Merge pull request #438 from iiab/master

Sync from iiab/iiab:master
2025-03-09 15:40:17 +00:00 · 2020-10-18 22:42:22 -07:00 · 2020-10-18 22:42:22 -07:00 · 45f345c8ff
commit 45f345c8ff
parent 6b323723e5 83a4638c74
173 changed files with 2332 additions and 2268 deletions
--- a/roles/0-DEPRECATED-ROLES/activity-server/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/activity-server/tasks/main.yml
@ -80,7 +80,7 @@
 # SEE ALSO THE apache2_module SECTION IN roles/httpd/tasks/main.yml
 - name: enable mod_expires for debian
  command: a2enmod expires
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: create the link which enables the site
  file: src=/etc/apache2/sites-available/xs-activity-server.conf
--- a/roles/0-DEPRECATED-ROLES/ajenti/tasks/ajenti-wondershaper.yml
+++ b/roles/0-DEPRECATED-ROLES/ajenti/tasks/ajenti-wondershaper.yml
@ -1,3 +1,3 @@
 - name: Install wondershaper ajenti plugin
  pip: name="{{ iiab_download_url }}"/ajenti-plugin-wondershaper-0.3.tar.gz
-  when: internet_available | bool
+  when: internet_available
--- a/roles/0-DEPRECATED-ROLES/ajenti/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/ajenti/tasks/main.yml
@ -45,7 +45,7 @@
  service: name=ajenti
           enabled=yes
           state=restarted
-  when: ajenti_enabled | bool
+  when: ajenti_enabled
 - name: Add 'ajenti' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/0-DEPRECATED-ROLES/authserver/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/authserver/tasks/main.yml
@ -4,7 +4,7 @@
 - name: Install xs-authserver from pypi
  pip: name=xs-authserver
-  when: internet_available | bool
+  when: internet_available
 - name: install gunicorn
  package: name=python-gunicorn
@ -48,7 +48,7 @@
  service: name=xs-authserver
           state=restarted
           enabled=yes
-  when: authserver_enabled | bool
+  when: authserver_enabled
 - name: Add 'authserver' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/0-DEPRECATED-ROLES/docker/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/docker/tasks/main.yml
@ -4,7 +4,7 @@
  with_items:
    - docker
    - python-docker-py
-  when: docker_install | bool
+  when: docker_install
 - name: put the systemd startup file in place
  template: src=docker.service
@ -31,7 +31,7 @@
  service: name=docker
           state=started
           enabled=true
-  when: docker_enabled | bool
+  when: docker_enabled
 - name: Disable docker
  service: name=docker
--- a/roles/0-DEPRECATED-ROLES/dokuwiki/tasks/enable.yml
+++ b/roles/0-DEPRECATED-ROLES/dokuwiki/tasks/enable.yml
@ -12,7 +12,7 @@
  systemd:
    name: "{{ apache_service }}"
    state: restarted
-  when: apache_enabled | bool
+  when: apache_enabled
 # NGINX
@ -32,7 +32,7 @@
  systemd:
    name: nginx
    state: restarted
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'dokuwiki' variable values to {{ iiab_ini_file }}
--- a/roles/0-DEPRECATED-ROLES/dokuwiki/tasks/install.yml
+++ b/roles/0-DEPRECATED-ROLES/dokuwiki/tasks/install.yml
@ -3,7 +3,7 @@
    url: "{{ iiab_download_url }}/{{ dokuwiki_version }}.tgz"
    dest: "{{ downloads_dir }}/"
    timeout: "{{ download_timeout }}"
-  when: internet_available | bool
+  when: internet_available
 - name: Unarchive (unpack) it to /library/{{ dokuwiki_version }}
  unarchive:
--- a/roles/0-DEPRECATED-ROLES/ejabberd/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/ejabberd/tasks/main.yml
@ -34,7 +34,7 @@
 #    src: ejabberd-iiab.init
 #    dest: /etc/init.d/ejabberd-iiab
 #    mode: 0755
-#  when: is_debuntu | bool
+#  when: is_debuntu
 #- name: Put the startup script in place - non debian
 #  template:
@ -71,7 +71,7 @@
    #name: ejabberd-iiab
    state: restarted
    enabled: yes
-  when: ejabberd_enabled | bool
+  when: ejabberd_enabled
  #when: ejabberd_config.changed and ejabberd_enabled
 #- name: Wait for ejabberd service start
--- a/roles/0-DEPRECATED-ROLES/homepage/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/homepage/tasks/main.yml
@ -18,4 +18,4 @@
  #   src: "/etc/{{ apache_conf_dir }}/iiab-homepage.conf"
  #   path: /etc/apache2/sites-enabled/iiab-homepage.conf
  #   state: link
-  # when: is_debuntu | bool
+  # when: is_debuntu
--- a/roles/0-DEPRECATED-ROLES/idmgr/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/idmgr/tasks/main.yml
@ -42,7 +42,7 @@
  with_items:
    - idmgr
    - xinetd
-  when: xo_services_enabled | bool
+  when: xo_services_enabled
 - name: Disable idmgr service
  service: name={{ item }}
--- a/roles/0-DEPRECATED-ROLES/nodogsplash/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/nodogsplash/tasks/main.yml
@ -1,3 +1,3 @@
 - name: Install nodogsplash (Raspbian only)
  include_tasks: rpi.yml
-  when: is_raspbian | bool
+  when: is_raspbian
--- a/roles/0-DEPRECATED-ROLES/nodogsplash/tasks/rpi.yml
+++ b/roles/0-DEPRECATED-ROLES/nodogsplash/tasks/rpi.yml
@ -8,7 +8,7 @@
     url: "{{ iiab_download_url }}/{{ nodogsplash_arm_deb }}"
     dest: "{{ downloads_dir }}/{{ nodogsplash_arm_deb }}"
     timeout: "{{ download_timeout }}"
-  when: internet_available | bool
+  when: internet_available
  #async: 300
  #poll: 5
@ -43,7 +43,7 @@
    name: nodogsplash
    enabled: yes
    state: started
-  when: nodogsplash_enabled | bool
+  when: nodogsplash_enabled
 - name: Disable 'nodogsplash' systemd service, if not nodogsplash_enabled
  systemd:
--- a/roles/0-DEPRECATED-ROLES/osm/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/osm/tasks/main.yml
@ -7,7 +7,7 @@
      - libapache2-mod-wsgi
      - libapache2-mod-xsendfile
    state: present
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Install 6 OSM required packages (not debuntu)
  package:
@ -110,7 +110,7 @@
    group: root
    mode: 0644
    backup: no
-  when: osm_enabled | bool
+  when: osm_enabled
 - name: Create softlink osm.conf from sites-enabled to sites-available (debuntu)
  file:
@ -144,7 +144,7 @@
    owner: root
    group: root
    state: link
-  when: osm_enabled | bool
+  when: osm_enabled
 - name: Create dir /library/knowledge/modules
  file:
@ -165,7 +165,7 @@
    - { src: 'map.html', dest: "{{ osm_path }}/static/map.html" }
    - { src: 'l.control.geosearch.js', dest: "{{ osm_path }}/static/lib/leaflet/geosearch/l.control.geosearch.js" }
    - { src: "{{ osm_path }}/static/map.html", dest: "{{ osm_path }}/static/index.html" }
-  when: osm_enabled | bool
+  when: osm_enabled
 - name: Restart httpd service
  service:
--- a/roles/0-DEPRECATED-ROLES/owncloud/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/owncloud/tasks/main.yml
@ -4,7 +4,7 @@
 - name: add a repo def for ubuntu
  template: dest=/etc/apt/sources.list.d/
            src=owncloud.list
-  when: is_ubuntu | bool
+  when: is_ubuntu
 - name: See if the owncloud startup page exists
  stat: path={{ owncloud_prefix }}/owncloud/index.php
@ -40,7 +40,7 @@
 - name: Get the owncloud software
  get_url: url={{ iiab_download_url }}/{{ owncloud_src_file }}  dest={{ downloads_dir }}/{{ owncloud_src_file }}
-  when: internet_available | bool
+  when: internet_available
  async: 300
  poll: 5
@ -54,7 +54,7 @@
 - name: Copy it to permanent location /opt
  unarchive: src={{ downloads_dir }}/{{ owncloud_src_file }}
             dest={{ owncloud_prefix }}
-  when: is_F18 | bool
+  when: is_F18
 - name: in Centos, the following config dir is symlink to /etc/owncloud
  file: path=/etc/owncloud
@ -103,7 +103,7 @@
 # Enable owncloud by copying template to httpd config
 - include_tasks: owncloud_enabled.yml
-  when: owncloud_enabled | bool
+  when: owncloud_enabled
 - name: Add 'owncloud' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/0-DEPRECATED-ROLES/pathagar/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/pathagar/tasks/main.yml
@ -29,7 +29,7 @@
    - libapache2-mod-wsgi
    - libxml2-dev
    - libxslt-dev
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: "Install Pathagar prerequisites: mod_wsgi, libxml2-devel, libxslt-devel (not debuntu)"
  package:
@ -78,7 +78,7 @@
    - django-tagging==0.3.1
    - django-sendfile==0.3.6
    - lxml==3.4.4
-  when: internet_available | bool
+  when: internet_available
 - name: Install Pathagar requirements in a virtualenv
  pip:
--- a/roles/0-DEPRECATED-ROLES/schooltool/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/schooltool/tasks/main.yml
@ -41,13 +41,13 @@
  service: name=docker
           state=restarted
           enabled=yes
-  when: schooltool_enabled | bool
+  when: schooltool_enabled
 - name: Enable schooltool
  service: name=schooltool
           state=started
           enabled=yes
-  when: schooltool_enabled | bool
+  when: schooltool_enabled
 - name: Disable schooltool
  service: name=schooltool
--- a/roles/0-DEPRECATED-ROLES/sugar-stats/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/sugar-stats/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Enable sugar-stats service
  service: name=sugar-stats-server
           enabled=yes
-  when: sugar_stats_enabled | bool
+  when: sugar_stats_enabled
 - name: Disable sugar-stats service
  service: name=sugar-stats-server
--- a/roles/0-DEPRECATED-ROLES/sugar-stats/tasks/statistics-consolidation.yml
+++ b/roles/0-DEPRECATED-ROLES/sugar-stats/tasks/statistics-consolidation.yml
@ -4,7 +4,7 @@
 - name: Install statistics-consolidation with pip
  pip: name=stats-consolidation version=2.1.2
-  when: internet_available | bool
+  when: internet_available
 - name: Install required libraries
  package: name={{ item }}
--- a/roles/0-DEPRECATED-ROLES/teamviewer/tasks/install.yml
+++ b/roles/0-DEPRECATED-ROLES/teamviewer/tasks/install.yml
@ -20,7 +20,7 @@
    url: "{{ teamviewer_url }}/{{ teamviewer_rpm_file }}"
