Merge branch 'master' into lokole-with-less-apache

LICENSING.md

@@ -15,6 +15,6 @@ this is to include the following two lines at the top of the file:
     Licensed under the terms of the GNU GPL v2 or later; see LICENSE for details.
 
 All files not containing an explicit copyright notice or terms of license in
-the file are Copyright © 2015-2020, Unleash Kids, and are licensed under the
+the file are Copyright © 2015-2021, Unleash Kids, and are licensed under the
 terms of the GPLv2 license in the file named LICENSE in the root of the
 repository.

README.md

@@ -35,11 +35,12 @@ Finally, you can [customize your Internet-in-a-Box home page](http://wiki.laptop
 
 Internet-in-a-Box (IIAB) greatly welcomes contributions from educators, librarians *and* IT/UX/QA people of all kinds!
 
-Please see "[How can I help?](http://wiki.laptop.org/go/IIAB/FAQ#How_can_I_help.3F)" at: [FAQ.IIAB.IO](http://FAQ.IIAB.IO)
+If you would like to volunteer, please [make contact](http://internet-in-a-box.org/pages/contributing.html) after looking over "[How can I help?](http://wiki.laptop.org/go/IIAB/FAQ#How_can_I_help.3F)" at: [FAQ.IIAB.IO](http://FAQ.IIAB.IO)
 
-To learn about our software architecture, check out our [Contributors Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide).  FYI we use [Ansible](http://wiki.laptop.org/go/IIAB/FAQ#What_is_Ansible_and_what_version_should_I_use.3F) <!--as the underlying technology--> to install, deploy, configure and manage the various software components.
+<!-- To learn about our software architecture, check out our [Contributors Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide).-->
 
-To learn more about our open community architecture for "offline" education, start by reviewing "[What technical documentation exists?](http://wiki.laptop.org/go/IIAB/FAQ#What_technical_documentation_exists.3F)"
+To learn more about our open community architecture for "offline" learning, check out "[What technical documentation exists?](http://wiki.laptop.org/go/IIAB/FAQ#What_technical_documentation_exists.3F)"
+FYI we use [Ansible](http://wiki.laptop.org/go/IIAB/FAQ#What_is_Ansible_and_what_version_should_I_use.3F) <!--as the underlying technology--> to install, deploy, configure and manage the various software components.
 
 *Thank you for helping us enable offline access to the Internet's free/open knowledge jewels, as well as "Sneakernet-of-Alexandria" distribution of local/indigenous content, when mass media channels do not serve grassroots voices.*
 

iiab-support

@@ -46,7 +46,7 @@ else
     echo -e "\n\e[1mWARNING: openvpn_handle remains unchanged in both above files.\e[0m\n"
 fi
 
-if grep -q '^openvpn_install: True' /etc/iiab/local_vars.yml; then
+if grep -q '^openvpn_installed: True\b' /etc/iiab/iiab_state.yml; then
     echo -e "Your IIAB installation appears normal, with OpenVPN already installed...\n"
 else
     echo -e "Plz wait a few minutes as sshd, iiab-admin & OpenVPN are confirmed/installed...\n"
@@ -58,8 +58,6 @@ else
 
     if [ -d /opt/iiab/iiab ]; then
         cd /opt/iiab/iiab
-        #CWD=`pwd`
-        #export ANSIBLE_LOG_PATH="$CWD/iiab-install.log"
         export ANSIBLE_LOG_PATH="/opt/iiab/iiab/iiab-install.log"
         ansible -m setup -i $INVENTORY localhost --connection=local | grep python
         ansible-playbook -i $INVENTORY $PLAYBOOK --connection=local

roles/1-prep/README.rst

@@ -2,7 +2,15 @@
 1-prep README
 =============
 
-This 1st stage is primarily hardware-focused, prior to OS additions/mods.
+This 1st stage (1-prep) is primarily hardware-focused, prior to OS
+additions/mods, but also includes critical pieces sometimes needed for
+remote support:
 
-Traditionally it included preliminaries like hostname and things specific to a
+- SSH
-particular platform, such as the XO laptop, done before the bulk of the install.
+- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin>`_ username and group to log into Admin Console
+- OpenVPN software if/as needed later for remote support
+
+Traditionally 1-prep also included preliminaries like hostname and
+hardware-oriented things specific to a particular platform (such as
+One Laptop Per Child's XO laptop) i.e. critical setup prior to the
+bulk of IIAB's software install.

roles/2-common/tasks/network.yml

@@ -1,11 +1,11 @@
-- name: Install package networkd-dispatcher (OS's other than RaspOS)
+- name: Install package networkd-dispatcher (OS's other than RaspiOS)
   package:
     name: networkd-dispatcher
     state: present
   when: not is_raspbian
 
 # used in the network role
-- name: Install network related packages (debuntu)
+- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask (debuntu)'
   package:
     name:
       - iproute2
@@ -15,7 +15,7 @@
     state: present
   when: is_debuntu
 
-- name: Install /etc/network/if-pre-up.d/iptables from template (debuntu)
+- name: Install /etc/network/if-pre-up.d/iptables from template (0755, debuntu)
   template:
     src: iptables
     dest: /etc/network/if-pre-up.d/iptables

roles/3-base-server/README.rst

@@ -4,10 +4,12 @@
 
 This 3rd stage installs base server infra that Internet-in-a-Box requires, including:
 
-- the web server (Apache for now, possibly NGINX in future)
+- `MySQL <https://github.com/iiab/iiab/blob/master/roles/mysql>`_ (database underlying many/most user-facing apps).  This IIAB role also installs apt package:
-- administrator security (username iiab-admin by default)
+   - **php{{ php_version }}-mysql** — which forcibly installs **php{{ php_version }}-common**
-- MySQL (the database underlying many/most user-facing apps)
+- `NGINX <https://github.com/iiab/iiab/blob/master/roles/nginx>`_ web server (with Apache in some lingering cases).  This IIAB role also installs apt package:
+   - **php{{ php_version }}-fpm** — which forcibly installs **php{{ php_version }}-cli**, **php{{ php_version }}-common** and **libsodium23**
+- `www_base <https://github.com/iiab/iiab/blob/master/roles/www_base>`_ (similar to `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options>`_ which runs later in 4-server-options)
 
-4-server-options follows with more diverse/optional server infra functionality.
+Recap: as with 2-common, 4-server-options and 5-xo-services: this 3rd stage installs core server infra, that is not user-facing.
 
-As in the case of 2-common, 4-server-options and 5-xo-services: this stage installs core server infra, that is not user-facing.
+The next stage (4-server-options) brings more diverse/optional server infra functionality.

roles/3-base-server/tasks/main.yml

@@ -3,14 +3,14 @@
 - name: ...IS BEGINNING =====================================
   command: echo
 
-- name: MYSQL
+- name: MYSQL + CORE PHP
   include_role:
     name: mysql
   #when: mysql_install
 
-# 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
+# 2021-05-21: Apache role 'httpd' is installed as nec by any of these 6 roles:
 #
-#    cups, elgg, lokole, moodle, nodered, pbx, phpmyadmin
+#    cups, elgg, moodle, nodered, pbx, phpmyadmin
 #
 # These 14 roles conditionally touch /etc/apache2/sites-available/*.conf files:
 #
@@ -19,7 +19,7 @@
 #
 # SEE ALSO: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
 
-- name: NGINX
+- name: NGINX + CORE PHP
   include_role:
     name: nginx
   #when: nginx_install

roles/9-local-addons/tasks/main.yml

@@ -30,6 +30,12 @@
     name: calibre-web
   when: calibreweb_install
 
+- name: "2021-06-27 TEMPORARY CODE TO INSTALL 'php-pear' UNTIL ADMIN CONSOLE DECLARES ITS OWN DEPENDENCY FOR: https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19"
+  package:
+    name: php-pear    # WARNING: this also drags in 'php{{ php_version }}-xml' (also installed by MediaWiki, Nextcloud, roles/pbx's FreePBX, WordPress) AND 'php{{ php_version }}-cgi' (also installed by roles/pbx's FreePBX)
+    state: present
+  when: admin_console_install
+
 - name: Recording STAGE 9 HAS COMPLETED ====================
   lineinfile:
     path: "{{ iiab_env_file }}"

roles/awstats/tasks/install.yml

@@ -1,31 +1,29 @@
 # TO DO:
 #
-# - Prepare for a possible future w/o Apache by verifying/refining below...
+# Prepare for a possible future w/o Apache by verifying/refining below...
-#   - 5 'when: apache_installed is defined'
+# - 5 'when: apache_installed is defined'  (2021-05-21: COMMENT OUT THESE STANZAS SOON!?)
-#   - 1 'when: nginx_install'
+# - 1 'when: nginx_install'
-#   - 8 core stanzas w/o such 'when:' clauses
+# - 8 core stanzas w/o such 'when:' clauses
 
-- name: 'Install 3 packages: awstats, openssl, pwauth'
+- name: 'Install package: awstats'
   package:
-    name:
+    name: awstats
-      - awstats
-      - pwauth
-      - openssl
     state: present
 
-- name: 'Install 2 packages: apache2-utils, libapache2-mod-authnz-external'
+- name: 'Install package: pwauth (when: apache_installed is defined)'
   package:
     name:
-      - libapache2-mod-authnz-external
+      - pwauth    # Auto-installs apache2-bin and libapache2-mod-authnz-external
-      - apache2-utils
+      #- apache2-utils    # Unneeded?  (In any case, already installed by Apache itself.)
+      #- openssl    # Unneeded?  (In any case, already installed by most every Linux distro.)
     state: present
   when: apache_installed is defined
 
-- name: Run 'a2enmod cgi' to enable cgi execution via Apache
+- name: "Run 'a2enmod cgi' to enable cgi execution via Apache (when: apache_installed is defined)"
   command: a2enmod cgi
   when: apache_installed is defined
 
-- name: Create directory... mkdir {{ apache_log_dir }}, recursively chown {{ apache_user }}:{{ apache_user }}, with chmod u+rw,g+r,g-w,o-rwx
+- name: 'Create directory... mkdir {{ apache_log_dir }}, recursively chown {{ apache_user }}:{{ apache_user }}, with chmod u+rw,g+r,g-w,o-rwx (when: apache_installed is defined)'
   file:
     state: directory
     recurse: yes
@@ -41,7 +39,7 @@
     state: directory
     recurse: yes
     path: "{{ item }}"
-    owner: "{{ apache_user }}"
+    owner: "{{ apache_user }}"    # USED FOR NGINX TOO: 'www-data' on debuntu
     group: "{{ apache_user }}"
     mode: u+rw,g+r,g-w,o-rwx    # '0750' turned on too many x bits
     #force: yes
@@ -49,13 +47,13 @@
     - "{{ awstats_data_dir }}"    # /library/awstats
     - /usr/lib/cgi-bin/awstats    # create backward compatible path for awstats
 
-- name: Install /etc/{{ apache_conf_dir }}/awstats.conf from template
+- name: 'Install /etc/{{ apache_conf_dir }}/awstats.conf from template (when: apache_installed is defined)'
   template:
     src: apache-awstats.conf
     dest: "/etc/{{ apache_conf_dir }}/awstats.conf"    # apache2/sites-available on debuntu
   when: apache_installed is defined
 
-- name: Install /etc/logrotate.d/apache2 from template, to ensure logrotate doesn't make logs unreadable
+- name: "Install /etc/logrotate.d/apache2 from template, to ensure logrotate doesn't make logs unreadable (when: apache_installed is defined)"
   template:
     src: logrotate.d.apache2
     dest: /etc/logrotate.d/apache2

roles/calibre-web/tasks/install.yml

@@ -49,7 +49,7 @@
     requirements: "{{ calibreweb_venv_path }}/requirements.txt"
     virtualenv: "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
     virtualenv_site_packages: no
-    virtualenv_command:  python3 -m venv {{ calibreweb_venv_path }}
+    virtualenv_command: python3 -m venv {{ calibreweb_venv_path }}
   when: internet_available
 
 - name: Install /etc/systemd/system/calibre-web.service from template

roles/captiveportal/tasks/install.yml

@@ -1,10 +1,9 @@
-- name: "Download & install packages: python3-dateutil, python3-jinja2"
+- name: "Install packages: python3-dateutil, python3-jinja2"
   package:
-    name: "{{ item }}"
+    name:
+      - python3-dateutil
+      - python3-jinja2
     state: present
-  with_items:
-    - python3-dateutil
-    - python3-jinja2
 
