roles/lokole/tasks/install.yml index 68f368fdb..988a3bf7e 100644 --- a/roles/lokole/tasks/install.yml +++ b/roles/lokole/tasks/install.yml @@ -53,6 +53,13 @@ tags: - configure +- name: Create admin user + shell: | + . {{ lokole_run_directory }}/webapp_secrets.sh + {{ lokole_venv }}/bin/manage.py createadmin --name='{{ lokole_admin_user }}' --password='{{ lokole_admin_password }}' + tags: + - configure + - name: Install unit file /etc/systemd/system/lokole.service from template template: src: lokole.service.j2 diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 333cf855e..07e6cca59 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
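Review bot: `lokole_admin_password: changeme` in roles/lokole/defaults/main.yml gives every install the same documented admin credential unless the operator overrides it, and nothing on the line says that an override is expected. Per the README in this commit, that account can suspend users, change their passwords and promote other admins. Consider shipping no usable default and failing the play when the variable is unset. At minimum, put the requirement next to the value: `lokole_admin_password: changeme  # MUST be overridden in local_vars.yml before deployment`. The comment on `lokole_admin_user` explains the lowercase spelling, but the password line has no guidance.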
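Review bot: The `Create admin user` task in roles/lokole/tasks/install.yml places `{{ lokole_admin_user }}` and `{{ lokole_admin_password }}` inside hand-written single quotes on a `shell:` line, so a value containing `'` ends the quoting and the rest is parsed by the shell. Use the `quote` filter instead: `--name={{ lokole_admin_user | quote }} --password={{ lokole_admin_password | quote }}`. The password is also a command-line argument, so add `no_log: True` to keep it out of Ansible output; it stays visible in the process list while manage.py runs unless createadmin can read it another way, which this page does not show. The task has no `changed_when:` or existence check, so it presumably runs on every configure pass. Whether a second run fails or resets the password is not visible here and should be confirmed.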
@@ -90,24 +90,28 @@ gui_wan: True adm_cons_force_ssl: False adm_cons_allow_downloads: False +# Enables "campus access" to kiwix (3000), kalite (8008) & calibre (8010 or +# 8080) on WAN side of server. See network/templates/gateway/iiab-gen-iptables +# within github.com/iiab/iiab/blob/master/roles/ +services_externally_visible: True + # Gateway and Filters -# Most all implementations set "iiab_gateway_enabled: False" within +# Most all implementations use "iiab_gateway_enabled: False" within # local_vars.yml as they cannot afford Internet access for students # and teachers, and the many associated IT/support/training costs. -iiab_gateway_enabled: True +iiab_gateway_enabled: False gw_squid_whitelist: False gw_block_https: False -# dhcpd -dhcpd_install: True +dhcpd_install: False dhcpd_enabled: False -# named -named_install: True +# named (BIND) +named_install: False named_enabled: False block_DNS: False -# dnsmasq +# dnsmasq - handles DHCP and DNS dnsmasq_install: True dnsmasq_enabled: True @@ -117,8 +121,8 @@ dns_jail_enabled: False # Python-based Captive Portal, that @m-anish & @jvonau experimented with in # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt # extensively refined later in 2018 (PRs #1179, #1300, #1327). -captive_portal_install: True -captive_portal_enabled: True +captive_portal_install: False +captive_portal_enabled: False captive_portal_port: 9090 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO @@ -126,7 +130,6 @@ captive_portal_port: 9090 # (prior to IIAB 6.7, this had used https://github.com/iiab/iiab-menu) js_menu_install: True -# Wonder Shaper # Unmaintained as of October 2017: https://github.com/iiab/iiab/pull/382 wondershaper_install: False wondershaper_enabled: False 
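Review bot: Defaulting `services_externally_visible` to True in the first hunk of vars/default_vars.yml means any install that does not override it opens kiwix (3000), kalite (8008) and calibre (8010 or 8080) on the WAN side, going by the comment added with it. `services_externally_visible: False` would be the least-exposure default, with campus deployments opting in through local_vars.yml. If True has to stay so that it matches the local_vars_*.yml files (which show True as context later in this diff), the comment should state the consequence, for example `# NOTE: True exposes these ports on the WAN interface; set False unless the upstream network is trusted`. The same hunk turns `iiab_gateway_enabled` off by default, so the two defaults now pull in opposite directions and a one-line explanation would help.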
@@ -152,14 +155,12 @@ wan_nameserver: # 1-PREP -# sshd sshd_enabled: True # roles/iiab-admin runs here # SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install, # iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash -# OpenVPN openvpn_install: True openvpn_enabled: False # For /etc/iiab/openvpn_handle @@ -184,7 +185,6 @@ exFAT_enabled: True # 3-BASE-SERVER -# httpd (Apache) # Make this False to disable http://box/common/services/power_off.php button: apache_allow_sudo: True # For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147 @@ -204,11 +204,9 @@ mysql_root_password: fixmysql # DNS prep (dnsmasq, named &/or dhcpd) run here. The full network stage runs # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network") -# Squid squid_install: False squid_enabled: False -# DansGuardian dansguardian_install: False dansguardian_enabled: False @@ -228,12 +226,11 @@ iiab_home_url: /home postgresql_install: False postgresql_enabled: False -# authserver authserver_install: False authserver_enabled: False # Common UNIX Printing System (CUPS) -cups_install: True +cups_install: False cups_enabled: False # Samba. Take a security audit seriously before deploying this. 
@@ -272,36 +269,30 @@ idmgr_enables: False # 6-GENERIC-APPS -# DokuWiki dokuwiki_install: False dokuwiki_enabled: False -# MediaWiki mediawiki_install: False mediawiki_enabled: False -# Elgg -elgg_install: True +elgg_install: False elgg_enabled: False # elgg_mysql_password: $6$iiab51$jeTwnATcbaa92xo0QBTgjLBU.5aVDDrbKeNyyC99R/TAWz6pvfzj.L7lfnOVVjD78nxqT.gkNn6XZmuRV0W3o1 elgg_mysql_password: elgg4kids -# ejabberd ejabberd_install: False ejabberd_enabled: False -# Lokole (email) -lokole_install: True +# Lokole (email for rural communities) from https://ascoderu.ca +lokole_install: False lokole_enabled: False -# Nextcloud -nextcloud_install: True +nextcloud_install: False nextcloud_enabled: False -# WordPress -wordpress_install: True -wordpress_enabled: False # If using WordPress intensively, set apache_high_php_limits in 3-BASE-SERVER +wordpress_install: False +wordpress_enabled: False # 7-EDU-APPS @@ -317,26 +308,22 @@ kalite_user: kalite kalite_password_hash: $6$$KHET0XRRsgAY.wOWyTOI3W7dyDh0ESOr48uI5vtk2xdzsU7aw0TF4ZkNuM34RmHBGMJ1fTCmOyVobo0LOhBlJ/ kalite_password: kalite -# Kolibri kolibri_install: False kolibri_enabled: False kolibri_http_port: 8009 -# Kiwix kiwix_install: True kiwix_enabled: True kiwix_port: 3000 iiab_zim_path: /library/zims -# Moodle moodle_install: False moodle_enabled: False # If using Moodle intensively, set apache_high_php_limits in 3-BASE-SERVER -# Sugarizer # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957 -sugarizer_install: True +sugarizer_install: False sugarizer_enabled: False sugarizer_port: 8089 
@@ -344,8 +331,8 @@ sugarizer_port: 8089 # 8-MGMT-TOOLS # Transmission is a BitTorrent downloader for large Content Packs etc -transmission_install: True -transmission_enabled: True +transmission_install: False +transmission_enabled: False # Transmission download directory & general owner/group transmission_download_dir: "{{ content_base }}/transmission/" # /library/transmission/ @@ -382,11 +369,9 @@ transmission_kalite_languages: transmission_username: Admin transmission_password: changeme -# AWStats - summarizes http access logs awstats_install: True -awstats_enabled: False +awstats_enabled: True -# Monit monit_install: False monit_enabled: False watchdog: @@ -397,17 +382,15 @@ watchdog: - postgresql - squid -# Munin munin_install: True -munin_enabled: False +munin_enabled: True # Handy for maintaining tables, but DANGEROUS if not locked down phpmyadmin_install: False phpmyadmin_enabled: False -# vnStat vnstat_install: True -vnstat_enabled: False +vnstat_enabled: True # 9-LOCAL-ADDONS 
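Review bot: Who can reach the AWStats, Munin and vnStat pages is not stated near the lines that now turn them on by default (`awstats_enabled: True`, `munin_enabled: True`, `vnstat_enabled: True`, in the second and third hunks of this 8-MGMT-TOOLS section). The same hunks delete the comments that said what each tool is, including `# AWStats - summarizes http access logs`. Whether these pages are restricted to administrators cannot be determined from this diff. I would keep the descriptive comments and add the access expectation, e.g. `# AWStats - summarizes http access logs; confirm its pages are admin-only before enabling`. The blocks for these settings continue outside the hunks.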
@@ -432,53 +415,53 @@ calibre_web_path: calibre #NEEDS WORK: https://github.com/iiab/iiab/issues/529 # program, so we recommend you also install Calibre (above!) # Calibre-Web alternative to Calibre, offers a clean/modern UX -calibreweb_install: True -calibreweb_enabled: True +calibreweb_install: False +calibreweb_enabled: False calibreweb_port: 8083 # http://box/books works. Add {box/libros, box/livres, box/livros, box/liv} etc? calibreweb_url: /books calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web -# PLEASE CONSIDER THESE 2 NEW OPENSTREETMAP APPROACHES INSTEAD, AS OF 2018: +# CONSIDER THESE 2 NEW OPENSTREETMAP (OSM) APPROACHES INSTEAD, AS OF 2018: # - http://download.iiab.io/content/OSM/vector-tiles/ # - http://oer2go.org/viewmod/en-worldmap-10 # # DOWNLOAD EITHER OSM MANUALLY, OR BETTER YET TRY IIAB'S ADMIN CONSOLE: # http://box/admin -> Install Content -> Get OER2GO(RACHEL) Modules # -# OpenStreetMap (OSM) legacy - unmaintained: +# Unmaintained: # osm_install: False # osm_enabled: False # Changed in June 2017, from the original: # iiab_install: True # iiab_enabled: False -# TeamViewer - unmaintained (better to install from http://teamviewer.com or prep scripts at http://download.iiab.io) +# Unmaintained (better to install from http://teamviewer.com or prep scripts at http://download.iiab.io) # teamviewer_install: False # teamviewer_enabled: False -# Docker - unmaintained +# Unmaintained # docker_install: False # docker_enabled: False -# SchoolTool - unmaintained +# Unmaintained # schooltool_install: False # schooltool_enabled: False -# Debian SchoolTool - nnmaintained +# Unmaintained # debian_schooltool_install: False # debian_schooltool_enabled: False -# Pathagar - unmaintained (consider Calibre or Calibre-Web above?) +# Unmaintained (consider Calibre or Calibre-Web above?) 
# pathagar_install: False # pathagar_enabled: False -# sugar-stats - unmaintained +# Unmaintained # sugar_stats_install: False # sugar_stats_enabled: False -# XOVis - unmaintained +# Unmaintained # xovis_install: False # xovis_enabled: False # xovis_target_host: "127.0.0.1:5984" @@ -486,20 +469,19 @@ calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web # xovis_db_name: xovis # xovis_db_user: admin # xovis_db_password: admin - # xovis_root: "/opt/xovis" # xovis_backup_dir: "/library/users" # xovis_chart_heading: "My School: Usage Data Visualization" -# ownCloud - unmaintained +# Unmaintained # owncloud_install: False # owncloud_enabled: False -# Ajenti - unmaintained +# Unmaintained # ajenti_install: False # ajenti_enabled: False -# RACHEL - no longer in use +# Unmaintained # rachel_install: False # rachel_enabled: False # rachel_content_found: False diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 78f1baf98..ad599eb5d 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -48,7 +48,14 @@ services_externally_visible: True # Make this True if client machines should have access to WAN/Internet: iiab_gateway_enabled: False -# dnsmasq +dhcpd_install: False +dhcpd_enabled: False + +# named (BIND) +named_install: False +named_enabled: False + +# dnsmasq - handles DHCP and DNS dnsmasq_install: True dnsmasq_enabled: True @@ -174,6 +181,7 @@ elgg_enabled: True ejabberd_install: True ejabberd_enabled: False +# Lokole (email for rural communities) from https://ascoderu.ca lokole_install: True lokole_enabled: True 
@@ -275,14 +283,14 @@ calibreweb_url: /books calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web -# PLEASE CONSIDER THESE 2 NEW OPENSTREETMAP APPROACHES INSTEAD, AS OF 2018: +# CONSIDER THESE 2 NEW OPENSTREETMAP (OSM) APPROACHES INSTEAD, AS OF 2018: # - http://download.iiab.io/content/OSM/vector-tiles/ # - http://oer2go.org/viewmod/en-worldmap-10 # # DOWNLOAD EITHER OSM MANUALLY, OR BETTER YET TRY IIAB'S ADMIN CONSOLE: # http://box/admin -> Install Content -> Get OER2GO(RACHEL) Modules # -# Unmaintained - OpenStreetMap (OSM) legacy +# Unmaintained # osm_install: False # osm_enabled: False diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index a70758e7f..f2260a517 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -48,7 +48,14 @@ services_externally_visible: True # Make this True if client machines should have access to WAN/Internet: iiab_gateway_enabled: False -# dnsmasq +dhcpd_install: False +dhcpd_enabled: False + +# named (BIND) +named_install: False +named_enabled: False + +# dnsmasq - handles DHCP and DNS dnsmasq_install: True dnsmasq_enabled: True @@ -129,7 +136,7 @@ postgresql_enabled: False # authserver_enabled: False # Common UNIX Printing System (CUPS) -cups_install: True +cups_install: False cups_enabled: False # At Your Own Risk: take a security audit seriously before deploying this @@ -174,6 +181,7 @@ elgg_enabled: True ejabberd_install: False ejabberd_enabled: False +# Lokole (email for rural communities) from https://ascoderu.ca lokole_install: False lokole_enabled: False 
@@ -275,14 +283,14 @@ calibreweb_url: /books calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web -# PLEASE CONSIDER THESE 2 NEW OPENSTREETMAP APPROACHES INSTEAD, AS OF 2018: +# CONSIDER THESE 2 NEW OPENSTREETMAP (OSM) APPROACHES INSTEAD, AS OF 2018: # - http://download.iiab.io/content/OSM/vector-tiles/ # - http://oer2go.org/viewmod/en-worldmap-10 # # DOWNLOAD EITHER OSM MANUALLY, OR BETTER YET TRY IIAB'S ADMIN CONSOLE: # http://box/admin -> Install Content -> Get OER2GO(RACHEL) Modules # -# Unmaintained - OpenStreetMap (OSM) legacy +# Unmaintained # osm_install: False # osm_enabled: False diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index 4a2ab3bcf..c267e8603 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -48,7 +48,14 @@ services_externally_visible: True # Make this True if client machines should have access to WAN/Internet: iiab_gateway_enabled: False -# dnsmasq +dhcpd_install: False +dhcpd_enabled: False + +# named (BIND) +named_install: False +named_enabled: False + +# dnsmasq - handles DHCP and DNS dnsmasq_install: True dnsmasq_enabled: True @@ -58,8 +65,8 @@ dns_jail_enabled: False # Python-based Captive Portal, that @m-anish & @jvonau experimented with in # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt # extensively refined later in 2018 (PRs #1179, #1300, #1327). -captive_portal_install: True -captive_portal_enabled: True +captive_portal_install: False +captive_portal_enabled: False # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO # Set to "False" if you want to revert to the older Dynamic Menuing system @@ -174,6 +181,7 @@ elgg_enabled: False ejabberd_install: False ejabberd_enabled: False +# Lokole (email for rural communities) from https://ascoderu.ca lokole_install: False lokole_enabled: False 
@@ -275,14 +283,14 @@ calibreweb_url: /books calibreweb_home: "{{ content_base }}/calibre-web" # /library/calibre-web -# PLEASE CONSIDER THESE 2 NEW OPENSTREETMAP APPROACHES INSTEAD, AS OF 2018: +# CONSIDER THESE 2 NEW OPENSTREETMAP (OSM) APPROACHES INSTEAD, AS OF 2018: # - http://download.iiab.io/content/OSM/vector-tiles/ # - http://oer2go.org/viewmod/en-worldmap-10 # # DOWNLOAD EITHER OSM MANUALLY, OR BETTER YET TRY IIAB'S ADMIN CONSOLE: # http://box/admin -> Install Content -> Get OER2GO(RACHEL) Modules # -# Unmaintained - OpenStreetMap (OSM) legacy +# Unmaintained # osm_install: False # osm_enabled: False