    dest: "{{ yum_packages_dir }}/{{ teamviewer_rpm_file }}"
    timeout: "{{ download_timeout }}"
-  when: internet_available | bool
+  when: internet_available
 # F22 has issues with yum localinstall exclude for now
 - name: Do the install of TeamViewer, pulling in any required dependencies
--- a/roles/0-DEPRECATED-ROLES/teamviewer/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/teamviewer/tasks/main.yml
@ -6,7 +6,7 @@
 - name: Install Teamviewer if intel
  include_tasks: install.yml
-  when: teamviewer_install | bool
+  when: teamviewer_install
 - name: Add 'teamviewer' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/0-DEPRECATED-ROLES/xovis/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/xovis/tasks/main.yml
@ -7,7 +7,7 @@
    - python-pip
    - nodejs
    - npm
-  when: internet_available | bool
+  when: internet_available
 - name: Determine if xovis is already downloaded
  stat: path={{ downloadds_dir }}/xovis/xxx
@ -23,7 +23,7 @@
  npm: name=kanso
       global=yes
       path={{ downloads_dir }}
-  when: internet_available | bool
+  when: internet_available
 - name: move the xovis repo into place
  shell: "cp -rp {{ downloads_dir }}/xovis {{ xovis_root }}"
@ -37,7 +37,7 @@
 - name: Install the xovis python dependencies
  pip: requirements={{ xovis_root }}/process_stats/requirements.txt
-  when: internet_available | bool
+  when: internet_available
 - name: Update xovis repo with Chart Heading
  lineinfile: dest="{{ xovis_root }}/index.html" regexp='(.+)<h1>(.*)</h1>' line='\1<h1>{{ xovis_chart_heading }}</h1>' backrefs=yes
@ -49,17 +49,17 @@
  service: name=couchdb
           enabled=yes
           state=started
-  when: xovis_enabled | bool
+  when: xovis_enabled
 - name: Wait for CouchDB to become ready
  wait_for: port=5984
            delay=1
            timeout=5
-  when: xovis_enabled | bool
+  when: xovis_enabled
 - name: Add admin user
  command: curl -X PUT {{ xovis_target_host }}/_config/admins/{{ xovis_db_user }} -d "\"{{ xovis_db_password }}\""
-  when: xovis_enabled | bool
+  when: xovis_enabled
 - name: Check if db exists
  shell: "kanso listdb | grep {{ xovis_db_name }}"
@ -79,7 +79,7 @@
  -d {{ xovis_backup_dir }}
  --deployment {{ xovis_deployment_name }}
  --server http://{{ xovis_db_login }}@{{ xovis_target_host }}"
-  when: xovis_enabled | bool
+  when: xovis_enabled
 - name: Add 'xovis' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/0-init/tasks/hostname.yml
+++ b/roles/0-init/tasks/hostname.yml
@ -13,7 +13,7 @@
 - name: 'Turn the crank for systemd: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}" (debuntu)'
  shell: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Install /etc/sysconfig/network from template (redhat)
  template:
@ -22,7 +22,7 @@
    owner: root
    group: root
    mode: 0644
-  when: is_redhat | bool
+  when: is_redhat
 # roles/network/tasks/hosts.yml [no longer in use] ALSO did this:
 - name: 'Put FQDN & hostnames in /etc/hosts: "127.0.0.1 {{ iiab_hostname }}.{{ iiab_domain }} localhost.localdomain localhost {{ iiab_hostname }} box box.lan"'
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -20,7 +20,7 @@
 # sections once and only once to preserve the install date and git hash.
 - name: Create IIAB tools and {{ iiab_ini_file }}, if first_run
  include_tasks: first_run.yml
-  when: first_run | bool
+  when: first_run
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
@ -94,7 +94,7 @@
 - name: Set port 443 for Admin Console if adm_cons_force_ssl
  set_fact:
    gui_port: 443
-  when: adm_cons_force_ssl | bool
+  when: adm_cons_force_ssl
 - name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
  set_fact:
@ -108,7 +108,7 @@
 - name: Set hostname if FQDN_changed
  include_tasks: hostname.yml
-  when: FQDN_changed | bool
+  when: FQDN_changed
 - name: Add 'runtime' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@ -13,8 +13,8 @@
 # by various scripts, possibly bypassing 0-init?  Either way, risks abound :/
 # 1. "Ansible 2.8+ ADVISORY: avoid warnings by using 'when: var | bool' for
-# top-level BARE vars (in case they're strings, instead of boolean)"
+# top-level BARE vars (in case they're strings, instead of boolean)" per #1632.
-# https://github.com/iiab/iiab/issues/1632
+# 2020-10-16: NO LONGER NEC, SEE: https://github.com/iiab/iiab/pull/2576
 # 2. "How Exactly Does Ansible Parse Boolean Variables?"
 # https://stackoverflow.com/questions/47877464/how-exactly-does-ansible-parse-boolean-variables/47877502#47877502
@ -32,6 +32,10 @@
 # ~18 words too WILL FAIL as strings (as will any non-empty string...so beware
 # casting strings to boolean later on...can make the situation worse!)
 # https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.8.html#bare-variables-in-conditionals
 #
 # 2020-07-08 - Excellent analysis & summary by Jon Spriggs: "In Ansible,
 # determine the type of a value, and casting those values to other types"
 # https://jon.sprig.gs/blog/post/1801
 # 3. "How do i fail a task in Ansible if the variable contains a boolean value?
 # I want to perform input validation for Ansible playbooks"
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@ -5,7 +5,7 @@
 - name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
  include_tasks: roles/network/tasks/dnsmasq.yml
-  #when: dnsmasq_install | bool    # Flag might be used in future?
+  #when: dnsmasq_install    # Flag might be used in future?
 - name: Install uuid-runtime package (debuntu)
  package:
@ -13,7 +13,7 @@
      - uuid-runtime
      - sudo
    state: present
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Does /etc/iiab/uuid file exist?
  stat:
@ -79,17 +79,17 @@
 - name: SSHD
  include_role:
    name: sshd
-  when: sshd_install | bool
+  when: sshd_install
 - name: IIAB-ADMIN
  include_role:
    name: iiab-admin
-  #when: iiab_admin_install | bool    # Flag might be created in future?
+  #when: iiab_admin_install    # Flag might be created in future?
 - name: OPENVPN
  include_role:
    name: openvpn
-  when: openvpn_install | bool
+  when: openvpn_install
 # Debian 10 "Buster" is apparently enabling AppArmor in 2019:
 # https://wiki.debian.org/AppArmor/Progress
@ -102,7 +102,7 @@
    name: apparmor
    enabled: False
    state: stopped
-  when: is_ubuntu | bool
+  when: is_ubuntu
  ignore_errors: True
 - name: Disable SELinux on next boot (OS's other than debuntu)
--- a/roles/2-common/tasks/iptables.yml
+++ b/roles/2-common/tasks/iptables.yml
@ -30,7 +30,7 @@
  package:
    name: iptables-persistent
    state: present
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Install package iptables-services (OS's other than debuntu)
  package:
@ -51,4 +51,4 @@
    src: iptables
    dest: /etc/network/if-pre-up.d/iptables
    mode: '0755'
-  when: is_debuntu | bool
+  when: is_debuntu
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -12,7 +12,7 @@
      - xml-common
      - yum-utils
    state: present
-  when: is_redhat | bool
+  when: is_redhat
 - name: "Install 6 deb/apt packages: avahi-daemon, exfat-fuse, exfat-utils, inetutils-syslogd, libnss-mdns, wpasupplicant (debuntu)"
  package:
@ -25,9 +25,9 @@
      - libnss-mdns
      - wpasupplicant
    state: present
-  when: is_debuntu | bool
+  when: is_debuntu
- name: "Install 23 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget"
+- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget"
  package:
    name:
      - acpid
@ -52,7 +52,7 @@
      - rsync
      #- screen    # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
      - sqlite3
-      - sudo
+      #- sudo    # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
      - tar
      - unzip
      #- usbmount    # Moved to roles/usb_lib/tasks/install.yml
--- a/roles/2-common/tasks/yum-historical.yml
+++ b/roles/2-common/tasks/yum-historical.yml
@ -13,18 +13,18 @@
 - name: get the createrepo program
  package: name=createrepo
           state=present
-  when: is_redhat | bool
+  when: is_redhat
 - name: Create local repo
  shell: createrepo {{ yum_packages_dir }}
-  when: is_redhat | bool
+  when: is_redhat
 - name: Install local repo file.
  template: dest=/etc/yum.repos.d/iiab-local.repo
            src=local.repo
            owner=root
            mode=0644
-  when: is_redhat | bool
+  when: is_redhat
 - name: Install yum packages
  package: name={{ item }}
@ -36,7 +36,7 @@
   - linux-firmware
   - syslog
   - xml-common
-  when: is_redhat | bool
+  when: is_redhat
 - name: Install yum packages for Debian
  package: name={{ item }}
@ -44,7 +44,7 @@
  with_items:
    - inetutils-syslogd
    - wpasupplicant
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Install common packages
  package: name={{ item }}
@ -82,7 +82,7 @@
   - glibc # CVE-2015-7547
   - bash
   - iptables
-  when: is_redhat | bool
+  when: is_redhat
 - name: Update common packages  (debian)
  package: name={{ item }}
@ -91,7 +91,7 @@
   - libc6
   - bash
   - iptables
-  when: is_debuntu | bool
+  when: is_debuntu
 # instuctions state to start with a fully updated system before starting, stop using
--- a/roles/3-base-server/tasks/main.yml
+++ b/roles/3-base-server/tasks/main.yml
@ -6,7 +6,7 @@
 - name: MYSQL
  include_role:
    name: mysql
-  #when: mysql_install | bool
+  #when: mysql_install
 # 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
 #
@ -22,12 +22,12 @@
 - name: NGINX
  include_role:
    name: nginx
-  #when: nginx_install | bool
+  #when: nginx_install
 - name: WWW_BASE (WWW_OPTIONS should be installed later)
  include_role:
    name: www_base
-  #when: www_base_install | bool    # Flag might be created in future?