 - name: mkdir /opt/iiab/captiveportal for scripts & templates, set owner to {{ apache_user }}
   file:

roles/httpd/tasks/install.yml

@@ -1,14 +1,13 @@
-- name: 'Install 4 packages: apache2, libapache2-mod-php{{ php_version }}, php{{ php_version }}, php{{ php_version }}-curl'
+- name: 'Install 2 packages: {{ apache_service }}, libapache2-mod-php{{ php_version }}'
   package:
     #name: [u'apache2', u'php{{ php_version }}', u'php{{ php_version }}-curl']    # FAILS ('u' for Unicode strings)
     #name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl']       # WORKS?
     name:
       - "{{ apache_service }}"    # apache2 on Debuntu
-      - "libapache2-mod-php{{ php_version }}"    # 2020-06-15: Required (e.g. for Elgg, Moodle & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}"
+      - libapache2-mod-php{{ php_version }}    # 2020-06-15: Required (e.g. for Elgg, Moodle & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
-#      - "php{{ php_version }}"
+      #- "php{{ php_version }}"
-#      - "php{{ php_version }}-curl"
+      #- "php{{ php_version }}-curl"
     state: present
-  when: is_debuntu
 #  when: is_debian
 
 # - name: 'Install 2 packages: apache2, php (ubuntu)'
@@ -39,29 +38,29 @@
 #  when: is_debuntu and (not is_debian_8) and (not is_ubuntu_16)
 #  #when: (is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18
 
-- name: 'Install 4 packages: httpd, mod_authnz_external, php, php-curl (redhat)'
+#- name: 'Install 4 packages: httpd, mod_authnz_external, php, php-curl (redhat)'
-  package:
+#  package:
-    #name: [u'httpd', u'php', u'php-curl', u'mod_authnz_external']    # FAILS ('u' for Unicode strings)
+#    #name: [u'httpd', u'php', u'php-curl', u'mod_authnz_external']    # FAILS ('u' for Unicode strings)
-    #name: ['httpd', 'php', 'php-curl', 'mod_authnz_external']        # WORKS
+#    #name: ['httpd', 'php', 'php-curl', 'mod_authnz_external']        # WORKS
-    name:
+#    name:
-      - httpd
+#      - httpd
-      - mod_authnz_external
+#      - mod_authnz_external
-      - php
+#      - php
-      - php-curl
+#      - php-curl
-    state: present
+#    state: present
-  when: is_redhat
+#  when: is_redhat
 
 # Remove symlinks for mpm_event, replace with mpm_prefork
-- name: Remove both mpm_event symlinks from /etc/apache2/mods-enabled (debuntu)
+- name: Remove both mpm_event symlinks from /etc/apache2/mods-enabled
   file:
     path: "/etc/apache2/mods-enabled/{{ item }}"
     state: absent
   with_items:
     - mpm_event.conf
     - mpm_event.load
-  when: is_debuntu
+  #when: is_debuntu
 
-- name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available (debuntu)
+- name: Create both mpm_prefork symlinks from /etc/apache2/mods-enabled to /etc/apache2/mods-available
   file:
     src: "/etc/apache2/mods-available/{{ item }}"
     path: "/etc/apache2/mods-enabled/{{ item }}"
@@ -69,9 +68,9 @@
   with_items:
     - mpm_prefork.conf
     - mpm_prefork.load
-  when: is_debuntu
+  #when: is_debuntu
 
-- name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc--if debuntu)'
+- name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc)'
   apache2_module:
     name: "{{ item }}"
   with_items:
@@ -80,16 +79,16 @@
     - proxy_html
     - proxy_http
     - rewrite
-  when: is_debuntu
+  #when: is_debuntu
 
-- name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled (debuntu)
+- name: Remove 000-default.conf from /etc/apache2 and /etc/apache2/sites-enabled
   file:
     path: "{{ item }}"
     state: absent
   with_items:
     - /etc/apache2/000-default.conf    # Not nec on Raspbian.  Is this really still needed elsewhere?
     - /etc/apache2/sites-enabled/000-default.conf
-  when: is_debuntu
+  #when: is_debuntu
 
 - name: Create Apache's pid dir /var/run/{{ apache_user }}
   file:

roles/internetarchive/tasks/install.yml

@@ -9,10 +9,11 @@
   include_role:
     name: nodejs
 
-- name: FAIL (STOP INSTALLING) IF nodejs_version is not set to 10.x, 12.x or 14.x
+- name: Assert that 10.x <= nodejs_version ({{ nodejs_version }}) <= 16.x
-  fail:
+  assert:
-    msg: "Internet Archive install cannot proceed, as it currently requires Node.js 10.x or 12.x or 14.x, and your nodejs_version is set to {{ nodejs_version }}.  Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml and possibly also /etc/iiab/local_vars.yml"
+    that: nodejs_version is version('10.x', '>=') and nodejs_version is version('16.x', '<=')
-  when: (nodejs_version != "10.x") and (nodejs_version != "12.x") and (nodejs_version != "14.x")
+    fail_msg: "Internet Archive install cannot proceed, as it currently requires Node.js 10.x - 16.x, and your nodejs_version is set to {{ nodejs_version }}.  Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml and possibly also /etc/iiab/local_vars.yml"
+    quiet: yes
 
 - name: "Set 'yarn_install: True' and 'yarn_enabled: True'"
   set_fact:

roles/kiwix/defaults/main.yml

@@ -26,9 +26,9 @@ kiwix_library_xml: "{{ iiab_zim_path }}/library.xml"
 # http://download.kiwix.org/release/kiwix-tools/ ...or sometimes...
 # http://download.kiwix.org/nightly/
 
-kiwix_version_armhf: kiwix-tools_linux-armhf-3.1.2-4
+kiwix_version_armhf: kiwix-tools_linux-armhf-3.1.2-5
-kiwix_version_linux64: kiwix-tools_linux-x86_64-3.1.2-4
+kiwix_version_linux64: kiwix-tools_linux-x86_64-3.1.2-5
-kiwix_version_i686: kiwix-tools_linux-i586-3.1.2-4
+kiwix_version_i686: kiwix-tools_linux-i586-3.1.2-5
 
 # kiwix_src_file_i686: "kiwix-linux-i686.tar.bz2"
 # v0.9 for i686 published May 2014 ("use it to test legacy ZIM content")

roles/kiwix/tasks/install.yml

@@ -4,10 +4,10 @@
   set_fact:
     kiwix_src_dir: False
 
-- name: "Set fact 'kiwix_src_dir: {{ kiwix_version_armhf }}' (armv6l or armv71)"
+- name: "Set fact 'kiwix_src_dir: {{ kiwix_version_armhf }}' (armv6l or armv71 or aarch64)"
   set_fact:
     kiwix_src_dir: "{{ kiwix_version_armhf }}"
-  when: ansible_machine == "armv7l" or ansible_machine == "armv6l" or ansible_machine == "aarch64"
+  when: ansible_machine == "armv6l" or ansible_machine == "armv7l" or ansible_machine == "aarch64"
 
 - name: "Set fact 'kiwix_src_dir: {{ kiwix_version_linux64 }}' (x86_64)"
   set_fact:

roles/kolibri/README.rst

@@ -26,11 +26,11 @@ Automatic Device Provisioning
 
 When kolibri_provision is enabled (e.g. in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_) the installation will set up the following defaults::
 
-  Kolibri Facility name: 'Kolibri-in-a-Box'
+  kolibri_facility: Kolibri-in-a-Box   
-  Kolibri Preset type: formal     # Options: formal, nonformal, informal
+  kolibri_language: en      # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py
-  Kolibri default language: en    # Options: ar, bn-bd, en, es-es, fa, fr-fr, hi-in, mr, nyn, pt-br, sw-tz, ta, te, ur-pk, yo, zu
+  kolibri_preset: formal    # formal, nonformal, informal
-  Kolibri Admin username: Admin
+  kolibri_admin_user: Admin
-  Kolibri Admin password: changeme
+  kolibri_admin_password: changeme
 
 *Feel free to override any of the above, by copying the relevant line from /opt/iiab/iiab/roles/kolibri/defaults/main.yml to /etc/iiab/local_vars.yml (then run 'cd /opt/iiab/iiab' followed by './runrole kolibri' per IIAB's general guidelines at http://FAQ.IIAB.IO).*
 
@@ -42,13 +42,17 @@ Kolibri 0.10 introduced ``kolibri manage deprovision`` which will remove user co
 Troubleshooting
 ---------------
 
-You can run the server manually with the following commands::
+This unproxied version of Kolibri can sometimes help: http://box:8009/kolibri/
+
+You can run Kolibri manually with commands like::
 
   systemctl stop kolibri           # Make sure the systemd service is not running
   export KOLIBRI_HOME=/library/kolibri
   export KOLIBRI_HTTP_PORT=8009    # Otherwise Kolibri will try to run on default port 8080
   kolibri start
 
+...while you look over Kolibri's systemd unit file (`/etc/systemd/system/kolibri.service <https://github.com/iiab/iiab/blob/master/roles/kolibri/templates/kolibri.service.j2>`_) for the latest parameters!
+
 To return to using the systemd unit file::
 
   kolibri stop

roles/kolibri/defaults/main.yml

@@ -1,7 +1,7 @@
 # kolibri_install: False
 # kolibri_enabled: False
 
-# kolibri_language: en    # ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu
+# kolibri_language: en    # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py
 
 # kolibri_http_port: 8009
 

roles/lokole/defaults/main.yml

@@ -20,14 +20,17 @@ lokole_admin_password: changeme
 
 lokole_install_path: "{{ content_base }}/lokole"    # /library/lokole
 lokole_venv: "{{ lokole_install_path }}/venv"       # /library/lokole/venv
+lokole_confd: /etc/supervisor/conf.d
 
 # Info needed to run Lokole:
 lokole_user: lokole
 lokole_url: /lokole
 lokole_uid: "2000"
-lokole_run_directory: /home/{{ lokole_user }}/state
+lokole_home_dir: /home/{{ lokole_user }}
-lokole_log_directory: /home/{{ lokole_user }}/log
+lokole_run_dir: "{{ lokole_home_dir }}/state"
-lokole_domain_socket: "{{ lokole_run_directory }}/lokole_gunicorn.sock"
+lokole_log_dir: "{{ lokole_home_dir }}/logs"
+lokole_settings: "{{ lokole_run_dir }}/settings.env"
+lokole_domain_socket: "{{ lokole_run_dir }}/lokole_gunicorn.sock"
 lokole_sim_type: LocalOnly
 
 lokole_full_url: "http://{{ iiab_hostname }}.{{ iiab_domain }}{{ lokole_url }}"    # http://box.lan/lokole

roles/lokole/tasks/install.yml

@@ -25,6 +25,13 @@
       - libjpeg-dev
       - libssl-dev
       - libopenjp2-7    # 2020-02-01: To solve bug #2221
+      - supervisor
+      - usb-modeswitch
+      - usb-modeswitch-data
+      - mobile-broadband-provider-info
+      - ppp
+      - wvdial
+
     state: present
 
 # For development purposes -- To install Lokole from a given commit, add the
@@ -75,52 +82,63 @@
   ansible.builtin.user:
     state: present
     name: "{{ lokole_user }}"
+    #group: "{{ lokole_user }}"
+    groups: dialout, dip
     system: yes
-    uid: "{{ lokole_uid }}"
+    #uid: "{{ lokole_uid }}"
-    home: /home/{{ lokole_user }}
+    home: "{{ lokole_home_dir }}"
 
-- name: mkdir {{ lokole_run_directory }}
+- name: mkdir {{ lokole_run_dir }}
   file:
     state: directory
-    path: "{{ lokole_run_directory }}"
+    path: "{{ lokole_run_dir }}/lokole_restarter"
     group: "{{ lokole_user }}"
     owner: "{{ lokole_user }}"
     mode: g+rw
 
-- name: mkdir /{{ lokole_user }}/log
+- name: mkdir {{ lokole_log_dir }}
   file:
     state: directory
-    path: "{{ lokole_log_directory }}"
+    path: "{{ lokole_log_dir }}"
     group: "{{ lokole_user }}"
     owner: "{{ lokole_user }}"
     mode: g+rw
 