+  #when: www_base_install    # Flag might be created in future?
 - name: Recording STAGE 3 HAS COMPLETED =====================
  lineinfile:
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -16,25 +16,25 @@
 - name: Install pylibs (IIAB's python libs)
  include_role:
    name: pylibs
-  #when: pylibs_install | bool    # Flag might be created in future?
+  #when: pylibs_install    # Flag might be created in future?
 # Also run by roles/1-prep/tasks/main.yml as required by OpenVPN.
 - name: SSHD
  include_role:
    name: sshd
-  when: sshd_install | bool
+  when: sshd_install
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
-  when: named_install | bool
+  when: named_install
 - name: Install dhcpd
  include_tasks: roles/network/tasks/dhcpd.yml
-  when: dhcpd_install | bool
+  when: dhcpd_install
 - name: Install Squid (and DansGuardian if dansguardian_install)
  include_tasks: roles/network/tasks/squid.yml
-  when: squid_install | bool
+  when: squid_install
 - name: Install Bluetooth - only on Raspberry Pi
  include_role:
@ -44,17 +44,17 @@
 - name: USB_LIB
  include_role:
    name: usb_lib
-  when: usb_lib_install | bool
+  when: usb_lib_install
 - name: CUPS
  include_role:
    name: cups
-  when: cups_install | bool
+  when: cups_install
 - name: SAMBA
  include_role:
    name: samba
-  when: samba_install | bool
+  when: samba_install
 # 2020-02-17: What was roles/homepage lives in roles/www_options
 # 2020-10-08: Softcoded iiab_home_url should work (e.g. using local_vars.yml or
@ -65,7 +65,7 @@
 - name: WWW_OPTIONS (WWW_BASE should have been installed earlier)
  include_role:
    name: www_options
-  #when: www_options_install | bool    # Flag might be created in future?
+  #when: www_options_install    # Flag might be created in future?
 - name: Recording STAGE 4 HAS COMPLETED ==================
  lineinfile:
--- a/roles/6-generic-apps/tasks/main.yml
+++ b/roles/6-generic-apps/tasks/main.yml
@ -24,47 +24,47 @@
 - name: ELGG
  include_role:
    name: elgg
-  when: elgg_install | bool
+  when: elgg_install
 - name: GITEA
  include_role:
    name: gitea
-  when: gitea_install | bool
+  when: gitea_install
 - name: LOKOLE
  include_role:
    name: lokole
-  when: lokole_install | bool
+  when: lokole_install
 - name: MEDIAWIKI
  include_role:
    name: mediawiki
-  when: mediawiki_install | bool
+  when: mediawiki_install
 - name: MOSQUITTO
  include_role:
    name: mosquitto
-  when: mosquitto_install | bool
+  when: mosquitto_install
 - name: NODE-RED
  include_role:
    name: nodered
-  when: nodered_install | bool
+  when: nodered_install
 - name: NEXTCLOUD
  include_role:
    name: nextcloud
-  when: nextcloud_install | bool
+  when: nextcloud_install
 - name: PBX
  include_role:
    name: pbx
-  when: pbx_install | bool
+  when: pbx_install
 - name: WORDPRESS
  include_role:
    name: wordpress
-  when: wordpress_install | bool
+  when: wordpress_install
 - name: Recording STAGE 6 HAS COMPLETED ====================
  lineinfile:
--- a/roles/7-edu-apps/tasks/main.yml
+++ b/roles/7-edu-apps/tasks/main.yml
@ -6,27 +6,27 @@
 - name: KALITE
  include_role:
    name: kalite
-  when: kalite_install | bool
+  when: kalite_install
 - name: KOLIBRI
  include_role:
    name: kolibri
-  when: kolibri_install | bool
+  when: kolibri_install
 - name: KIWIX
  include_role:
    name: kiwix
-  when: kiwix_install | bool
+  when: kiwix_install
 - name: MOODLE
  include_role:
    name: moodle
-  when: moodle_install | bool
+  when: moodle_install
 - name: OSM-VECTOR-MAPS
  include_role:
    name: osm-vector-maps
-  when: osm_vector_maps_install | bool
+  when: osm_vector_maps_install
 # UNMAINTAINED
 - name: OSM
@ -43,7 +43,7 @@
 - name: SUGARIZER
  include_role:
    name: sugarizer
-  when: sugarizer_install | bool
+  when: sugarizer_install
 - name: Recording STAGE 7 HAS COMPLETED ========================
  lineinfile:
--- a/roles/8-mgmt-tools/tasks/main.yml
+++ b/roles/8-mgmt-tools/tasks/main.yml
@ -6,32 +6,32 @@
 - name: TRANSMISSION
  include_role:
    name: transmission
-  when: transmission_install | bool
+  when: transmission_install
 - name: AWSTATS
  include_role:
    name: awstats
-  when: awstats_install | bool
+  when: awstats_install
 - name: MONIT
  include_role:
    name: monit
-  when: monit_install | bool
+  when: monit_install
 - name: MUNIN
  include_role:
    name: munin
-  when: munin_install | bool
+  when: munin_install
 - name: PHPMYADMIN
  include_role:
    name: phpmyadmin
-  when: phpmyadmin_install | bool
+  when: phpmyadmin_install
 - name: VNSTAT
  include_role:
    name: vnstat
-  when: vnstat_install | bool
+  when: vnstat_install
 - name: Recording STAGE 8 HAS COMPLETED ======================
  lineinfile:
--- a/roles/9-local-addons/tasks/main.yml
+++ b/roles/9-local-addons/tasks/main.yml
@ -6,29 +6,29 @@
 - name: INTERNETARCHIVE
  include_role:
    name: internetarchive
-  when: internetarchive_install | bool
+  when: internetarchive_install
 # Is porting to Python 3 complete, and if so does this belong elsewhere?
 - name: CAPTIVE PORTAL
  include_role:
    name: captiveportal
-  when: captiveportal_install | bool
+  when: captiveportal_install
 - name: MINETEST
  include_role:
    name: minetest
-  when: minetest_install | bool
+  when: minetest_install
 # KEEP AT THE END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
  include_role:
    name: calibre
-  when: calibre_install | bool
+  when: calibre_install
 - name: CALIBRE-WEB
  include_role:
    name: calibre-web
-  when: calibreweb_install | bool
+  when: calibreweb_install
 - name: Recording STAGE 9 HAS COMPLETED ====================
  lineinfile:
--- a/roles/awstats/tasks/apache.yml
+++ b/roles/awstats/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box/awstats and/or http://box/awstats/awstats.pl via Apache
  command: a2ensite awstats.conf
-  when: awstats_enabled | bool
+  when: awstats_enabled
 - name: Disable http://box/awstats and/or http://box/awstats/awstats.pl via Apache