-- name: Install {{ lokole_run_directory }}/settings.env
+- name: Generate key and salt
+  set_fact:
+    lokole_key: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,_ length=32') }}"
+    lokole_salt: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,_ length=16') }}"
+
+- name: Install {{ lokole_settings }}
   template:
     src: settings.env.j2
-    dest: "{{ lokole_run_directory }}/settings.env"
+    dest: "{{ lokole_settings }}"
     group: "{{ lokole_user }}"
     owner: "{{ lokole_user }}"
-    mode: a+rw
+    mode: g+rw
 
-- name: Install {{ lokole_run_directory }}/webapp_secrets.sh from template, to configure Lokole
+#- name: Fixup supervisorctl
-  template:
+#  file:
-    src: webapp_secrets.sh.j2
+#    path: /usr/bin/supervisorctl
-    dest: "{{ lokole_run_directory }}/webapp_secrets.sh"
+#    owner: root
-    mode: a+x
+#    group: "{{ lokole_user }}"
+#    mode: u=rw+s,g=rx,o=rx
 
-- name: Install {{ lokole_run_directory }}/webapp.sh from template, to configure Gunicorn
+- name: Install {{ lokole_confd }} templates to configure Lokole
   template:
-    src: webapp.sh.j2
+    src: "{{ item.src }}"
-    dest: "{{ lokole_run_directory }}/webapp.sh"
+    dest: "{{ lokole_confd }}"
     group: "{{ lokole_user }}"
     owner: "{{ lokole_user }}"
-    mode: a+x
+    mode: 0644
+  with_items:
+    - { src: 'lokole_gunicorn.conf' }
+    - { src: 'lokole_celery_beat.conf' }
+    - { src: 'lokole_celery_worker.conf' }
+    - { src: 'lokole_restarter.conf' }
 
 - name: Create Lokole admin user with password, for http://box{{ lokole_url }}    # http://box/lokole
-  shell: |
+  include_tasks: setup.yml
-    . {{ lokole_run_directory }}/webapp_secrets.sh
-    {{ lokole_venv }}/bin/manage.py createadmin --name='{{ lokole_admin_user }}' --password='{{ lokole_admin_password }}'
 
 #- name: Install /etc/{{ apache_conf_dir }}/lokole.conf from template, for http://box{{ lokole_url }} via Apache    # http://box/lokole
 #  template:
@@ -129,24 +147,12 @@
 #    mode: 0644
 #  when: apache_install
 
-- name: Install unit files {lokole.service, celery.service, celerybeat.service, lokole_restarter.service} into /etc/systemd/system, from template
-  template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest}}"
-    mode: 0644
-  with_items:
-    - { src: 'lokole.service.j2', dest: '/etc/systemd/system/lokole.service' }
-    - { src: 'celery.service.j2', dest: '/etc/systemd/system/celery.service' }
-    - { src: 'celerybeat.service.j2', dest: '/etc/systemd/system/celerybeat.service' }
-    - { src: 'lokole_restarter.service.j2', dest: '/etc/systemd/system/lokole_restarter.service' }
-
-
-# RECORD Lokole AS INSTALLED
-
 - name: "Set 'lokole_installed: True'"
   set_fact:
     lokole_installed: True
 
+# RECORD Lokole AS INSTALLED
+
 - name: "Add 'lokole_installed: True' to {{ iiab_state_file }}"
   lineinfile:
     path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml

roles/lokole/tasks/main.yml

@@ -24,43 +24,27 @@
   when: lokole_installed is undefined
 
 
-- name: Do a 'systemctl daemon-reload' if lokole_enabled
+- name: Do a 'systemctl daemon-reload'
   systemd:
     daemon_reload: yes
   when: lokole_enabled
 
-- name: Enable & Restart {lokole, celery, celerybeat, lokole_restarter} systemd services, if lokole_enabled
+- name: Enable & Restart supervisor systemd service, if lokole_enabled
   systemd:
-    name: "{{ item }}"
+    name: supervisor
     enabled: yes
     state: restarted
   when: lokole_enabled
-  with_items:
-    - lokole
-    - celery
-    - celerybeat
-    - lokole_restarter
 
-- name: Disable & Stop all 4 (above) systemd services, if not lokole_enabled
+- name: Disable & Stop supervisor systemd service, if not lokole_enabled
   systemd:
-    name: "{{ item }}"
+    name: supervisor
     enabled: no
     state: stopped
   when: not lokole_enabled
-  with_items:    # @jvonau prefers reverse starting order, if stopping these 4
-    - lokole_restarter
-    - celerybeat
-    - celery
-    - lokole
-
-#- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
-#- name: Enable/Disable/Restart Apache if primary
-#  include_tasks: apache.yml
-#  when: not nginx_enabled
 
 - name: Enable/Disable/Restart NGINX
   include_tasks: nginx.yml
-  #when: nginx_enabled
 
 
 - name: Add 'lokole' variable values to {{ iiab_ini_file }}
@@ -79,8 +63,8 @@
       value: "{{ lokole_install }}"
     - option: lokole_enabled
       value: "{{ lokole_enabled }}"
-    - option: lokole_run_directory
+    - option: lokole_settings
-      value: "{{ lokole_run_directory }}"
+      value: "{{ lokole_settings }}"
     - option: lokole_url
       value: "{{ lokole_url }}"
     - option: lokole_full_url

roles/lokole/tasks/setup.yml

@@ -0,0 +1,20 @@
+- name: start supervisor
+  systemd:
+    name: supervisor
+    state: started
+
+- name: Create Lokole admin user with password, for http://box{{ lokole_url }}    # http://box/lokole
+  shell: |
+    while read envvar; do export "$envvar"; done < {{ lokole_run_dir }}/settings.env
+    {{ lokole_venv }}/bin/manage.py createadmin --name='{{ lokole_admin_user }}' --password='{{ lokole_admin_password }}'
+
+- name: Change owner of dbfiles
+  file:
+    path: "{{ item.path }}"
+    state: file
+    owner: "{{ lokole_user }}"
+    group: "{{ lokole_user }}"
+    mode: u=rw
+  loop:
+    - { path: "{{ lokole_run_dir }}/users.sqlite3" }
+#    - { path: "{{ lokole_run_dir }}/celery.sqlite3" }

roles/lokole/templates/lokole_celery_beat.conf

@@ -0,0 +1,10 @@
+[program:lokole_celery_beat]
+command={{ lokole_venv }}/bin/celery --app=opwen_email_client.webapp.tasks beat --pidfile={{ lokole_run_dir }}/lokole_celery_beat.pid --loglevel=error
+autostart=true
+autorestart=true
+startretries=3
+stopasgroup=true
+stderr_logfile={{ lokole_log_dir }}/lokole_celery_beat.stderr.log
+stdout_logfile={{ lokole_log_dir }}/lokole_celery_beat.stdout.log
+user={{ lokole_user }}
+environment=OPWEN_SETTINGS={{ lokole_settings }}

roles/lokole/templates/lokole_celery_worker.conf

@@ -0,0 +1,10 @@
+[program:lokole_celery_worker]
+command={{ lokole_venv }}/bin/celery --app=opwen_email_client.webapp.tasks worker --loglevel=error --concurrency=2
+autostart=true
+autorestart=true
+startretries=3
+stopasgroup=true
+stderr_logfile={{ lokole_log_dir }}/lokole_celery_worker.stderr.log
+stdout_logfile={{ lokole_log_dir }}/lokole_celery_worker.stdout.log
+user={{ lokole_user }}
+environment=OPWEN_SETTINGS={{ lokole_settings }}

roles/lokole/templates/lokole_gunicorn.conf

@@ -0,0 +1,10 @@
+[program:lokole_gunicorn]
+command={{ lokole_venv }}/bin/gunicorn --bind=unix:{{ lokole_run_dir }}/lokole_gunicorn.sock --timeout=300 --workers=3 --log-level=error opwen_email_client.webapp:app
+autostart=true
+autorestart=true
+startretries=3
+stopasgroup=true
+stderr_logfile={{ lokole_log_dir }}/lokole_gunicorn.stderr.log
+stdout_logfile={{ lokole_log_dir }}/lokole_gunicorn.stdout.log
+user={{ lokole_user }}
+environment=OPWEN_SETTINGS={{ lokole_settings }}

roles/lokole/templates/lokole_restarter.conf

@@ -0,0 +1,10 @@
+[program:lokole_restarter]
+command={{ lokole_venv }}/bin/manage.py restarter --directory={{ lokole_run_dir }}/lokole_restarter
+autostart=true
+autorestart=true
+startretries=3
+stopasgroup=true
+stderr_logfile={{ lokole_log_dir }}/lokole_restarter.stderr.log
+stdout_logfile={{ lokole_log_dir }}/lokole_restarter.stdout.log
+user=root
+environment=OPWEN_SETTINGS={{ lokole_settings }}

roles/lokole/templates/settings.env.j2

@@ -1,8 +1,11 @@
-OPWEN_SETTINGS='{{ lokole_run_directory }}/settings.env'
+OPWEN_SETTINGS={{ lokole_run_dir }}/settings.env
-OPWEN_STATE_DIRECTORY='{{ lokole_run_directory }}'
+OPWEN_STATE_DIRECTORY={{ lokole_run_dir }}
-OPWEN_APP_ROOT='{{ lokole_url }}/'
+OPWEN_APP_ROOT={{ lokole_url }}/
 OPWEN_MAX_UPLOAD_SIZE_MB=10
-OPWEN_SYNC_SCHEDULE='1,16,31,46 * * * *'
+OPWEN_SYNC_SCHEDULE="1,16,31,46 * * * *"
-OPWEN_SESSION_KEY='{{ lookup('password', '/dev/null chars=ascii_letters,digits,_ length=32') }}'
+OPWEN_RESTART_PATH={{ lokole_run_dir }}/lokole_restarter/lokole_gunicorn=HUP,{{ lokole_run_dir }}/lokole_restarter/lokole_celery_worker=,{{ lokole_run_dir }}/lokole_restarter/lokole_celery_beat=
-OPWEN_PASSWORD_SALT='{{ lookup('password', '/dev/null chars=ascii_letters,digits,_ length=16') }}'
+OPWEN_SESSION_KEY={{ lokole_key }}
-OPWEN_SIM_TYPE='{{ lokole_sim_type }}'
+OPWEN_SECRET_KEY={{ lokole_key }}
+OPWEN_PASSWORD_SALT={{ lokole_salt }}
+OPWEN_SIM_TYPE={{ lokole_sim_type }}
+OPWEN_CLIENT_NAME={{ lokole_client_id }}

roles/mediawiki/defaults/main.yml

@@ -4,8 +4,8 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
-mediawiki_major_version: 1.35    # "1.35" also works
+mediawiki_major_version: 1.36    # "1.35" also works
-mediawiki_minor_version: 2
+mediawiki_minor_version: 1
 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
 
 mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"

roles/mediawiki/tasks/install.yml

@@ -1,10 +1,23 @@
-- name: 'Install packages: php{{ php_version }}-intl, php{{ php_version }}-mbstring'
+# https://www.mediawiki.org/wiki/Manual:Installation_requirements#PHP
+- name: 'Install packages: php{{ php_version }}-intl, php{{ php_version }}-mbstring, php{{ php_version }}-xml'
   package:
     name:
-      - "php{{ php_version }}-intl"
+      #- php{{ php_version }}-common     # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - "php{{ php_version }}-mbstring"
+      - php{{ php_version }}-intl        # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
+      #- php{{ php_version }}-json       # See stanza just below
+      - php{{ php_version }}-mbstring    # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-xml         # 2021-06-27: REQUIRED (AND ENFORCED) despite this being missing from MediaWiki's above requirements doc!  Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml
     state: present
 
+# For PHP >= 8.0: phpX.Y-json is baked into PHP itself.
+# For PHP <  8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json
+#
+#- name: Install php{{ php_version }}-json if PHP < 8.0
+#  package:
+#    name: php{{ php_version }}-json
+#    state: present
+#  when: php_version is version('8.0', '<')
+
 - name: Download {{ mediawiki_download_base_url }}/{{ mediawiki_src }} to {{ downloads_dir }}
   get_url:
     url: "{{ mediawiki_download_base_url }}/{{ mediawiki_src }}"
@@ -18,7 +31,7 @@
   unarchive:
     src: "{{ downloads_dir }}/{{ mediawiki_src }}"
     dest: "{{ mediawiki_install_path }}"    # /library
-    owner: "{{ apache_user }}"
+    owner: "{{ apache_user }}"    # www-data on debuntu
     group: "{{ apache_user }}"
     mode: u+rw,g+r,o+r    # '0755' forced executable bits on files
     keep_newer: yes
@@ -31,7 +44,7 @@
 
 - name: Start MySQL systemd service ({{ mysql_service }}) so we can create db
   systemd:
-    name: "{{ mysql_service }}"
+    name: "{{ mysql_service }}"    # mariadb on debuntu
     state: started
 
 - name: Create MySQL database {{ mediawiki_db_name }}
@@ -64,7 +77,7 @@
     chdir: "{{ mediawiki_abs_path }}"    # /library/mediawiki-1.XY.Z
     creates: "{{ mediawiki_abs_path }}/LocalSettings.php"
 
-- name: Configure wgArticlePath variable in {{ mediawiki_abs_path }}/LocalSettings.php
+- name: Configure $wgArticlePath variable in {{ mediawiki_abs_path }}/LocalSettings.php
   lineinfile:
     path: "{{ mediawiki_abs_path }}/LocalSettings.php"    # /library/mediawiki-1.XY.Z
     line: '$wgArticlePath = "/wiki/$1";'

roles/moodle/defaults/main.yml

@@ -1,5 +1,5 @@
-# If using Moodle intensively, consider setting nginx_high_php_limits in:
+# 2021-07-02 WARNING: Stage 4's roles/www_options/tasks/main.yml FORCES
-# /etc/iiab/local_vars.yml
+# (the equivalent of) 'nginx_high_php_limits: True' if 'moodle_install: True'
 
 # moodle_install: False
 # moodle_enabled: False
@@ -8,7 +8,7 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
 moodle_version: 311
-moodle_repo_url: https://github.com/moodle/moodle.git
+moodle_repo_url: https://github.com/moodle/moodle
 #moodle_repo_url: git://git.moodle.org/moodle.git    # 2020-10-16: VERY Slow!
 moodle_base: "{{ iiab_base }}/moodle"    # /opt/iiab
 moodle_data: "{{ content_base }}/moodle"    # /library

roles/moodle/tasks/install.yml

@@ -1,11 +1,10 @@
-- name: "Set 'apache_install: True' and 'apache_enabled: True'"
+# 2021-05-22: FYI nginx_high_php_limits is effectively now auto-enabled by
-  set_fact:
+# www_options/tasks/main.yml#L100-L112 (as required by Moodle 3.11 w/ PHP 8) IF
-    apache_install: True
+# 'moodle_install: True'. Happens at the end of 4-server-options/tasks/main.yml
-    apache_enabled: True
+# See the 6 settings in /etc/php/{{ php_version }}/fpm/php.ini
 
-- name: APACHE - run 'httpd' role
+# 2021-06-28: This ALSO now happens in /etc/php/{{ php_version }}/cli/php.ini
-  include_role:
+# (as required by Moodle's CLI installer, DESPITE it using fpm/php.ini later!)
-    name: httpd
 
 
 - name: "Set 'postgresql_install: True' and 'postgresql_enabled: True'"
@@ -18,70 +17,55 @@
     name: postgresql
 
 
-- name: Install 8 php packages (debuntu)
+# 2021-07-02: Let's monitor & learn from these 2 pages year-by-year:
+# https://docs.moodle.org/19/en/PHP_settings_by_Moodle_version#PHP_Extensions_and_libraries
+# https://github.com/moodlebox/moodlebox/blob/master/roles/packages/vars/main.yml
+- name: Install ghostscript + libsodium23 + 8 PHP packages (run 'php -m' or 'php -i' to verify)
   package:
     name:
-      - php{{ php_version }}-pgsql
+      #- php-apcu                        # 2021-07-02: Experiment with fewer dependencies
-      - php{{ php_version }}-curl
+      - ghostscript                      # 2021-07-02: OPTIONAL -- but useful for annotation of PDF's / assignments
-      - php{{ php_version }}-zip
+      - libsodium23                      # 2021-06-28: Likewise installed in nginx/tasks/install.yml via php{{ php_version }}-fpm AND httpd/tasks/install.yml via libapache2-mod-php{{ php_version }} AND wordpress/tasks/install.yml -- it can ALSO be auto-installed by phpX.Y-cgi OR phpX.Y-cli as confirmed by 'apt rdepends libsodium23' -- Recommended by Moodle 3.11+ at https://docs.moodle.org/311/en/Environment_-_PHP_extension_sodium -- whereas https://www.php.net/manual/en/sodium.installation.php says it's always bundled with PHP 7.2+ -- VERIFY USING 'php -i | grep sodium' AND 'apt list "*sodium*"'
-      - php{{ php_version }}-gd
+      #- php{{ php_version }}-common     # 2021-06-27: Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - php{{ php_version }}-mbstring    # 2020-06-15: Required by Moodle 3.9+
+      #- php{{ php_version }}-cli        # 2021-06-27: Compare to php{{ php_version }}-common just above!  2020-06-15: In the past this included (below) mbstring?  However this is not true on Ubuntu Server 20.04 LTS.
-      - php{{ php_version }}-cli         # 2020-06-15: In the past this included (above) mbstring? However this is not true on Ubuntu Server 20.04 LTS.
+      - php{{ php_version }}-curl        # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
-      - php{{ php_version }}-intl        # 2020-12-03: Required by Moodle 3.10+
+      - php{{ php_version }}-gd          # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
+      - php{{ php_version }}-intl        # 2020-12-03: Required by Moodle 3.10+ -- Likewise installed in mediawiki/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-mbstring    # 2020-06-15: Required by Moodle 3.9+ -- Likewise installed in mediawiki/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-pgsql       # 2021-06-27: Required for PostgreSQL
+      #- php{{ php_version }}-json       # 2021-07-02: Not requested by Moodle's PHP doc above.  Package baked into PHP 8+.  FWIW with PHP < 8, phpX.Y-json is already auto-installed by phpX.Y-fpm in 3-base-server's nginx/tasks/install.yml
+      #- php{{ php_version }}-opcache    # 2021-07-02: Experiment with fewer dependencies
+      #- php{{ php_version }}-readline   # 2021-07-02: Experiment with fewer dependencies
       - php{{ php_version }}-soap        # 2020-12-03: Recommended by Moodle 3.10+
-      #- php-sodium                      # 2021-05-17: Recommended by Moodle 3.11+ at https://docs.moodle.org/311/en/Environment_-_PHP_extension_sodium AND ALREADY PRE-ENABLED BY PHP 7.2+ https://www.php.net/manual/en/sodium.installation.php AS CONFIRMED BY 'php -i | grep sodium' AND 'apt list "*sodium*"'
+      - php{{ php_version }}-xml         # 2021-06-28: Likewise installed in mediawiki/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
+      #- php{{ php_version }}-xmlrpc     # 2021-07-02: Doesn't exist with PHP 8.0 -- officially required per https://docs.moodle.org/19/en/PHP_settings_by_Moodle_version#PHP_Extensions_and_libraries BUT UNMAINTAINED FOR YEARS (POSSIBLE SECURITY RISK) SO MOVED TO PECL: https://php.watch/versions/8.0/xmlrpc
+      - php{{ php_version }}-zip         # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
     state: present
-  when: is_debuntu
 
-- name: Does {{ moodle_base }}/config-dist.php exist? (indicating Moodle is/was installed)
+- name: Download (clone) {{ moodle_repo_url }} to {{ moodle_base }} (~350MB initially, ~371MB later)
-  stat:
-    path: "{{ moodle_base }}/config-dist.php"    # /opt/iiab/moodle
-  register: moodle
-
-- name: Clone (i.e. use git to download) {{ moodle_repo_url }} to {{ moodle_base }} (~300 MB)
   git:
-    repo: "{{ moodle_repo_url }}"
+    repo: "{{ moodle_repo_url }}"    # https://github.com/moodle/moodle
-    dest: "{{ moodle_base }}"
+    dest: "{{ moodle_base }}"        # /opt/iiab/moodle
     depth: 1
-    force: yes
     version: "MOODLE_{{ moodle_version }}_STABLE"
     #version: master   # TEMPORARY DURING MAY 2018 TESTING, installed 3.5beta+ = https://download.moodle.org/releases/development/
   #ignore_errors: yes
-  when: internet_available and moodle.stat.exists is defined and not moodle.stat.exists
 
-- name: Create dir {{ moodle_base }} owned by {{ apache_user }} (for config file?)
+- name: chown -R {{ apache_user }}:{{ apache_user }} {{ moodle_base }} (by default dirs 755 & files 644)
   file:
-    state: directory
     path: "{{ moodle_base }}"
     owner: "{{ apache_user }}"    # www-data
+    group: "{{ apache_user }}"
     recurse: yes
 
-- name: Create dir {{ content_base }}/dbdata/moodle owned by {{ apache_user }}
+- name: Create dir {{ moodle_data }} ({{ apache_user }}:{{ apache_user }}) (by default 755 = drwxr-xr-x initially, but moodle_installer sets drwxrwsrwx below)
-  file:
-    state: directory
-    path: "{{ content_base }}/dbdata/moodle"    # /library
-    owner: "{{ apache_user }}"
-
-- name: Create dir {{ moodle_data }} ({{ apache_user }}:{{ apache_user }}, '0770')
   file:
     state: directory
     path: "{{ moodle_data }}"    # /library/moodle
     owner: "{{ apache_user }}"
     group: "{{ apache_user }}"
-    #mode: '0770'    # Regardless, permissions end up as: drwxrwsrwx
 
-- name: Remove stock /etc/{{ apache_conf_dir }}/moodle.conf
-  file:
-    path: "/etc/{{ apache_conf_dir }}/moodle.conf"    # apache2/sites-available
-    state: absent
 
-# 2021-02-01: Not nec if we can hopefully migrate from Apache to NGINX soon!
-- name: Install /etc/{{ apache_conf_dir }}/022-moodle.conf from template
-  template:
-    src: 022-moodle.j2
-    dest: "/etc/{{ apache_conf_dir }}/022-moodle.conf"
-
-# roles/postgresql/templates/postgresql-iiab.service WAS INSTALLED HERE:
 # /etc/systemd/system/postgresql-iiab.service
 - name: Start 'postgresql-iiab' systemd service, to configure Moodle's DB
   systemd:
@@ -108,38 +92,53 @@
   become: yes
   become_user: postgres
 
-- name: Install {{ moodle_base }}/moodle_installer from template ('0755')
-  template:
-    src: moodle_installer
-    dest: "{{ moodle_base }}"
-    mode: '0755'
-
 - name: (Re)Start 'postgresql-iiab' systemd service
   systemd:
     name: postgresql-iiab
     state: restarted
     #enabled: yes    # Service ends up enabled regardless
 
-- name: (Re)Start '{{ apache_service }}' systemd service
-  systemd:
-    name: "{{ apache_service }}"
-    state: restarted
 
-- name: Does {{ moodle_base }}/config.php exist?
+- name: Install {{ moodle_base }}/moodle_installer from template (0755)
-  stat:
+  template:
-    path: "{{ moodle_base }}/config.php"
+    src: moodle_installer
-  register: config
+    dest: "{{ moodle_base }}"
+    mode: 0755
 
-- name: Execute {{ moodle_base }}/moodle_installer
+- name: Execute {{ moodle_base }}/moodle_installer IF {{ moodle_base }}/config.php doesn't yet exist -- REQUIRES 'max_input_vars = 5000' (or higher) in /etc/php/{{ php_version }}/cli/php.ini with PHP 8+ (as set up by www_options/tasks/main.yml) -- WHEREAS LATER Moodle uses /etc/php/{{ php_version }}/fpm/php.ini during regular operation
   shell: "{{ moodle_base }}/moodle_installer"
-  when: config.stat.exists is defined and not config.stat.exists
+  args:
+    creates: "{{ moodle_base }}/config.php"
 
-# 2021-02-01: Let's stick with Moodle's default (640)
+# 2021-07-05: For /opt/iiab/moodle, let's stick with default permissions from
-#- name: Make {{ moodle_base }}/config.php readable, with permission '0644'
+# above (755 dirs & 644 files), and ownership (www-data:www-data), as we do in
-#  #command: chown -R {{ apache_user }} {{ moodle_base }}
+# moodle/tasks/mathjax.yml
-#  file:
+
-#    path: "{{ moodle_base }}/config.php"    # /opt/iiab/moodle
+# 2021-07-05: Seems like a good idea but Moodle's permissions recommendations
-#    mode: '0644'
+# at https://docs.moodle.org/20/en/Creating_Moodle_site_data_directory don't
+# actually mandate this:
+#
+# - name: chmod -R o-rwx {{ moodle_data }} e.g. drwxrwsrwx to drwxrws---
+#   file:
+#     path: "{{ moodle_data }}"    # /library/moodle
+#     mode: o-rwx
+#     recurse: yes
+
+# https://docs.moodle.org/311/en/Nginx#XSendfile_aka_X-Accel-Redirect
+# https://github.com/moodle/moodle/blob/master/config-dist.php#L274-L287
+- name: Write extra parameters to {{ moodle_base }}/config.php -- "Setting Moodle and Nginx to use XSendfile functionality is a big win as it frees PHP from delivering files allowing Nginx to do what it does best, i.e. deliver files"
+  lineinfile:
+    path: "{{ moodle_base }}/config.php"
+    line: '$CFG->{{ item.name }} = {{ item.value }};'
+    insertbefore: '^\$CFG->directorypermissions'
+  with_items:
+    #- { name: 'backuptempdir', value: "'{{ moodlebox_moodle_data_dir }}/backup'" }
+    - { name: 'xsendfile', value: "'X-Accel-Redirect'" }
+    - { name: 'xsendfilealiases', value: "array('/dataroot/' => $CFG->dataroot)" }
+    #- { name: 'customfiletypes', value: "array(\n  (object)array(\n    'extension' => 'crt',\n    'icon' => 'sourcecode',\n    'type' => 'application/x-x509-ca-cert',\n    'customdescription' => 'X.509 CA certificate'\n  )\n)"}
+    #- { name: 'showcampaigncontent', value: 'false' }
+
+- include_tasks: mathjax.yml
 
 
 # RECORD Moodle AS INSTALLED

roles/moodle/tasks/main.yml

@@ -29,19 +29,16 @@
     postgresql_install: True
     postgresql_enabled: True    # Revert just below if...
 