  command: a2dissite awstats.conf
--- a/roles/awstats/tasks/install.yml
+++ b/roles/awstats/tasks/install.yml
@ -2,7 +2,7 @@
 #
 # - Prepare for a possible future w/o Apache by verifying/refining below...
 #   - 5 'when: apache_installed is defined'
-#   - 1 'when: nginx_install | bool'
+#   - 1 'when: nginx_install'
 #   - 8 core stanzas w/o such 'when:' clauses
 - name: 'Install 3 packages: awstats, openssl, pwauth'
@ -98,7 +98,7 @@
  template:
    src: cgi-bin.php
    dest: /etc/nginx/
-  when: nginx_install | bool
+  when: nginx_install
 # RECORD AWStats AS INSTALLED
--- a/roles/awstats/tasks/main.yml
+++ b/roles/awstats/tasks/main.yml
@ -30,7 +30,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'awstats' variable values to {{ iiab_ini_file }}
--- a/roles/awstats/tasks/nginx.yml
+++ b/roles/awstats/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: awstats-nginx.conf
    dest: "{{ nginx_conf_dir }}/"    # /etc/nginx/conf.d
-  when: awstats_enabled | bool
+  when: awstats_enabled
 - name: Disable http://box/awstats via NGINX, by removing {{ nginx_conf_dir }}/awstats-nginx.conf
  file:
--- a/roles/azuracast/tasks/install.yml
+++ b/roles/azuracast/tasks/install.yml
@ -25,7 +25,7 @@
    dest: "{{ azuracast_host_dir }}/"
    timeout: "{{ download_timeout }}"
    mode: 0755
-  when: internet_available | bool
+  when: internet_available
 - name: AzuraCast - Download AzuraCast's docker-compose.yml sample from GitHub to {{ azuracast_host_dir }}
  get_url: 
@ -33,7 +33,7 @@
    dest: "{{ azuracast_host_dir }}/docker-compose.yml"
    timeout: "{{ download_timeout }}"
    mode: 0755
-  when: internet_available | bool
+  when: internet_available
 - name: AzuraCast - Make changes to docker.sh script so it runs headless
  lineinfile:
--- a/roles/bluetooth/tasks/enable.yml
+++ b/roles/bluetooth/tasks/enable.yml
@ -31,7 +31,7 @@
    name: bt-pan
    enabled: yes
    state: restarted
-  when: bluetooth_enabled | bool
+  when: bluetooth_enabled
 - name: Disable 'bt-pan' service
  systemd:
@ -47,7 +47,7 @@
    name: bt-term
    enabled: yes
    state: restarted
-  when: bluetooth_term_enabled | bool
+  when: bluetooth_term_enabled
 - name: Disable 'bt-term' service
  systemd:
--- a/roles/calibre-web/tasks/apache.yml
+++ b/roles/calibre-web/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box{{ calibreweb_url1 }}, http://box{{ calibreweb_url2 }}, http://box{{ calibreweb_url3 }} via Apache    # http://box/books, http://box/libros, http://box/livres
  command: a2ensite calibre-web.conf
-  when: calibreweb_enabled | bool
+  when: calibreweb_enabled
 - name: Disable http://box{{ calibreweb_url1 }}, http://box{{ calibreweb_url2 }}, http://box{{ calibreweb_url3 }} via Apache
  command: a2dissite calibre-web.conf
--- a/roles/calibre-web/tasks/install.yml
+++ b/roles/calibre-web/tasks/install.yml
@ -33,7 +33,7 @@
    force: yes
    depth: 1
    version: "{{ calibreweb_version }}"    # e.g. master, 0.6.5
-  when: internet_available | bool
+  when: internet_available
 ## Ansible Pip Bug: Cannot use 'chdir' with 'env' https://github.com/ansible/ansible/issues/37912 (Patch landed)
 #- name: Download calibre-web dependencies into vendor subdirectory.
@ -50,7 +50,7 @@
    virtualenv: "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
    virtualenv_site_packages: no
    virtualenv_command:  python3 -m venv {{ calibreweb_venv_path }}
-  when: internet_available | bool
+  when: internet_available
 - name: Install /etc/systemd/system/calibre-web.service from template
  template:
@ -80,7 +80,7 @@
    - roles/calibre-web/files/metadata.db
    - roles/calibre-web/files/metadata_db_prefs_backup.json
  when: not metadatadb.stat.exists
-  #when: calibreweb_provision | bool
+  #when: calibreweb_provision
 - name: Provision/Copy default admin settings to {{ calibreweb_config }}/app.db IF metadata.db did not exist
  copy:
@ -91,7 +91,7 @@
    mode: '0644'
    backup: yes
  when: not metadatadb.stat.exists
-  #when: calibreweb_provision | bool
+  #when: calibreweb_provision
 # RECORD Calibre-Web AS INSTALLED
--- a/roles/calibre-web/tasks/main.yml
+++ b/roles/calibre-web/tasks/main.yml
@ -30,7 +30,7 @@
    daemon_reload: yes
    enabled: yes
    state: restarted
-  when: calibreweb_enabled | bool
+  when: calibreweb_enabled
 - name: Disable & Stop 'calibre-web' systemd service, if not calibreweb_enabled
  systemd:
@ -45,7 +45,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'calibre-web' variable values to {{ iiab_ini_file }}
--- a/roles/calibre-web/tasks/nginx.yml
+++ b/roles/calibre-web/tasks/nginx.yml
@ -5,7 +5,7 @@
  template:
    src: calibre-web-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/calibre-web-nginx.conf"    # /etc/nginx/conf.d
-  when: calibreweb_enabled | bool
+  when: calibreweb_enabled
 - name: Disable http://box{{ calibreweb_url1 }} via NGINX, by removing {{ nginx_conf_dir }}/calibre-web-nginx.conf
  file:
--- a/roles/calibre/tasks/install.yml
+++ b/roles/calibre/tasks/install.yml
@ -14,7 +14,7 @@
 #
 #- name: Install Calibre via .debs (if Raspbian)
 #  command: scripts/calibre-install-latest-rpi.sh    # WORKED for Calibre 3.33.1 on 2018-10-23.  And Calibre 3.28 on 2018-07-26 (PR #971).  Likewise for Calibre 3.26.x.  FAILED with Calibre 3.24+ ("calibre : Depends: python-pyqt5 (>= 5.10.1+dfsg-2) but 5.10.1+dfsg-1+rpi1 is to be installed") since June 2018.
-#  when: is_raspbian | bool
+#  when: is_raspbian
 # 2020-04-29: Can work *IF* you do 'apt install python2' and change top line
 # of /opt/iiab/downloads/calibre-installer.py from '#!/usr/bin/env python2'
--- a/roles/calibre/tasks/main.yml
+++ b/roles/calibre/tasks/main.yml
@ -44,7 +44,7 @@
    name: calibre-serve
    enabled: yes
    state: restarted
-  when: calibre_enabled | bool
+  when: calibre_enabled
 - name: Disable & Stop 'calibre-serve' service, if not calibre_enabled
  systemd:
@ -59,7 +59,7 @@
 #
 #- name: Enable/Disable/Restart NGINX if primary
 #  include_tasks: nginx.yml
-#  when: nginx_enabled | bool
+#  when: nginx_enabled
 - name: Add 'calibre' variable values to {{ iiab_ini_file }}
--- a/roles/calibre/tasks/py-installer.yml
+++ b/roles/calibre/tasks/py-installer.yml
@ -12,7 +12,7 @@
    backup: yes
    timeout: "{{ download_timeout }}"
  register: calibre_download_output
-  when: internet_available | bool
+  when: internet_available
 # ALWAYS DEFINED, DESPITE get_url DOCUMENTATION CLAIM...
 # - debug:
@ -53,4 +53,4 @@
  shell: "{{ downloads_dir }}/calibre-installer.py >> /dev/null"
  #args:
  #  creates: /usr/bin/calibre-uninstall
-  when: internet_available | bool
+  when: internet_available
--- a/roles/captiveportal/tasks/enable-or-disable.yml
+++ b/roles/captiveportal/tasks/enable-or-disable.yml
@ -15,7 +15,7 @@
  template:
    src: captiveportal.ini.j2
    dest: /etc/uwsgi/apps-enabled/captiveportal.ini
-  when: captiveportal_enabled | bool
+  when: captiveportal_enabled
 - name: Delete /etc/uwsgi/apps-enabled/captiveportal.ini (if not captiveportal_enabled)
  file:
@ -28,7 +28,7 @@
    src: /etc/nginx/sites-available/capture.conf
    path: /etc/nginx/sites-enabled/capture.conf
    state: link
-  when: captiveportal_enabled | bool
+  when: captiveportal_enabled
 - name: Delete symlink /etc/nginx/sites-enabled/capture.conf to disable NGINX to location definitions for checkurls (if not captiveportal_enabled)
  file:
@ -38,7 +38,7 @@
 - name: Run iiab-divert-to-nginx to generate diversion lists for NGINX
  shell: /usr/sbin/iiab-divert-to-nginx
-  when: captiveportal_enabled | bool
+  when: captiveportal_enabled
 - name: Delete /etc/dnsmasq.d/capture to make sure dnsmasq is not diverting (if not captiveportal_enabled)
  file:
@ -60,10 +60,10 @@
  systemd:
    name: dnsmasq
    state: stopped
-  when: dnsmasq_enabled | bool
+  when: dnsmasq_enabled
 - name: Start 'dnsmasq' systemd service (if dnsmasq_enabled)
  systemd:
    name: dnsmasq
    state: started
-  when: dnsmasq_enabled | bool
+  when: dnsmasq_enabled
--- a/roles/cups/tasks/enable-or-disable.yml
+++ b/roles/cups/tasks/enable-or-disable.yml
@ -1,6 +1,6 @@
 - name: Enable http://box/cups via Apache (MIGHT NOT WORK?)