-- name: "Set 'postgresql_enabled: False' if 'not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)'"
+- name: "Set 'postgresql_enabled: False' if not moodle_enabled"
   set_fact:
     postgresql_enabled: False
-  when: not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)
+  when: not moodle_enabled    # and not (pathagar_enabled is defined and pathagar_enabled)
 
 - name: POSTGRESQL - run 'postgresql' role (Enable&Start or Disable&Stop PostgreSQL)
   include_role:
     name: postgresql
 
 
-- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
-  include_tasks: apache.yml
-
 - name: Enable/Disable/Restart NGINX
   include_tasks: nginx.yml
 

roles/moodle/tasks/mathjax.yml

@@ -0,0 +1,27 @@
+# 2021-07-05: Thanks to https://github.com/moodlebox/moodlebox/blob/master/roles/moodleinstall/tasks/mathjax.yml
+
+# Verify this Moodle plugin after installation at:
+# http://box.lan/moodle/admin/plugins.php
+# http://box.lan/moodle/admin/settings.php?section=filtersettingmathjaxloader
+
+- name: Download (clone) MathJax library/plugin from https://github.com/mathjax/MathJax to {{ moodle_base }}/lib/MathJax
+  git:
+    repo: https://github.com/mathjax/MathJax    # Or: git://github.com/mathjax/MathJax.git
+    dest: "{{ moodle_base }}/lib/MathJax"       # /opt/iiab/moodle
+    #version: "{{ moodle_mathjax_version }}"    # 2021-07-05: https://github.com/moodlebox/moodlebox/blob/master/default.config.yml uses 2.7.9 from 2020-08-25 -- whereas https://github.com/mathjax/MathJax/releases offers 3.2.0 from 2021-07-17
+    depth: 1
+
+- name: chown -R {{ apache_user }}:{{ apache_user }} {{ moodle_base }}/lib/MathJax
+  file:
+    path: "{{ moodle_base }}/lib/MathJax"
+    owner: "{{ apache_user }}"    # www-data
+    group: "{{ apache_user }}"    # MoodleBox uses {{ moodlebox_username }} set to 'moodlebox' in https://github.com/moodlebox/moodlebox/blob/master/default.config.yml
+    #mode: ug+w,o-w               # 2021-07-05: Let's stick with Moodle's default (755 dirs & 644 files), as we do in moodle/tasks/install.yml
+    recurse: yes
+
+# SEE https://github.com/moodle/moodle/blob/master/filter/mathjaxloader/lang/en/filter_mathjaxloader.php
+- name: Run {{ moodle_base }}/admin/cli/cfg.php --component=filter_mathjaxloader to change MathJax library/plugin URL
+  command: >
+    /usr/bin/php {{ moodle_base }}/admin/cli/cfg.php --component=filter_mathjaxloader --name=httpsurl --set=/lib/MathJax/MathJax.js
+  register: mathjax_url_result
+  changed_when: mathjax_url_result.rc == 0

roles/moodle/templates/moodle-nginx.conf.j2

@@ -1,13 +1,37 @@
-location /moodle {
+# 2021-07-02: Let's monitor & learn from these 3 pages year-by-year:
-    proxy_set_header X-Real-IP  $remote_addr;
+# https://docs.moodle.org/311/en/Nginx
-    proxy_set_header X-Forwarded-For $remote_addr;
+# https://github.com/moodlebox/moodlebox/blob/master/roles/moodleinstall/tasks/coreinstall.yml
-    proxy_set_header Host $host;
+# https://github.com/moodlebox/moodlebox/blob/master/roles/webserver/templates/etc/nginx/sites-available/default.j2
-    proxy_pass http://127.0.0.1:{{ apache_port }};
+
+# This passes 404 pages to Moodle so they can be themed
+#error_page 404 /error/index.php;    error_page 403 =404 /error/index.php;
+
+# https://docs.moodle.org/311/en/Nginx#XSendfile_aka_X-Accel-Redirect
+# https://github.com/moodle/moodle/blob/master/config-dist.php#L274-L287
+location /dataroot/ {
+    internal;
+    alias {{ moodle_data }}/;
 }
 
-location ~ ^/moodle.*\.php$ {
+location ~ ^/moodle(.*)\.php(.*)$ {
-    proxy_set_header X-Real-IP  $remote_addr;
+    alias {{ moodle_base }}$1.php$2;
-    proxy_set_header X-Forwarded-For $remote_addr;
+
-    proxy_set_header Host $host;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    proxy_pass http://127.0.0.1:{{ apache_port }};
+    fastcgi_index index.php;
+    fastcgi_pass php;
+
+    fastcgi_read_timeout 300;    # Default is 60s
+
+    include fastcgi_params;    # fastcgi.conf also works
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+
+    # Uncomment to override /etc/php/<VERSION>/fpm/php.ini -- FYI Stage 4's
+    # roles/www_options/tasks/main.yml FORCES these same settings and more
+    # (equivalent to 'nginx_high_php_limits: True') when 'moodle_install: True' 
+    #fastcgi_param PHP_VALUE "max_execution_time=300\n upload_max_filesize=500M\n post_max_size=500M\n max_input_vars=5000";
+}
+
+location ~ ^/moodle {
+    root {{ iiab_base }};
 }

roles/moodle/templates/moodle-nginx.conf.j2.native

@@ -1,16 +0,0 @@
-location ^/moodle {
-   alias /opt/iiab/moodle;
-   try_files $uri $uri/ index.php =404;
-}
-location ~ /moodle/(.*)\.php {
-    root /opt/iiab/;
-    proxy_set_header X-Real-IP  $remote_addr;
-    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_set_header Host $host;
-    include fastcgi_params;
-    fastcgi_index index.php;
-    fastcgi_pass php;
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
-    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
-}

roles/moodle/templates/moodle-nginx.conf.j2.unused

@@ -0,0 +1,13 @@
+location /moodle {
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:{{ apache_port }};
+}
+
+location ~ ^/moodle.*\.php$ {
+    proxy_set_header X-Real-IP  $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Host $host;
+    proxy_pass http://127.0.0.1:{{ apache_port }};
+}

roles/moodle/templates/moodle_installer

@@ -6,17 +6,25 @@
 # a capital letter, in keeping with Internet-in-a-Box's other server apps?
 
 sudo -u {{ apache_user }} \
-     /usr/bin/php {{ moodle_base }}/admin/cli/install.php \
+    /usr/bin/php {{ moodle_base }}/admin/cli/install.php \
-     --wwwroot=http://{{ iiab_hostname }}.{{ iiab_domain }}/moodle \
+    --wwwroot=http://{{ iiab_hostname }}.{{ iiab_domain }}/moodle \
-     --dataroot={{ moodle_data }} \
+    --dataroot={{ moodle_data }} \
-     --dbtype=pgsql \
+    --dbtype=pgsql \
-     --dbname={{ moodle_database_name }} \
+    --dbname={{ moodle_database_name }} \
-     --dbuser=Admin --dbpass=changeme \
+    --dbuser=Admin --dbpass=changeme \
-     --fullname=Your_School \
+    --fullname=Your_School \
-     --shortname=School \
+    --shortname=School \
-     --adminuser=admin --adminpass=changeme \
+    --adminuser=admin --adminpass=changeme \
-     --non-interactive \
+    --non-interactive \
-     --agree-license \
+    --agree-license \
-     --allow-unstable   # TEMPORARY DURING MAY 2018 TESTING
+    --allow-unstable   # TEMPORARY DURING MAY 2018 TESTING
+# 2021-07-05 ideas from https://github.com/moodlebox/moodlebox/blob/master/roles/moodleinstall/tasks/coreinstall.yml :
+#    --lang=    # moodlebox_moodle_lang
+#    --dbtype=mariadb
+#    --prefix=    # moodlebox_moodle_db_prefix
+#    --summary=    # moodlebox_moodle_summary
+#    --adminemail=    # moodlebox_moodle_username @ moodlebox_hostname .invalid
+# Above vars set in https://github.com/moodlebox/moodlebox/blob/master/default.config.yml
 
-chown {{ apache_user }}:{{ apache_user }} {{ moodle_base }}/config.php
+# 2021-07-05: No longer needed
+#chown {{ apache_user }}:{{ apache_user }} {{ moodle_base }}/config.php

roles/mysql/tasks/install.yml

@@ -5,13 +5,14 @@
 # - 7 DB config
 # - 2 record as installed
 
-- name: 'Install MySQL packages: mariadb-server, mariadb-client (debuntu)'
+- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql'
   package:
     name:
       - mariadb-server
       - mariadb-client
+      #- php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
+      - php{{ php_version }}-mysql      # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
     state: present
-  when: is_debuntu
 
 # 2020-07-11:
 # 10 PHP package installs moved to roles/www_base/tasks/main.yml

roles/nextcloud/README.md

@@ -25,19 +25,20 @@ The Nextcloud suite is divided into three main categories:
 
 To further refine Nextcloud access controls based on IPv4 addresses, you can edit `/etc/apache2/sites-available/nextcloud.conf` _after_ it's created by this template: [/opt/iiab/iiab/roles/nextcloud/templates/nextcloud.conf.j2](https://github.com/iiab/iiab/blob/master/roles/nextcloud/templates/nextcloud.conf.j2)</strike>
 
-(3) Strongly consider also setting `nginx_high_php_limits: True` in your /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP.  Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network!  So _after_ install is complete, verify and evaluate these 5 settings in /etc/php/[ACTUAL PHP VERSION]/fpm/php.ini:
+(3) Strongly consider also setting `nginx_high_php_limits: True` in your /etc/iiab/local_vars.yml, to allocate important RAM/resources to PHP.  Of course, enabling this might cause excess use of RAM/disk or other resources if not calibrated to your hardware and network!  So _after_ install is complete, verify and evaluate these 6 settings in /etc/php/[ACTUAL PHP VERSION]/fpm/php.ini:
 
 - upload_max_filesize
 - post_max_size
 - memory_limit (Nextcloud recommends 512+ MB)
 - max_execution_time
 - max_input_time
+- max_input_vars (Moodle 3.11+ requires 5000+ with PHP 8+)
 
-Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_options/tasks/main.yml#L47-L51](../www_options/tasks/main.yml#L47-L51)
+Useful PHP recommendations for these settings (while largely tailored to WordPress, and aimed at very low-end hardware) can be found here: [/opt/iiab/iiab/roles/www_options/tasks/main.yml#L53-L133](../www_options/tasks/main.yml#L53-L133)
 
-(4) If you're running Nextcloud 21+ in production, carefully check that Nextcloud's latest formal prereqs (required AND recommended) are included per your community's needs.  In places like these:
+(4) If you're running Nextcloud 22+ in production, carefully check that Nextcloud's latest formal prereqs (required AND recommended) are included per your community's needs.  In places like these:
 
-- https://docs.nextcloud.com/server/21/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
+- https://docs.nextcloud.com/server/22/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
 - https://github.com/iiab/iiab/blob/master/roles/nextcloud/tasks/install.yml
 
 ## Using It

roles/nextcloud/tasks/install.yml

@@ -40,38 +40,51 @@
 #     var: php_new
 
 
-# https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
+# February 2020: See @m-anish's PR #2119 and follow-up PR #2258.
 # 2021-04-11: If you're running Nextcloud 21+ in production, carefully check the latest required AND recommended prereqs:
 # https://docs.nextcloud.com/server/21/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-- name: Install ffmpeg + libxml2 + 13 php packages
+# 2021-06-27: Use this after Nextcloud 22 is released "2021-07-06" :
+# https://docs.nextcloud.com/server/22/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
+- name: Install ffmpeg + libxml2 + 11 PHP packages (run 'php -m' or 'php -i' to verify)
   package:
     name:
       #- dnsutils    # NOT REQUESTED by Nextcloud
       - ffmpeg       # Optional (for preview generation)
       - libxml2      # php-libxml requires libxml2 >= 2.7.0
       #- libapache2-mod-php    # 2020-02-15: NO LONGER NEEDED?
-      - php{{ php_version }}-bcmath        # Highly recommended by Nextcloud 21 for "improved performance and better compatibility"
+      - php{{ php_version }}-bcmath        # Highly recommended by Nextcloud 21 for "improved performance and better compatibility" -- Likewise installed in pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
-      - php{{ php_version }}-bz2           # Optional (for extraction of apps)
+      - php{{ php_version }}-bz2           # OPTIONAL (for extraction of apps)
-      - php{{ php_version }}-cli           # Likely optional?  @jvonau says this drags in php{{ php_version }}-common as @m-anish wanted in PR #2119 / #2258
+      #- php{{ php_version }}-common       # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - php{{ php_version }}-curl
+      - php{{ php_version }}-curl          # Likewise installed in moodle/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
-      - php{{ php_version }}-gd
+      #- php{{ php_version }}-exif         # Optional (for image rotation in pictures app) but somehow already installed in our PHP core.
-      - php{{ php_version }}-gmp           # Optional (for SFTP storage)
+      - php{{ php_version }}-gd            # Likewise installed in moodle/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
-      - php{{ php_version }}-imagick       # Optional (for preview generation)
+      - php{{ php_version }}-gmp           # OPTIONAL (for SFTP storage)
-      - php{{ php_version }}-intl          # Optional (increases language translation performance and fixes sorting of non-ASCII characters)
+      - php-imagick                        # OPTIONAL (for preview generation).  BUT drags in Apache's libapache2-mod-phpX.Y etc, as confirmed by 'apt depends php-imagick' -- while php{{ php_version }}-imagick installs (despite not being shown within 'apt list "php*imagick"') it's no better -- and 'apt depends phpX.Y-imagick' mysteriously does NOT show its deps.  Likewise installed in wordpress/tasks/install.yml
-      - php{{ php_version }}-json
+      - php{{ php_version }}-intl          # OPTIONAL (increases language translation performance and fixes sorting of non-ASCII characters): Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, wordpress/tasks/install.yml
+      #- php{{ php_version }}-json         # See stanza just below
       #- php{{ php_version }}-libxml       # NOT INSTALLABLE: ENABLED BY DEFAULT (https://www.php.net/manual/en/libxml.installation.php)
-      - php{{ php_version }}-mbstring
+      - php{{ php_version }}-mbstring      # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
-      - php{{ php_version }}-mysql
+      - php{{ php_version }}-mysql         # Likewise installed in mysql/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
       #- php{{ php_version }}-openssl      # NOT INSTALLABLE: ENABLED BY DEFAULT?
-      #- php{{ php_version }}-pdo_mysql    # NOT INSTALLABLE: php-mysql handles this on all OS's?
+      #- php{{ php_version }}-pdo_mysql    # NOT INSTALLABLE: php{{ php_version }}-mysql handles this on all OS's?
       #- php{{ php_version }}-redis        # @m-anish future work?
       #- php{{ php_version }}-session      # NOT INSTALLABLE: ENABLED BY DEFAULT?
       #- php{{ php_version }}-smbclient    # Optional (SMB/CIFS integration)
-      - php{{ php_version }}-xml           # NOT FORMALLY REQUESTED by Nextcloud (BUT hopefully delivers php-simplexml if not {php-xmlreader, php-xmlwriter} on Raspbian?)
+      - php{{ php_version }}-xml           # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- Nextcloud's official requirements include {SimpleXML, XMLReader, XMLWriter} as confirmed by 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
-      - php{{ php_version }}-zip
+      #- php{{ php_version }}-xmlrpc       # 2021-06-27: Experimentally remove, as explained in moodle/tasks/install.yml
+      - php{{ php_version }}-zip           # Likewise installed in moodle/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
       #- php{{ php_version }}-zlib         # NOT INSTALLABLE: ENABLED BY DEFAULT?
     state: present
 
+# For PHP >= 8.0: phpX.Y-json is baked into PHP itself.
+# For PHP <  8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json
+#
+#- name: Install php{{ php_version }}-json if PHP < 8.0
+#  package:
+#    name: php{{ php_version }}-json
+#    state: present
+#  when: php_version is version('8.0', '<')
+
 # https://docs.nextcloud.com/server/18/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
 #- name: Install 9 additional php packages, if OS is not Raspbian (these are not available on Raspbian on RPi, as of Feb 2020)
 #  package:
@@ -94,7 +107,7 @@
     state: directory
     path: "{{ nextcloud_root_dir }}"    # /library/www/nextcloud
 
-- name: Unarchive {{ nextcloud_dl_url }} (100+ MB) to {{ nextcloud_root_dir }} (~449 MB, {{ apache_user }}:{{ apache_user }})
+- name: Unarchive {{ nextcloud_dl_url }} (100+ MB) to {{ nextcloud_root_dir }} (434-450 MB, {{ apache_user }}:{{ apache_user }})
   unarchive:
     remote_src: yes    # Overwrite even if "already exists on the target"
     src: "{{ nextcloud_dl_url }}"

roles/nextcloud/tasks/nginx.yml

@@ -16,4 +16,4 @@
     state: restarted
   with_items:
     - nginx
-    - "php{{ php_version }}-fpm"
+    - php{{ php_version }}-fpm

roles/nginx/README.md

@@ -1,27 +1,31 @@
 ### Transition to NGINX
 
-1. Initial testing strategy (December 2019 - February 2020) is to move NGINX to [port 80](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services), and proxy everything to Apache on [port 8090](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) — creating "Shims" for each IIAB App/Service in *Section iii.* below.
+1. Initial testing strategy (December 2019 - February 2020) was to move NGINX to [port 80](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services), and proxy everything to Apache on [port 8090](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) — creating "Shims" for each IIAB App/Service in *Section iii.* below.
 
-   Until "Native" NGINX is later implemented for that IIAB App/Service — allowing it to move up to *Section ii.* below.
+   Until "Native" NGINX is later implemented for each such IIAB App/Service — allowing each to move up to *Section ii.* below.
+
+   And potentially later moving each up to *Section i.* if its Apache support is dropped!
 
-   And potentially later moving it up to *Section i.* if its Apache support is dropped!
-   
    (Background: IIAB Apps/Services are generally [Ansible roles](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible) that live in [/opt/iiab/iiab/roles](https://github.com/iiab/iiab/tree/master/roles))
 
 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
 
-3. Current state of IIAB App/Service migrations as of 2021-05-15:
+3. Current state of IIAB App/Service migrations as of 2021-07-06: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
 
    1. These support "Native" NGINX but ***NOT*** Apache
+
       * Admin Console
       * captiveportal
       * IIAB documentation (http://box/info)
       * jupyterhub
+      * moodle
+      * nodered
       * osm-vector-maps
       * OER2Go/RACHEL modules
       * usb_lib
 
    2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
+
       * awstats
       * calibre-web
       * gitea
@@ -34,16 +38,16 @@
       * sugarizer
       * wordpress
 
-   3. These support Apache but ***NOT*** "Native" NGINX.  They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of IIAB Apps/Services that auto-enable Apache.
+   3. These support Apache but ***NOT*** "Native" NGINX.  They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache.
+
       * elgg
-      * moodle
-      * nodered
 
    4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations).  In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite)
+
       * bluetooth
       * calibre (menu goes directly to port 8080)
-      * cups [(available on port 631) * shim not yet in place.]
+      * cups (menu goes directly to port 631) [*, shim not yet in place, [PR #2775](https://github.com/iiab/iiab/pull/2775)]
-      * internetarchive (menu goes directly to port 4244, [PR #2120](https://github.com/iiab/iiab/pull/2120)) [*]
+      * internetarchive (menu goes directly to port 4244) [*, [PR #2120](https://github.com/iiab/iiab/pull/2120)]
       * kalite (menu goes directly to ports 8006-8008)
       * minetest
       * mosquitto
@@ -55,4 +59,4 @@
       * transmission
       * vnstat
 
-[*] The 4 above starred roles could use improvement, as of 2021-05-15.
+[*] The 4 above starred roles could use improvement, as of 2021-07-06.

roles/nginx/tasks/install.yml

@@ -5,16 +5,15 @@
   ignore_errors: yes
   # 'when: apache_installed is defined' insuff b/c mysql's php installs apache2
 
-- name: Install required and helper packages for NGINX
+- name: 'Install 5 packages for NGINX: libnginx-mod-http-subs-filter, nginx-extras, php{{ php_version }}-fpm, uwsgi, uwsgi-plugin-python3'
   package:
-    name: "{{ item }}"
+    name:
+      - libnginx-mod-http-subs-filter
+      - nginx-extras
+      - php{{ php_version }}-fpm    # Drags in [1] php{{ php_version }}-cli (superset of php{{ php_version }}-common) [2] libsodium23 (likewise installed in moodle/tasks/install.yml AND wordpress/tasks/install.yml) [3] php{{ php_version }}-json if PHP < 8.0 (NEEDED FOR nextcloud/tasks/install.yml AND pbx/tasks/freepbx_dependencies.yml AND wordpress/tasks/install.yml)
+      - uwsgi                   # Admin Console & roles/captiveportal should really install
+      - uwsgi-plugin-python3    # these 2 packages on demand (not every IIAB needs these).
     state: present
-  with_items:
-    - nginx-extras
-    - uwsgi
-    - uwsgi-plugin-python3
-    - php-fpm
-    - libnginx-mod-http-subs-filter
 
 # 2020-10-16: Removed per #2560
 #- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
@@ -27,7 +26,7 @@
     path: /etc/nginx/sites-enabled/default
     state: absent
 
-- name: 'Install 2 (of 4) files from template: /etc/nginx/server.conf, /etc/nginx/nginx.conf'
+- name: 'Install 3 (of 5) files from template: /etc/nginx/server.conf, /etc/nginx/nginx.conf, /etc/nginx/mime.types'
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"

roles/nginx/templates/nginx.conf.j2

@@ -1,6 +1,6 @@
 # IIAB notes:
-# /etc/nginx/sites-enabled is for server declarations
+# /etc/nginx/conf.d/* are included by /etc/nginx/server.conf
-# /etc/nginx/conf.d is for location declarations within the main server block
+# /etc/nginx/sites-enabled/*.conf includes other sites
 
 user www-data;
 worker_processes auto;
@@ -79,6 +79,13 @@ http {
         ''      close;
     }
 
+    # 2021-06-22: Enables HTTP/1.1 byte-range, so Kolibri videos play on Apple
+    # and LG devices: https://github.com/learningequality/kolibri/issues/8164
+    # http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_force_ranges
+    # This should help all roles!  RECAP: when unproxied, Kolibri videos worked
+    # (http://box:8009/kolibri/) but not when proxied (http://box/kolibri/).
+    proxy_force_ranges on;
+
     ##
     # Virtual Host Configs
     ##

roles/nginx/templates/server.conf.j2

@@ -1,35 +1,35 @@
 server {
-      root {{ doc_root }};
+    root {{ doc_root }};
-      server_name {{ iiab_hostname }};
+    server_name {{ iiab_hostname }};
-      listen 80;
+    listen 80;
- 
-      index  index.php index.html index.htm;
 