  command: a2ensite cups.conf
-  when: cups_enabled | bool
+  when: cups_enabled
 - name: Disable http://box/cups via Apache
  command: a2dissite cups.conf
@ -18,7 +18,7 @@
  with_items:
    - cups
    - cups-browsed
-  when: cups_enabled | bool
+  when: cups_enabled
  #when: cups_enabled and not is_F18
 # - name: Enable & Start 'cups' systemd service (Fedora 18, for XO laptops)
@ -30,7 +30,7 @@
 - name: Permit headless admin of CUPS -- only works when CUPS daemon is running (if cups_enabled)
  shell: "cupsctl --remote-admin"
-  when: cups_enabled | bool
+  when: cups_enabled
 - name: Disable & Stop 'cups' & 'cups-browsed' systemd services (OS's other than Fedora 18)
  systemd:
--- a/roles/elgg/tasks/apache.yml
+++ b/roles/elgg/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box{{ elgg_url }} via Apache    # http://box/elgg
  command: a2ensite elgg.conf
-  when: elgg_enabled | bool
+  when: elgg_enabled
 - name: Disable http://box{{ elgg_url }} via Apache    # http://box/elgg
  command: a2dissite elgg.conf
--- a/roles/elgg/tasks/install.yml
+++ b/roles/elgg/tasks/install.yml
@ -34,7 +34,7 @@
    url: "{{ iiab_download_url }}/elgg-{{ elgg_version }}.zip"
    dest: "{{ downloads_dir }}"
    timeout: "{{ download_timeout }}"
-  when: internet_available | bool
+  when: internet_available
 - name: Check for existence of /opt/elgg-{{ elgg_version }}/index.php
  stat:
--- a/roles/elgg/tasks/main.yml
+++ b/roles/elgg/tasks/main.yml
@ -31,7 +31,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'elgg' variable values to {{ iiab_ini_file }}
--- a/roles/elgg/tasks/nginx.yml
+++ b/roles/elgg/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: elgg-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/elgg-nginx.conf"    # /etc/nginx/conf.d
-  when: elgg_enabled | bool
+  when: elgg_enabled
 - name: Disable http://box{{ elgg_url }} via NGINX, by removing {{ nginx_conf_dir }}/elgg-nginx.conf    # http://box/elgg
  file:
--- a/roles/elgg/tasks/setup.yml
+++ b/roles/elgg/tasks/setup.yml
@ -28,7 +28,7 @@
    name: "{{ dbname }}"
    state: import
    target: /tmp/elggdb.sql
-  when: create_elgg_database.changed | bool
+  when: create_elgg_database.changed
 - name: Remove database dump /tmp/elggdb.sql
  file:
--- a/roles/gitea/tasks/apache.yml
+++ b/roles/gitea/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box{{ gitea_url }} via Apache    # http://box/gitea
  command: a2ensite gitea.conf
-  when: gitea_enabled | bool
+  when: gitea_enabled
 - name: Disable http://box{{ gitea_url }} via Apache    # http://box/gitea
  command: a2dissite gitea.conf
--- a/roles/gitea/tasks/install.yml
+++ b/roles/gitea/tasks/install.yml
@ -48,13 +48,13 @@
    url: "{{ gitea_download_url }}"
    dest: "{{ gitea_install_path }}"
    mode: '0775'
-  when: internet_available | bool
+  when: internet_available
 - name: Download Gitea GPG signature
  get_url:
    url: "{{ gitea_integrity_url }}"
    dest: "{{ gitea_checksum_path }}"
-  when: internet_available | bool
+  when: internet_available
 - name: Verify Gitea binary with GPG signature
  shell: |
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -30,7 +30,7 @@
    daemon_reload: yes
    enabled: yes
    state: restarted
-  when: gitea_enabled | bool
+  when: gitea_enabled
 - name: Disable & Stop 'gitea' systemd service, if not gitea_enabled
  systemd:
@ -45,7 +45,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'gitea' to list of services at {{ iiab_ini_file }}
--- a/roles/gitea/tasks/nginx.yml
+++ b/roles/gitea/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: gitea-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/gitea-nginx.conf"    # /etc/nginx/conf.d
-  when: gitea_enabled | bool
+  when: gitea_enabled
 - name: Disable http://box{{ gitea_url }} via NGINX, by removing {{ nginx_conf_dir }}/gitea-nginx.conf
  file:
--- a/roles/httpd/tasks/homepage.yml
+++ b/roles/httpd/tasks/homepage.yml
@ -10,7 +10,7 @@
 - name: "IN CASE NGINX IS DISABLED: Enable IIAB pages via Apache (e.g. on port 80) by running 'a2ensite iiab-homepage.conf'"
  command: a2ensite iiab-homepage.conf
-  #when: apache_enabled | bool
+  #when: apache_enabled
 # - name: Disable IIAB pages via Apache (e.g. on port 80) by running 'a2dissite iiab-homepage.conf', if not apache_enabled"
 #   command: a2dissite iiab-homepage.conf
--- a/roles/httpd/tasks/install.yml
+++ b/roles/httpd/tasks/install.yml
@ -8,8 +8,8 @@
 #      - "php{{ php_version }}"
 #      - "php{{ php_version }}-curl"
    state: present
-  when: is_debuntu | bool
+  when: is_debuntu
-#  when: is_debian | bool
+#  when: is_debian
 # - name: 'Install 2 packages: apache2, php (ubuntu)'
 #   package:
@ -19,7 +19,7 @@
 #       - "{{ apache_service }}"    # apache2 on Debuntu
 #       - php
 #     state: present
-#   when: is_ubuntu | bool
+#   when: is_ubuntu
 # 2019-05-30: It's interesting that http://box.lan/admin and everything seems
 # to work even without php{{ php_version }}-sqlite3 as confirmed on Ubuntu
@ -49,7 +49,7 @@
      - php
      - php-curl
    state: present
-  when: is_redhat | bool
+  when: is_redhat
 # Remove symlinks for mpm_event, replace with mpm_prefork
 - name: Remove both mpm_event symlinks from /etc/apache2/mods-enabled (debuntu)
@ -59,7 +59,7 @@
  with_items:
    - mpm_event.conf
    - mpm_event.load
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available (debuntu)
  file:
@ -69,7 +69,7 @@
  with_items:
    - mpm_prefork.conf
    - mpm_prefork.load
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc--if debuntu)'
  apache2_module:
@ -80,7 +80,7 @@
    - proxy_html
    - proxy_http
    - rewrite
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled (debuntu)
  file:
@ -89,7 +89,7 @@
  with_items:
    - /etc/apache2/000-default.conf    # Not nec on Raspbian.  Is this really still needed elsewhere?
    - /etc/apache2/sites-enabled/000-default.conf
-  when: is_debuntu | bool
+  when: is_debuntu
 - name: Create Apache's pid dir /var/run/{{ apache_user }}
  file:
@ -128,7 +128,7 @@
 - name: "IN CASE NGINX IS DISABLED: Enable IIAB pages via Apache (e.g. on port 80) by running 'a2ensite 010-iiab.conf'"
  command: a2ensite 010-iiab.conf
-  #when: apache_enabled | bool
+  #when: apache_enabled
 # - name: Disable IIAB pages via Apache (e.g. on port 80) by running 'a2dissite 010-iiab.conf', if not apache_enabled"
 #   command: a2dissite 010-iiab.conf
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@ -36,7 +36,7 @@
    name: "{{ apache_service }}"
    enabled: yes
    state: started    # No need to restart, as many IIAB apps do that later
-  when: apache_enabled | bool
+  when: apache_enabled
 - name: Disable & Stop {{ apache_service }} systemd service, if not apache_enabled
  systemd:
--- a/roles/iiab-admin/README.rst
+++ b/roles/iiab-admin/README.rst
@ -13,31 +13,59 @@
 iiab-admin README
 =================
-This role is home to a number of administrative (Ansible) playbooks:
+`Internet-in-a-Box <http://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community.
-Add Administrative User
+This Ansible playbook is one of the very first that runs when you install IIAB, and we hope reading this helps you understand your choices:
 -----------------------
-* Adds the Linux user that will allow you access to IIAB's Admin Console (http://box.lan/admin) if this has not already been done for you by IIAB's 1-line installer (http://download.iiab.io).
+Configure user 'iiab-admin'
-* By default this is ``iiab-admin`` with password ``g0adm1n``
+---------------------------
 * `admin-user.yml <tasks/admin-user.yml>`_ configures a Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}.
   * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here.
 * By default this user is ``iiab-admin`` with password ``g0adm1n``
   * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin**
-   * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password
+   * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password.
-   * If you prefer using a pre-existing user like ``pi`` or ``ubuntu`` etc, consider customizing variables ``iiab_admin_user_install``, ``iiab_admin_user`` and ``iiab_admin_user_group`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (please do this prior to installing IIAB !)
+* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!)
-* Please read more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+   * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!)
   * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually.
-Desiderata, for the historical record:
+Security
 --------
-* Auto-checking for the default password is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists).
+* A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin)
-* |ss| N.B. to create password hash use python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' |se| |nbsp| (not recommended as of October 2020)
+   #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
-* |ss| Make a sudoer |se| |nbsp| (likely going away in October 2020, as group 'iiab-admin' should be recommended instead of group 'sudo')
+   #. ``sudo``
-* |ss| Add /root/.ssh and dummy authorized_keys file as placeholder |se| |nbsp| (moved to `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_)
+* Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
-* |ss| Force password for sudoers |se| |nbsp| (sudo flag ``NOPASSWORD:`` and the ``wheel`` group will no longer being used as of October 2020)
+* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security
 * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).
-Add Packages for Remote Access
+Example
------------------------------
+=======
-* screen
+* If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this:
-* lynx
+   #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
   #. Make sure that ``iiab_admin_user_install: True`` is also set.
   #. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin``
 Historical Notes
 ================
 * We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_.  [October 2020]
 * The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks.  [October 2020]
 Remote Support Tools
 --------------------
 The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
 Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
 * `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_
 * `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_
 *More great tools to help you jumpstart community action at a distance:*
 * http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?"
 Admin Console
 -------------
--- a/roles/iiab-admin/defaults/main.yml
+++ b/roles/iiab-admin/defaults/main.yml
@ -1,24 +1,16 @@
-# Must keep roles/0-init/defaults/main.yml sync'd ?  (Seems no longer true as of 2018-10-15)
+# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
 # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
-# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
-# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+
-# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
 # iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# iiab_admin_can_sudo: True   # For /usr/bin/iiab-* support commands. Optional.
-# Linux user that has sudo access, for login to Admin Console http://box/admin
+# iiab_admin_published_pwd: g0adm1n   # Default password. For pwd warnings too.