-      # let individual services drop location blocks in conf.d
+    index index.php index.html index.htm;
-      include {{ nginx_conf_dir }}/*;
- 
-      location ~ .*\.php$ {
-          proxy_set_header X-Real-IP  $remote_addr;
-          proxy_set_header X-Forwarded-For $remote_addr;
-          proxy_set_header Host $host;
-          fastcgi_pass php;
-          fastcgi_index index.php;
-          fastcgi_split_path_info ^(.+\.php)(/.+)$;
-          fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
-          fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
-          include fastcgi_params;
-       }
- 
-      location /cgi-bin {
-         root /usr/lib;
-      }
 
-       # if you don't like seeing all the errors for missing favicon.ico in root
+    # let individual services drop location blocks in conf.d
-       location = /favicon.ico { access_log off; log_not_found off; }
+    include {{ nginx_conf_dir }}/*;
- 
+
-       # if you don't like seeing errors for a missing robots.txt in root
+    location ~ .*\.php$ {
-       location = /robots.txt { access_log off; log_not_found off; }
+        proxy_set_header X-Real-IP  $remote_addr;
- 
+        proxy_set_header X-Forwarded-For $remote_addr;
-       # this will prevent files like .htaccess .htpassword .secret etc from being served
+        proxy_set_header Host $host;
-       location ~ /\. { deny all; }
+        fastcgi_pass php;
+        fastcgi_index index.php;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+        include fastcgi_params;
+    }
+
+    location /cgi-bin {
+        root /usr/lib;
+    }
+
+    # if you don't like seeing all the errors for missing favicon.ico in root
+    location = /favicon.ico { access_log off; log_not_found off; }
+
+    # if you don't like seeing errors for a missing robots.txt in root
+    location = /robots.txt { access_log off; log_not_found off; }
+
+    # this will prevent files like .htaccess .htpassword .secret etc from being served
+    location ~ /\. { deny all; }
 }

roles/nodejs/defaults/main.yml

@@ -1,15 +1,11 @@
-# 2020-01-23: nodejs_install is completely ignored as Node.js is installed on
+# 2021-06-17: BOTH VALUES BELOW ARE INITIALLY IGNORED as Node.js is installed
-# demand as a dependency -- by Node-RED, Sugarizer and/or Internet Archive --
+# on demand as a dependency by 4 roles -- internetarchive (Internet Archive),
-# but for now we set fake value 'nodejs_install: True' for
+# nodered (Node-RED), pbx (Asterix, FreePBX) &/or Sugarizer:
-# 'nodejs_installed is defined' tests e.g. in 0-init/tasks/validate_vars.yml
 
-# nodejs_install: True
+# nodejs_install: False
 # nodejs_enabled: False
 
-# Node.js version used by roles/nodejs/tasks/main.yml for 3 roles:
+# nodejs_version: 16.x    # was 8.x til 2019-02-02, 10.x til 2019-12-21, 12.x til 2020-10-29, 14.x til 2021-06-17
-# nodered (Node-RED), pbx (Asterix, FreePBX) & sugarizer (Sugarizer)
-
-# nodejs_version: 14.x    # was 8.x til 2019-02-02, 10.x til 2019-12-21, 12.x til 2020-10-29
 
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

roles/nodejs/tasks/install.yml

@@ -32,7 +32,7 @@
 #      /etc/iiab/local_vars.yml -- then re-run this IIAB installer.
 #  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stderr == ""
 
-# Forces < 12 or > 12 to be removed, ignored if file is absent
+# Forces < 16.x or > 16.x to be removed, ignored if file is absent
 - name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }}
   file:
     state: absent
@@ -40,14 +40,14 @@
   when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
 
 # BRUTAL but ensures consistency across OS's / distros like Raspbian Desktop & Ubermix that often include an older version of Node.js
-# Forces < 12 or > 12 to be uninstalled
+# Forces < 16.x or > 16.x to be uninstalled
 - name: ASK apt/yum/dnf TO REMOVE PRE-EXISTING Node.js {{ nodejs_version_installed.stdout }} (IF IT'S NOT {{ nodejs_version }})
   package:
     name: nodejs
     state: absent
   when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
 
-# Forces == 12
+# Forces == 16.x
 - name: Warn if Node.js {{ nodejs_version}} already installed & might be updated
   debug:
     msg: "WARN: YOUR Node.js {{ nodejs_version }} MIGHT NOW BE UPDATED USING nodesource.com"

roles/nodejs/tasks/main.yml

@@ -1,4 +1,4 @@
-# SEE VAR nodejs_version: 14.x IN /opt/iiab/iiab/vars/default_vars.yml (FOR
+# SEE VAR nodejs_version: 16.x IN /opt/iiab/iiab/vars/default_vars.yml (FOR
 # NOW!) AND IF NEC OVERRIDE THIS IN /etc/iiab/local_vars.yml
 
 # Duplicate Node.js code unified by @jvonau.  Revised by @holta.  Used by:

roles/nodered/tasks/install.yml

@@ -1,15 +1,5 @@
-- name: "Set 'apache_install: True' and 'apache_enabled: True'"
+# 2019-01-16: @jvonau's PR #1403 moved installation of Node.js [8.x at the time]
-  set_fact:
+# and npm to roles/nodejs/tasks/main.yml
-    apache_install: True
-    apache_enabled: True
-
-- name: APACHE - run 'httpd' role
-  include_role:
-    name: httpd
-
-
-# 2019-01-16: @jvonau's PR #1403 moved installation of Node.js (8.x for now) &
-# npm to roles/nodejs/tasks/main.yml
 
 - name: "Set 'nodejs_install: True' and 'nodejs_enabled: True'"
   set_fact:
@@ -48,7 +38,7 @@
     state: absent
   when: nodered_install
 
-# 2012-02-13: the 6 RPi stanzas below recreate Raspbian Desktop's Node-RED
+# 2019-02-13: the 6 RPi stanzas below recreate Raspbian Desktop's Node-RED
 # environment, inspired by:
 # https://nodered.org/docs/hardware/raspberrypi
 # https://github.com/node-red/raspbian-deb-package/blob/master/resources/update-nodejs-and-nodered
@@ -112,18 +102,11 @@
     dest: /etc/systemd/system/nodered.service
     # mode: '0666'
 
-- name: Install /etc/{{ apache_conf_dir }}/nodered.conf from template
-  template:
-    backup: yes
-    src: nodered.conf.j2
-    dest: "/etc/{{ apache_conf_dir }}/nodered.conf"
-    # mode: '0666'
-
 # SEE ALSO THE apache2_module SECTION IN roles/httpd/tasks/main.yml
-- name: Enable proxy_wstunnel apache2 module
+#- name: Enable proxy_wstunnel apache2 module
-  apache2_module:
+#  apache2_module:
-    state: present
+#    state: present
-    name: proxy_wstunnel
+#    name: proxy_wstunnel
 
 
 # RECORD Node-RED AS INSTALLED

roles/nodered/tasks/main.yml

@@ -39,14 +39,8 @@
     state: stopped
   when: not nodered_enabled
 
-#- name: Enable/Disable/Restart Apache if primary
+- name: Enable/Disable/Restart NGINX
-- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
-  include_tasks: apache.yml
-  #when: not nginx_enabled
-
-- name: Enable/Disable/Restart NGINX if primary
   include_tasks: nginx.yml
-  when: nginx_enabled
 
 
 - name: Add 'nodered' variable values to {{ iiab_ini_file }}

roles/nodered/templates/nodered-nginx.conf.j2

@@ -1,3 +1,26 @@
+# 'nodered_port: 1880' is set in /opt/iiab/iiab/vars/default_vars.yml
+# https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services
+
 location /nodered/ {
-  proxy_pass http://127.0.0.1:{{ apache_port }}/nodered/;
+    proxy_pass http://127.0.0.1:{{ nodered_port }}/nodered/;
+
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
 }
+
+#location /nodered/debug/ws/ {
+#    proxy_pass http://127.0.0.1:{{ nodered_port }}/nodered/debug/ws;
+#
+#    proxy_http_version 1.1;
+#    proxy_set_header Upgrade $http_upgrade;
+#    proxy_set_header Connection "upgrade";
+#}
+
+#location /nodered/comms/ {
+#    proxy_pass http://127.0.0.1:{{ nodered_port }}/nodered/comms;
+#
+#    proxy_http_version 1.1;
+#    proxy_set_header Upgrade $http_upgrade;
+#    proxy_set_header Connection "upgrade";
+#}

roles/osm-vector-maps/tasks/install.yml

@@ -170,16 +170,17 @@
     dest: "{{ vector_map_path }}/maplist/index.html"
     force: yes
 
-- name: Get packages necessary for map installation
+- name: "Install packages for map installation: python3-wget, php{{ php_version }}-sqlite3, python3-geojson, python3-pil"
   package:
     state: present
     name:
       - python3-wget
-      - "php{{ php_version }}-sqlite3"
+      #- php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
+      - php{{ php_version }}-sqlite3
       - python3-geojson
       - python3-pil
 
-- name: Copy a scripts to download tiles
+- name: Copy 6 scripts to /usr/bin, for downloading tiles
   get_url:
     url: "{{ osm_repo_url }}/{{ maps_branch }}/osm-source/pages/viewer/scripts/{{ item }}"
     dest: /usr/bin/

roles/pbx/tasks/freepbx_dependencies.yml

@@ -1,30 +1,39 @@
-- name: FreePBX - Install dependencies
+- name: FreePBX - Install dependencies (run 'php -m' or 'php -i' to verify PHP modules)
   package:
     name:
       - wget
-      - git 
+      - git
       - unixodbc     # for Asterisk CDR (Call Detail Records)
       - sudo         # required by FreePBX install script
       - net-tools    # required by FWConsole (command-line utility, that controls FreePBX)
       - cron         # required by FreePBX UCP package (User Control Panel)
       - sox          # required for CDR web-playback
-      - php 
+      #- php{{ php_version }}           # Basically drags in phpX.Y-cgi (already below!)
-      - php-pear
+      - php{{ php_version }}-bcmath     # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml
-      - php-cgi
+      - php{{ php_version }}-cgi
-      - php-common
+      #- php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - php-curl
+      - php{{ php_version }}-curl       # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
-      - php-mbstring
+      - php{{ php_version }}-fpm        # Likewise installed in nginx/tasks/install.yml
-      - php-gd
+      #- php{{ php_version }}-gettext
-      - php-mysql
+      - php{{ php_version }}-gd         # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml
-#      - php-gettext
+      - php{{ php_version }}-imap
-      - php-bcmath
+      #- php{{ php_version }}-json      # See stanza just below
-      - php-zip
+      - php{{ php_version }}-mbstring   # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
-      - php-xml
+      - php{{ php_version }}-mysql      # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
-      - php-imap
+      - php-pear                        # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
-      - php-json
+      - php{{ php_version }}-snmp
-      - php-snmp 
+      - php{{ php_version }}-xml        # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
-      - php-fpm
+      - php{{ php_version }}-zip        # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
       - libapache2-mod-php
-#      - python-mysqldb        # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
+      #- python-mysqldb        # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
       - libapache2-mpm-itk    # To serve FreePBX through a VirtualHost as asterisk user
     state: latest
+
+# For PHP >= 8.0: phpX.Y-json is baked into PHP itself.
+# For PHP <  8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json
+#
+#- name: Install php{{ php_version }}-json if PHP < 8.0
+#  package:
+#    name: php{{ php_version }}-json
+#    state: present
+#  when: php_version is version('8.0', '<')

roles/phpmyadmin/defaults/main.yml

@@ -4,6 +4,6 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
-phpmyadmin_version: 5.1.0
+phpmyadmin_version: 5.1.1
 phpmyadmin_name: "phpMyAdmin-{{ phpmyadmin_version }}-all-languages"
 phpmyadmin_dl_url: "https://files.phpmyadmin.net/phpMyAdmin/{{ phpmyadmin_version }}/{{ phpmyadmin_name }}.tar.xz"

roles/sugarizer/tasks/install.yml

@@ -29,7 +29,7 @@
 
 # 2. DOWNLOAD+LINK /opt/iiab/sugarizer
 
-- name: Clone llaske/sugarizer ({{ sugarizer_git_version }} branch/version) from GitHub to /opt/iiab/{{ sugarizer_dir_version }} (DOWNLOADS ~717 MB)
+- name: Clone llaske/sugarizer ({{ sugarizer_git_version }} branch/version) from GitHub to /opt/iiab/{{ sugarizer_dir_version }} (DOWNLOADS ~469 MB)
   git:
     repo: https://github.com/llaske/sugarizer
     dest: "{{ iiab_base }}/{{ sugarizer_dir_version }}"

roles/wordpress/tasks/install.yml

@@ -11,6 +11,33 @@
 # and security enhancements using timestamps under /library/wordpress, as these
 # can arise without warning when WordPress is online, since WordPress ~4.8
 