-
+# admin_console_group: iiab-admin   # This group & sudo log in to Admin Console
 # ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content (ISN'T {{ apache_user }} MORE APPROPRIATE?)
 # iiab_admin_user: iiab-admin
 # For live checks/alerts of published pwds
 # iiab_admin_published_pwd: g0adm1n
 # Password hash to override above, if Ansible creates above user:
 # iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
 # Obtain a password hash - NEW MORE SECURE WAY:
 #    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
 # Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
--- a/roles/iiab-admin/tasks/access.yml
+++ b/roles/iiab-admin/tasks/access.yml
@ -1,6 +1,6 @@
- name: "Install textmode remote access packages: screen, lynx"
+- name: "Install text mode packages, useful during remote access: screen, lynx"
  package:
    name:
-    - screen
+      - lynx
-    - lynx
+      - screen
    state: present
--- a/roles/iiab-admin/tasks/admin-user.yml
+++ b/roles/iiab-admin/tasks/admin-user.yml
@ -1,53 +1,56 @@
- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account
+# Summary of how this works with IIAB's Admin Console etc:
-  user:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
    name: "{{ iiab_admin_user }}"    # iiab-admin
    password: "{{ iiab_admin_pwd_hash }}"
    update_password: on_create
    shell: /bin/bash
    groups: sudo
 #- name: Create a wheel group
 #  group:
 #    name: wheel
 #    state: present
-#- name: Create a sudo group (redhat)
+# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml
-#  group:
+- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist?    # iiab-admin BY DEFAULT
-#    name: sudo
+  command: "id {{ iiab_admin_user | quote }}"    # quote to avoid ';' exploits
-#    state: present
+  register: user_info
-#  when: is_redhat | bool
+  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')
-#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
+# admin_console_group: iiab-admin   # PER default_vars.yml, SHOULD NEVER CHANGE
-#  user:
+- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console
-#    name: "{{ iiab_admin_user }}"
+  group:
-#    groups: wheel,sudo
+    name: "{{ admin_console_group }}"
 - name: Edit the sudoers file -- first make it editable
  file:
    path: /etc/sudoers
    mode: 0640
 - name: Have sudo log all commands it handles
  lineinfile:
    regexp: logfile
    line: "Defaults     logfile = /var/log/sudo.log"
    dest: /etc/sudoers
    state: present
 - name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
  user:
    name: "{{ iiab_admin_user }}"
    #group: "{{ iiab_admin_user }}"    # Not nec.  Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
    groups: "{{ admin_console_group }}"    # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future.  FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd.
    append: yes
    shell: /bin/bash
    #password: "{{ iiab_admin_pwd_hash }}"    # 2020-10-14: DEPRECATED in favor
    #update_password: on_create               # of 'command: chpasswd' below.
 - name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'    # g0adm1n
  #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
  command: chpasswd    # Equiv to line above, but safer
  args:
    stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}"
  when: user_info.rc != 0
 # sudo-prereqs.yml needs to have been run!
 - name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
  #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
  user:
    name: "{{ iiab_admin_user }}"
    groups: sudo
    append: yes
  when: iiab_admin_can_sudo
 - name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
  when: not iiab_admin_can_sudo
  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')
 #- name: Lets {{ iiab_admin_user }} sudo without password
 ##- name: Lets wheel sudo without password
 #  lineinfile:
 #    path: /etc/sudoers
 #    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
 ##    line: "%wheel ALL= NOPASSWD: ALL"
 #    dest: /etc/sudoers
 - name: Remove the line which requires tty
  lineinfile:
    regexp: requiretty
    dest: /etc/sudoers
    state: absent
 - name: End editing the sudoers file -- protect it again
  file:
    path: /etc/sudoers
    mode: 0440
--- a/roles/iiab-admin/tasks/main.yml
+++ b/roles/iiab-admin/tasks/main.yml
@ -1,39 +1,32 @@
- include_tasks: admin-user.yml
+# Summary of how this works with IIAB's Admin Console etc:
-  when: iiab_admin_user_install | bool
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
 - include_tasks: access.yml
- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
+- name: Install lynx, screen
-  template:
+  include_tasks: access.yml
    src: sshpwd-profile-iiab.sh
    dest: /etc/profile.d/
    mode: '0644'
- name: Is this LXDE-pi?
+- name: Install sudo & /etc/sudoers with logging to /var/log/sudo.log
-  stat:
+  include_tasks: sudo-prereqs.yml
    path: /etc/xdg/lxsession/LXDE-pi
  register: lx
- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+- name: Configure user iiab-admin / password and its group(s), if iiab_admin_user_install
-  template:
+  include_tasks: admin-user.yml
-    src: sshpwd-lxde-iiab.sh
+  when: iiab_admin_user_install
    dest: /etc/xdg/lxsession/LXDE-pi/
    mode: '0755'
  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
-# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
+# Idea: institute precautionary system-wide published password warning(s)
-# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
+# for user iiab-admin / g0adm1n, i.e. {{ iiab_admin_user }} with password
-# (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
+# {{ iiab_admin_published_pwd }}, regardless whether the password is set:
-# would be really nice to standardize this popup across Ubermix & all distros..
+#
-# Is this a permissions/security issue presumably?  Official autostart spec is:
+# (1) by the OS installer
-# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
+# (2) by the OS's graphical desktop tools
-# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
+# (3) at the command-line: sudo passwd iiab-admin
 # (4) by IIAB's 1-line installer: http://download.iiab.io
 # (5) by this role: roles/iiab-admin/tasks/admin-user.yml
 # (6) by IIAB's Admin Console during installation
 # ...and/or...
 # (7) by IIAB's Admin Console > Utilities > Change Password
- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
+- name: Install password warning(s)
-  lineinfile:
+  include_tasks: pwd-warnings.yml
    path: /etc/xdg/lxsession/LXDE-pi/autostart
    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
 # RECORD iiab-admin AS INSTALLED
@ -62,3 +55,7 @@
      value: '"Admin User"'
    - option: iiab_admin_user
      value: "{{ iiab_admin_user }}"
    - option: iiab_admin_user_install
      value: "{{ iiab_admin_user_install }}"
    - option: iiab_admin_can_sudo
      value: "{{ iiab_admin_can_sudo }}"
--- a/roles/iiab-admin/tasks/pwd-warnings.yml
+++ b/roles/iiab-admin/tasks/pwd-warnings.yml
@ -0,0 +1,31 @@
 - name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
  template:
    src: sshpwd-profile-iiab.sh
    dest: /etc/profile.d/
    mode: '0644'
 - name: Is this LXDE-pi?
  stat:
    path: /etc/xdg/lxsession/LXDE-pi
  register: lx
 - name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
  template:
    src: sshpwd-lxde-iiab.sh
    dest: /etc/xdg/lxsession/LXDE-pi/
    mode: '0755'
  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
 # 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
 # not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
 # (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
 # would be really nice to standardize this popup across Ubermix & all distros..
 # Is this a permissions/security issue presumably?  Official autostart spec is:
 # https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
 # Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
 - name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
  lineinfile:
    path: /etc/xdg/lxsession/LXDE-pi/autostart
    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
--- a/roles/iiab-admin/tasks/sudo-prereqs.yml
+++ b/roles/iiab-admin/tasks/sudo-prereqs.yml
@ -0,0 +1,27 @@
 # roles/2-common/tasks/packages.yml also installed sudo, but that's too late
 - name: 'Install package: sudo'
  package:
    name: sudo
 - name: Temporarily make file /etc/sudoers editable (0640)
  file:
    path: /etc/sudoers
    mode: 0640
 - name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'
  lineinfile:
    path: /etc/sudoers
    regexp: logfile
    line: "Defaults     logfile = /var/log/sudo.log"
 # Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
 #- name: Remove all lines that contain 'requiretty'
 #  lineinfile:
 #    path: /etc/sudoers
 #    regexp: requiretty
 #    state: absent
 - name: End editing file /etc/sudoers -- protect it again (0440)
  file:
    path: /etc/sudoers
    mode: 0440
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@ -3,6 +3,9 @@
 # SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
 # CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25
 # For Localization/Translation: (use /usr/bin/gettext below if later nec!)
 #export TEXTDOMAIN=pprompt-iiab
 #. gettext.sh
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
@ -44,8 +44,6 @@ check_user_pwd() {
 # HISTORICAL: if password-free sudo access is truly nec, it can be set with
 # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older:
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
 # CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30
 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin g0adm1n
    echo
--- a/roles/internetarchive/tasks/apache.yml
+++ b/roles/internetarchive/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable internetarchive.conf via Apache (for short URL http://box/archive eventually?) if internetarchive_enabled
  command: a2ensite internetarchive.conf
-  when: internetarchive_enabled | bool
+  when: internetarchive_enabled
 - name: Disable internetarchive.conf via Apache, if not internetarchive_enabled
  command: a2dissite internetarchive.conf
--- a/roles/internetarchive/tasks/install.yml
+++ b/roles/internetarchive/tasks/install.yml
@ -46,7 +46,7 @@
  args:
    chdir: "{{ internetarchive_dir }}"
    creates: "{{ internetarchive_dir }}/node_modules/@internetarchive/dweb-mirror/internetarchive"
-  when: internet_available | bool
+  when: internet_available
 - name: mkdir {{ content_base }}/archiveorg
  file:
--- a/roles/internetarchive/tasks/main.yml
+++ b/roles/internetarchive/tasks/main.yml
@ -59,7 +59,7 @@
    daemon_reload: yes
    enabled: yes
    state: restarted
-  when: internetarchive_enabled | bool
+  when: internetarchive_enabled
 - name: Disable & Stop 'internetarchive' systemd service, if not internetarchive_enabled
  systemd:
@ -74,7 +74,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'internetarchive' variable values to {{ iiab_ini_file }}
--- a/roles/internetarchive/tasks/nginx.yml
+++ b/roles/internetarchive/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: internetarchive-nginx.conf.j2    # TO DO: roles/internetarchive/templates/internetarchive-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/internetarchive-nginx.conf"    # /etc/nginx/conf.d
-  when: internetarchive_enabled | bool
+  when: internetarchive_enabled
 - name: Disable http://box/archive via NGINX, by removing {{ nginx_conf_dir }}/internetarchive-nginx.conf
  file:
--- a/roles/kalite/tasks/install.yml
+++ b/roles/kalite/tasks/install.yml
@ -3,13 +3,13 @@
    url: "{{ kalite_requirements }}"
    dest: "{{ pip_packages_dir }}/kalite.txt"    # /opt/iiab/pip-packages/kalite.txt
    timeout: "{{ download_timeout }}"
-  when: internet_available | bool
+  when: internet_available
 # 2020-01-19: https://github.com/piwheels/packages/issues/74 says the following is not longer needed...
 #- name: Run 'mv /etc/pip.conf /etc/pip.conf.see-iiab-issue-2139' as "TEMPORARY" workaround (2020-01-17) for piwheels.org's setuptools Python 2/3 brokenness on RPi (https://github.com/iiab/iiab/issues/2139)
 #  command: mv /etc/pip.conf /etc/pip.conf.see-iiab-issue-2139
 #  ignore_errors: yes
-#  when: is_raspbian | bool
+#  when: is_raspbian
 - name: Install python2, if Raspbian/Debian > 10 or Ubuntu > 19
  package:
@ -41,7 +41,7 @@
    virtualenv_command: /usr/bin/virtualenv
    virtualenv_python: python2.7
    extra_args: "--no-cache-dir"
-  when: internet_available | bool
+  when: internet_available
 - name: "Install from templates: venv wrapper /usr/bin/kalite, systemd unit file kalite-serve.service"
  template:
--- a/roles/kalite/tasks/main.yml
+++ b/roles/kalite/tasks/main.yml
@ -30,7 +30,7 @@
    name: kalite-serve
    enabled: yes
    state: restarted
-  when: kalite_enabled | bool
+  when: kalite_enabled
 - name: Disable & Stop 'kalite-serve' service, if not kalite_enabled
  systemd:
--- a/roles/kiwix/files/test_zim/Notes.txt
+++ b/roles/kiwix/files/test_zim/Notes.txt
@ -1,8 +1,8 @@
-Make zim with
+Make zim with
-
+
-./zimwriterfs --welcome=index.html --favicon=favicon.png --language=eng --title=test --description=test --creator=XSCE --publisher=XSCE  /root/devel/test_zim test.zim
+./zimwriterfs --welcome=index.html --favicon=favicon.png --language=eng --title=test --description=test --creator=XSCE --publisher=XSCE  /root/devel/test_zim test.zim
-
+
-Create library.xml with
+Create library.xml with
-
+
-/opt/schoolserver/kiwix/bin/kiwix-manage /library/zims/library.xml add /library/zims/content/test.zim
+/opt/schoolserver/kiwix/bin/kiwix-manage /library/zims/library.xml add /library/zims/content/test.zim
-
+
--- a/roles/kiwix/tasks/apache.yml
+++ b/roles/kiwix/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box{{ kiwix_url }} via Apache    # http://box/kiwix
  command: a2ensite kiwix.conf
-  when: kiwix_enabled | bool
+  when: kiwix_enabled
 - name: Disable http://box{{ kiwix_url }} via Apache    # http://box/kiwix
  command: a2dissite kiwix.conf
--- a/roles/kiwix/tasks/enable-or-disable.yml
+++ b/roles/kiwix/tasks/enable-or-disable.yml
@ -4,7 +4,7 @@
    daemon_reload: yes
    enabled: yes
    state: restarted
-  when: kiwix_enabled | bool
+  when: kiwix_enabled
 - name: Disable & Stop 'kiwix-serve' systemd service
  systemd:
@ -42,4 +42,4 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
--- a/roles/kiwix/tasks/install.yml
+++ b/roles/kiwix/tasks/install.yml
@ -37,7 +37,7 @@
    url: "{{ iiab_download_url }}/{{ kiwix_src_file }}"    # http://download.iiab.io/packages
    dest: "{{ downloads_dir }}/{{ kiwix_src_file }}"
    timeout: "{{ download_timeout }}"
-  when: internet_available | bool
+  when: internet_available
 - name: Create dir {{ iiab_zim_path }} and subdirs {content, index} for Kiwix ZIM files
  file:
@ -95,7 +95,7 @@
 #    - proxy_html
 #    - proxy_http
 #    - rewrite
-#  when: is_debuntu | bool
+#  when: is_debuntu
 # 4. INSTALL iiab-make-kiwix-lib*, kiwix-serve.service, kiwix.conf for Apache
--- a/roles/kiwix/tasks/kiwix-apk.yml
+++ b/roles/kiwix/tasks/kiwix-apk.yml
@ -1,18 +1,18 @@
-# Install kiwix android app apk for downloading
+# Install kiwix android app apk for downloading
- name: Create {{ doc_root }}{{ kiwix_apk_url }} directory
+- name: Create {{ doc_root }}{{ kiwix_apk_url }} directory
-  file:
+  file:
-    path: "{{ doc_root }}{{ kiwix_apk_url }}"
+    path: "{{ doc_root }}{{ kiwix_apk_url }}"
-    state: directory
+    state: directory
-
+
- name: Download kiwix.apk to {{ doc_root }}{{ kiwix_apk_url }}
+- name: Download kiwix.apk to {{ doc_root }}{{ kiwix_apk_url }}
-  get_url:
+  get_url:
-    url: "{{ kiwix_apk_src  }}"    # https://download.kiwix.org/release/kiwix-android/kiwix.apk
+    url: "{{ kiwix_apk_src  }}"    # https://download.kiwix.org/release/kiwix-android/kiwix.apk
-    dest: "{{ doc_root }}{{ kiwix_apk_url }}"
+    dest: "{{ doc_root }}{{ kiwix_apk_url }}"
-    timeout: "{{ download_timeout }}"
+    timeout: "{{ download_timeout }}"
-  when: internet_available | bool
+  when: internet_available
-
+
- name: Symlink {{ doc_root }}{{ kiwix_apk_url }}/zims -> {{ iiab_zim_path }}/content
+- name: Symlink {{ doc_root }}{{ kiwix_apk_url }}/zims -> {{ iiab_zim_path }}/content
-  file:
+  file:
-    src: "{{ iiab_zim_path }}/content"              # /library/zims/content
+    src: "{{ iiab_zim_path }}/content"              # /library/zims/content
-    path: "{{ doc_root }}{{ kiwix_apk_url }}/zims"  # /library/www/html/softare/kiwix/zims
+    path: "{{ doc_root }}{{ kiwix_apk_url }}/zims"  # /library/www/html/softare/kiwix/zims
-    state: link
+    state: link
--- a/roles/kiwix/tasks/nginx.yml
+++ b/roles/kiwix/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: kiwix-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/kiwix-nginx.conf"    # /etc/nginx/conf.d
-  when: kiwix_enabled | bool
+  when: kiwix_enabled
 - name: Disable http://box{{ kiwix_url }} via NGINX, by removing {{ nginx_conf_dir }}/kiwix-nginx.conf    # http://box/kiwix
  file:
--- a/roles/kiwix/templates/iiab-make-kiwix-lib
+++ b/roles/kiwix/templates/iiab-make-kiwix-lib
@ -1,33 +1,33 @@
-#!/bin/bash
+#!/bin/bash
-
+
-LOCK_PATH=/run/lock/kiwix
+LOCK_PATH=/run/lock/kiwix
-mkdir -p $LOCK_PATH
+mkdir -p $LOCK_PATH
-
+
-WAITLOCK="$LOCK_PATH/make-kiwix-lib-wait.LCK";
+WAITLOCK="$LOCK_PATH/make-kiwix-lib-wait.LCK";
-RUNLOCK="$LOCK_PATH/kiwix-lib-access.LCK";
+RUNLOCK="$LOCK_PATH/kiwix-lib-access.LCK";
-KIWIXLIB={{ kiwix_library_xml }}
+KIWIXLIB={{ kiwix_library_xml }}
-
+
-exec 200>$WAITLOCK;
+exec 200>$WAITLOCK;
-exec 201>$RUNLOCK;
+exec 201>$RUNLOCK;
-
+
-if flock -n -e 200; then :
+if flock -n -e 200; then :
-  echo 'Waiting to run iiab-make-kiwix-lib.py'
+  echo 'Waiting to run iiab-make-kiwix-lib.py'
-  # wait for up to 5 min
+  # wait for up to 5 min
-  flock -x -w 300 201
+  flock -x -w 300 201
-  flock -u 200 # unlock queue
+  flock -u 200 # unlock queue
-  echo "Now running iiab-make-kiwix-lib.py"
+  echo "Now running iiab-make-kiwix-lib.py"
-  # write to {{ kiwix_library_xml }}.tmp to minimize kiwix down
+  # write to {{ kiwix_library_xml }}.tmp to minimize kiwix down
-  # zim map could be out of sync for a few seconds
+  # zim map could be out of sync for a few seconds
-  # using new version that does deltas
+  # using new version that does deltas
-  cp $KIWIXLIB $KIWIXLIB.tmp
+  cp $KIWIXLIB $KIWIXLIB.tmp
-  /usr/bin/iiab-make-kiwix-lib.py
+  /usr/bin/iiab-make-kiwix-lib.py
-  {{ systemctl_program }} stop kiwix-serve
+  {{ systemctl_program }} stop kiwix-serve
-  rm $KIWIXLIB
+  rm $KIWIXLIB
-  mv $KIWIXLIB.tmp $KIWIXLIB
+  mv $KIWIXLIB.tmp $KIWIXLIB
-  {{ systemctl_program }} start kiwix-serve
+  {{ systemctl_program }} start kiwix-serve
-else
+else
-  echo "Can't get wait lock for iiab-make-kiwix-lib.py";
+  echo "Can't get wait lock for iiab-make-kiwix-lib.py";
-  exit 1;
+  exit 1;
-fi
+fi
-echo 'Finished making Kiwix library.xml'
+echo 'Finished making Kiwix library.xml'
-exit 0
+exit 0
--- a/roles/kolibri/tasks/apache.yml
+++ b/roles/kolibri/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box{{ kolibri_url }} via Apache    # http://box/kolibri
  command: a2ensite kolibri.conf
-  when: kolibri_enabled | bool
+  when: kolibri_enabled
 - name: Disable http://box{{ kolibri_url }} via Apache    # http://box/kolibri
  command: a2dissite kolibri.conf
--- a/roles/kolibri/tasks/install.yml
+++ b/roles/kolibri/tasks/install.yml
@ -37,7 +37,7 @@
  environment:
    KOLIBRI_HOME: "{{ kolibri_home }}"    # these don't do a thing for now but
    KOLIBRI_USER: "{{ kolibri_user }}"    # both can't hurt & Might Help Later
-  when: internet_available | bool
+  when: internet_available
 - name: 'Install from template: /etc/systemd/system/kolibri.service'
  template:
@ -64,7 +64,7 @@
 #  ignore_errors: yes
 #  become: yes
 #  become_user: "{{ kolibri_user }}"
-#  when: kolibri_provision | bool
+#  when: kolibri_provision
 # 2020-01-05: Deprecated per https://github.com/iiab/iiab/issues/2103
 #- name: Set Kolibri default language ({{ kolibri_language }})
@ -72,7 +72,7 @@
 #  ignore_errors: yes
 #  become: yes
 #  become_user: "{{ kolibri_user }}"
-#  when: kolibri_provision | bool
+#  when: kolibri_provision
 - name: 'Provision Kolibri, while setting: facility name, admin acnt / password, preset type, and language'
  shell: >
@ -84,7 +84,7 @@
  ignore_errors: yes
  become: yes
  become_user: "{{ kolibri_user }}"
-  when: kolibri_provision | bool
+  when: kolibri_provision
 - name: chown -R {{ kolibri_user }}:{{ apache_user }} {{ kolibri_home }} for good measure?
  file:
@ -92,7 +92,7 @@
    owner: "{{ kolibri_user }}"    # kolibri
    group: "{{ apache_user }}"     # www-data (on Debian/Ubuntu/Raspbian)
    recurse: yes
-  when: kolibri_provision | bool
+  when: kolibri_provision
 # 2019-10-07: Moved to roles/httpd/tasks/main.yml
--- a/roles/kolibri/tasks/main.yml
+++ b/roles/kolibri/tasks/main.yml
@ -35,7 +35,7 @@
    daemon_reload: yes
    enabled: yes
    state: started
-  when: kolibri_enabled | bool
+  when: kolibri_enabled
 - name: Disable & Stop 'kolibri' systemd service, if not kolibri_enabled
  systemd:
@ -50,7 +50,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'kolibri' variable values to {{ iiab_ini_file }}    # /etc/iiab/iiab.ini
--- a/roles/kolibri/tasks/nginx.yml
+++ b/roles/kolibri/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: kolibri-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/kolibri-nginx.conf"    # /etc/nginx/conf.d
-  when: kolibri_enabled | bool
+  when: kolibri_enabled
 - name: Disable http://box{{ kolibri_url }} via NGINX, by removing {{ nginx_conf_dir }}/kolibri-nginx.conf    # http://box/kolibri
  file:
--- a/roles/lokole/tasks/apache.yml
+++ b/roles/lokole/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box{{ lokole_url }} via Apache    # http://box/lokole
  command: a2ensite lokole.conf
-  when: lokole_enabled | bool
+  when: lokole_enabled
 - name: Disable http://box{{ lokole_url }} via Apache    # http://box/lokole
  command: a2dissite lokole.conf
--- a/roles/lokole/tasks/install.yml
+++ b/roles/lokole/tasks/install.yml
@ -37,7 +37,7 @@
    virtualenv_command: python3 -m venv "{{ lokole_venv }}"
    extra_args: --no-cache-dir    # To avoid caching issues e.g. soon after new releases hit https://pypi.org/project/opwen-email-client/
  when:
-    - internet_available | bool
+    - internet_available
    - lokole_commit is defined
 # For development purposes -- To install a given pip version of Lokole, add
@ -51,7 +51,7 @@
    virtualenv_command: python3 -m venv "{{ lokole_venv }}"
    extra_args: --no-cache-dir    # To avoid caching issues e.g. soon after new releases hit https://pypi.org/project/opwen-email-client/
  when:
-    - internet_available | bool
+    - internet_available
    - lokole_version is defined
 - name: "DEFAULT: pip install opwen_email_client (Lokole, latest available version) from PyPI to {{ lokole_venv }}, if above vars both UNdefined"
@ -61,7 +61,7 @@
    virtualenv_command: python3 -m venv "{{ lokole_venv }}"
    extra_args: --no-cache-dir    # To avoid caching issues e.g. soon after new releases hit https://pypi.org/project/opwen-email-client/
  when:
-    - internet_available | bool
+    - internet_available
    - lokole_commit is undefined and lokole_version is undefined
 - name: Compile translations
@ -99,7 +99,7 @@
    src: lokole.conf.j2
    dest: "/etc/{{ apache_conf_dir }}/lokole.conf"
    mode: 0644
-  when: apache_install | bool
+  when: apache_install
 - name: Install unit files {lokole.service, celery.service, celerybeat.service, lokole_restarter.service} into /etc/systemd/system, from template
  template:
--- a/roles/lokole/tasks/main.yml
+++ b/roles/lokole/tasks/main.yml
@ -27,14 +27,14 @@
 - name: Do a 'systemctl daemon-reload' if lokole_enabled
  systemd:
    daemon_reload: yes
-  when: lokole_enabled | bool
+  when: lokole_enabled
 - name: Enable & Restart {lokole, celery, celerybeat, lokole_restarter} systemd services, if lokole_enabled
  systemd:
    name: "{{ item }}"
    enabled: yes
    state: restarted
-  when: lokole_enabled | bool
+  when: lokole_enabled
  with_items:
    - lokole
    - celery
@ -60,7 +60,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'lokole' variable values to {{ iiab_ini_file }}
--- a/roles/lokole/tasks/nginx.yml
+++ b/roles/lokole/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: lokole-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/lokole-nginx.conf"    # /etc/nginx/conf.d
-  when: lokole_enabled | bool
+  when: lokole_enabled
 - name: Disable http://box{{ lokole_url }} via NGINX, by removing {{ nginx_conf_dir }}/lokole-nginx.conf    # http://box/lokole
  file:
--- a/roles/mediawiki/tasks/apache.yml
+++ b/roles/mediawiki/tasks/apache.yml
@ -1,6 +1,6 @@
 - name: Enable http://box{{ mediawiki_url }} via Apache    # http://box/wiki
  command: a2ensite mediawiki.conf
-  when: mediawiki_enabled | bool
+  when: mediawiki_enabled
 - name: Disable http://box{{ mediawiki_url }} via Apache    # http://box/wiki
  command: a2dissite mediawiki.conf
--- a/roles/mediawiki/tasks/install.yml
+++ b/roles/mediawiki/tasks/install.yml
@ -12,7 +12,7 @@
    timeout: "{{ download_timeout }}"
    #force: yes
    #backup: yes
-  when: internet_available | bool
+  when: internet_available
 - name: Unarchive (unpack) it to permanent location {{ mediawiki_abs_path }} ({{ apache_user }}:{{ apache_user }}, u+rw,g+r,o+r)
  unarchive:
--- a/roles/mediawiki/tasks/main.yml
+++ b/roles/mediawiki/tasks/main.yml
@ -30,7 +30,7 @@
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled | bool
+  when: nginx_enabled
 - name: Add 'mediawiki' variable values to {{ iiab_ini_file }}
--- a/roles/mediawiki/tasks/nginx.yml
+++ b/roles/mediawiki/tasks/nginx.yml
@ -2,7 +2,7 @@
  template:
    src: mediawiki-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/mediawiki-nginx.conf"    # /etc/nginx.conf.d
-  when: mediawiki_enabled | bool
+  when: mediawiki_enabled
 - name: Disable http://box{{ mediawiki_url }} & http://box{{ mediawiki_url2 }} via NGINX, by removing {{ nginx_conf_dir }}/mediawiki-nginx.conf    # http://box/wiki & http://box/mediawiki
  file:
--- a/roles/minetest/tasks/calc_vars.yml
+++ b/roles/minetest/tasks/calc_vars.yml
@ -7,7 +7,7 @@
 # only works if server run as root
    minetest_runas_user: root
    minetest_runas_group: root
-  when: is_raspbian | bool
+  when: is_raspbian
 # For other installs
 - name: Set some facts for other platforms
--- a/roles/minetest/tasks/enable.yml
+++ b/roles/minetest/tasks/enable.yml
@ -5,7 +5,7 @@
    name: minetest-server
    enabled: yes
    state: restarted
-  when: minetest_enabled | bool
+  when: minetest_enabled
 - name: Disable & Stop 'minetest-server' service
  systemd:
--- a/roles/minetest/tasks/minetest_install.yml
+++ b/roles/minetest/tasks/minetest_install.yml
@ -24,7 +24,7 @@
    line: "{{ item.line }}"
  with_items:
    - { regexp: '^mg_name = ', line: 'mg_name = flat' }
-  when: minetest_flat_world | bool
+  when: minetest_flat_world
 - name: Create /library/games/minetest/worlds/world
  file:
--- a/roles/minetest/tasks/rpi_minetest_install.yml
+++ b/roles/minetest/tasks/rpi_minetest_install.yml
@ -49,4 +49,4 @@
  with_items:
    - { src: 'minetest.conf.j2', dest: '/etc/minetest/minetest.conf' }
    - { src: 'minetest-server.service.j2', dest: '/etc/systemd/system/minetest-server.service' }
-  when: minetest_install | bool
+  when: minetest_install
--- a/roles/mongodb/tasks/install.yml
+++ b/roles/mongodb/tasks/install.yml
@ -92,7 +92,7 @@
      repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse
      state: present
      filename: mongodb-org
-    when: is_linuxmint | bool
+    when: is_linuxmint
  - name: Use mongodb-org's Ubuntu repo for all non-Mint Ubuntu - 64bit only
    apt_repository:
--- a/Show more
+++ b/Show more