+# 2021-06-29: PHP modules, covering "RECOMMENDED" and "OPTIONAL" sections here:
+# https://make.wordpress.org/hosting/handbook/server-environment/
+- name: Install libsodium23 + 8 PHP packages (run 'php -m' or 'php -i' to verify)
+  package:
+    name:
+      - libsodium23                      # Likewise installed in nginx/tasks/install.yml via php{{ php_version }}-fpm AND httpd/tasks/install.yml via libapache2-mod-php{{ php_version }} AND moodle/tasks/install.yml -- it can ALSO be auto-installed by phpX.Y-cgi OR phpX.Y-cli as confirmed by 'apt rdepends libsodium23' -- VERIFY USING 'php -i | grep sodium' AND 'apt list "*sodium*"'
+      - php{{ php_version }}-bcmath      # OPTIONAL: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
+      #- php{{ php_version }}-common     # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
+      - php{{ php_version }}-curl        # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
+      - php-imagick                      # BUT drags in Apache's libapache2-mod-phpX.Y etc, as confirmed by 'apt depends php-imagick' -- while php{{ php_version }}-imagick installs (despite not being shown within 'apt list "php*imagick"') it's no better -- and 'apt depends phpX.Y-imagick' mysteriously does NOT show its deps.  Likewise installed in nextcloud/tasks/install.yml
+      - php{{ php_version }}-intl        # OPTIONAL: Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml
+      #- php{{ php_version }}-json       # See stanza just below
+      - php{{ php_version }}-mbstring    # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
+      - php{{ php_version }}-mysql       # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
+      - php{{ php_version }}-xml         # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
+      - php{{ php_version }}-zip         # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
+    state: present
+
+# For PHP >= 8.0: phpX.Y-json is baked into PHP itself.
+# For PHP <  8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json
+#
+#- name: Install php{{ php_version }}-json if PHP < 8.0
+#  package:
+#    name: php{{ php_version }}-json
+#    state: present
+#  when: php_version is version('8.0', '<')
+
 - name: Download {{ wordpress_download_base_url }}/{{ wordpress_src }} to {{ downloads_dir }}
   get_url:
     url: "{{ wordpress_download_base_url }}/{{ wordpress_src }}"

roles/www_base/tasks/main.yml

@@ -1,23 +1,26 @@
 # Role "www_base" runs here, probably in 3-BASE-SERVER.
 # Role "www_options" runs later, likely in 4-SERVER-OPTIONS.
 
-- name: 'Install ~10 PHP packages (debuntu)'
+# 2021-06-27: Antifragile roles can become less brittle by fully declaring
-  package:
+# their own dependencies (i.e. for modularity, separation-of-concerns,
-    name:
+# encapsulation, compartmentalization, scope sanity, etc).
-      # - php{{ php_version }}    # On Ubuntu 20.04 (and prob other OS's) this forces the install of: apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php{{ php_version }} ETC
+#
-      - php{{ php_version }}-common    # 2020-05-21: @jvonau suggests this to avoid Apache above.  Or its superset php{{ php_version }}-cli if absolutely nec?
+#- name: Install 10 PHP packages (run 'php -m' or 'php -i' to verify)
-      - php{{ php_version }}-curl
+#  package:
-      - php{{ php_version }}-gd
+#    name:
-      - php{{ php_version }}-imap
+#      - php{{ php_version }}           # On Ubuntu 20.04 (and prob other OS's) this unfortunately forces the install of: apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php{{ php_version }} ETC
-      - php{{ php_version }}-ldap
+#      - php{{ php_version }}-common    # 2021-06-27: @jvonau suggested this (2020-05-21) to avoid Apache packages dragged in above.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - php{{ php_version }}-mysql
+#      - php{{ php_version }}-curl      # 2021-06-30: Installed in moodle/tasks/main.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/main.yml
-      - php{{ php_version }}-odbc
+#      - php{{ php_version }}-gd        # 2021-06-30: Installed in moodle/tasks/main.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
-      - php-pear
+#      - php{{ php_version }}-imap      # 2021-06-27: Installed in pbx/tasks/freepbx_dependencies.yml
-      # - php{{ php_version }}-sqlite3    # 2020-07-10: Experimentally install this within roles/osm-vector-maps/tasks/install.yml only, as part of OSM fix PR #2464 for #2461.
+#      - php{{ php_version }}-ldap      # 2021-06-27: Experimentally remove
-      - php{{ php_version }}-xml    # Was below
+#      - php{{ php_version }}-mysql     # 2021-06-30: Installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/main.yml
-      - php{{ php_version }}-xmlrpc
+#      - php{{ php_version }}-odbc      # 2021-06-27: Experimentally remove
-    state: present
+#      - php-pear                       # 2021-06-27: REQUIRED BY ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
-  when: is_debuntu
+#      - php{{ php_version }}-sqlite3   # 2020-07-10: Installed in osm-vector-maps/tasks/install.yml as part of OSM fix PR #2464 for #2461
+#      - php{{ php_version }}-xml       # 2021-06-30: Installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/main.yml
+#      - php{{ php_version }}-xmlrpc    # 2021-06-27: Experimentally remove -- SEE EXPLANATION IN moodle/tasks/main.yml
+#    state: present
 
 - name: Using html.yml
   include_tasks: html.yml

roles/www_options/tasks/main.yml

@@ -49,17 +49,17 @@
   when:
       lxde_present.stat.exists and chromium_present.stat.exists
 
+
 - debug:
-    msg: 'THE 3 ANSIBLE STANZAS BELOW ONLY RUN... when: (moodle_install or nextcloud_install or pbx_install or wordpress_install) and nginx_enabled'
+    msg: 'THE 5 ANSIBLE STANZAS BELOW ONLY RUN... when: moodle_install or nextcloud_install or pbx_install or wordpress_install'
 
-- block:    # 3-STANZA BLOCK BEGINS
+- block:    # 5-STANZA BLOCK BEGINS
 
-  # FYI roles/nginx has already installed package php-fpm, in 3-base-server
+  # roles/nginx has installed pkg 'php{{ php_version }}-fpm' in 3-base-server
 
-  - name: Raise 2+2 PHP default values in /etc/php/{{ php_version }}/fpm/php.ini for lightweight use of WordPress/Nextcloud/Moodle/PBX (allow photos/docs up to 100MB, 100s timeouts, but preserve PHP's 128MB RAM limit)
+  - name: "Enact 'nginx_high_php_limits: False' in /etc/php/{{ php_version }}/fpm/php.ini for lightweight use of WordPress/Nextcloud/PBX (allow photos/docs up to 100MB, 100s timeouts, with 2 PHP system defaults: memory_limit = 128M, max_input_vars = 1000)"
     lineinfile:
-      path: "/etc/php/{{ php_version }}/fpm/php.ini"
+      path: /etc/php/{{ php_version }}/fpm/php.ini    # COMPARE /etc/php/{{ php_version }}/cli/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini
-      #path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
     with_items:
@@ -68,20 +68,38 @@
       - { regexp: '^max_execution_time', line: 'max_execution_time = 100    ; default is 30' }
       - { regexp: '^max_input_time', line: 'max_input_time = 100    ; default is 60' }
       - { regexp: '^memory_limit', line: 'memory_limit = 128M    ; default is 128M / Nextcloud requests 512M' }
-      - { regexp: '^max_input_vars', line: 'max_input_vars = 1000    ; default is 1000 / Moodle 3.11+ requests 5000' }
+      - { regexp: '^max_input_vars', line: 'max_input_vars = 1000    ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' }
-    when: not nginx_high_php_limits    # REMINDER: THIS ENTIRE 3-STANZA BLOCK IS ONLY INVOKED... when: (moodle_install or nextcloud_install or pbx_install or wordpress_install) and nginx_enabled
+    when: not nginx_high_php_limits and not moodle_install    # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install
 
-  # 2020-03-08: IIAB does not support uninstalling apps, so a 3rd clause
+  - name: "Enact 'nginx_high_php_limits: False' in /etc/php/{{ php_version }}/cli/php.ini for lightweight use of WordPress/Nextcloud/PBX (allow photos/docs up to 100MB, 100s timeouts, with 2 PHP system defaults: memory_limit = 128M, max_input_vars = 1000)"
-  # (to reset/restore PHP's defaults) is not necessary at this time.
+    lineinfile:
+      path: /etc/php/{{ php_version }}/cli/php.ini    # COMPARE /etc/php/{{ php_version }}/fpm/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini
+      regexp: "{{ item.regexp }}"
+      line: "{{ item.line }}"
+    with_items:
+      - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 100M    ; default is 2M' }
+      - { regexp: '^post_max_size', line: 'post_max_size = 100M    ; default is 8M' }
+      - { regexp: '^max_execution_time', line: 'max_execution_time = 100    ; default is 30' }
+      - { regexp: '^max_input_time', line: 'max_input_time = 100    ; default is 60' }
+      - { regexp: '^memory_limit', line: 'memory_limit = 128M    ; default is 128M / Nextcloud requests 512M' }
+      - { regexp: '^max_input_vars', line: 'max_input_vars = 1000    ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' }
+    when: not nginx_high_php_limits and not moodle_install    # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install
 
-  # COMPARE apache_allow_sudo further below.
+  # 2020-03-08: IIAB DOES NOT SUPPORT UNINSTALLING APPS, so additional
+  # clauses (to reset/restore PHP's defaults) are not necessary at this time.
+
+  # 2021-06-28: WITH PHP 8, MOODLE'S CLI INSTALLER UNFORTUNATELY *REQUIRES*
+  # editing /etc/php/{{ php_version }}/cli/php.ini (below) -- even though during
+  # regular operation it instead uses .../apache2/php.ini or .../fpm/php.ini
+  #
+  # SEE ALSO roles/moodle/tasks/install.yml WHERE SIMILAR SURGERY'S DONE TO
+  # /etc/php/{{ php_version }}/apache2/php.ini UNTIL MOODLE'S PORTED TO NGINX!
 
   # WARNING: This might cause excess use of RAM/disk or other resources!
-  # The 5 values below were chosen by @ericnitschke and @kananigit in ~2018.
+  # The 5 first values below were chosen by @ericnitschke and @kananigit in ~2018.
-  - name: Enact nginx_high_php_limits in /etc/php/{{ php_version }}/fpm/php.ini for schools that use WordPress/Nextcloud/Moodle/PBX intensively (allow photos/docs up to 500MB, 300s timeouts, 512MB RAM limit)
+  - name: "Enact 'nginx_high_php_limits: True' in /etc/php/{{ php_version }}/fpm/php.ini for schools that use WordPress/Moodle/Nextcloud/PBX intensively (allow photos/docs up to 500MB, 300s timeouts, memory_limit = 512M for Nextcloud, max_input_vars = 5000 for Moodle)"
     lineinfile:
-      path: "/etc/php/{{ php_version }}/fpm/php.ini"
+      path: /etc/php/{{ php_version }}/fpm/php.ini    # COMPARE /etc/php/{{ php_version }}/cli/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini
-      #path: "/etc/php/{{ php_version }}/{{ apache_service }}/php.ini"
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
     with_items:
@@ -90,15 +108,29 @@
       - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
       - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
       - { regexp: '^memory_limit', line: 'memory_limit = 512M    ; default is 128M / Nextcloud requests 512M' }
-      - { regexp: '^max_input_vars', line: 'max_input_vars = 5000    ; default is 1000 / Moodle 3.11+ requests 5000' }
+      - { regexp: '^max_input_vars', line: 'max_input_vars = 5000    ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' }
-    when: nginx_high_php_limits    # REMINDER: THIS ENTIRE 3-STANZA BLOCK IS ONLY INVOKED... when: (moodle_install or nextcloud_install or pbx_install or wordpress_install) and nginx_enabled
+    when: nginx_high_php_limits or moodle_install    # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install
+
+  - name: "Enact 'nginx_high_php_limits: True' in /etc/php/{{ php_version }}/cli/php.ini for schools that use WordPress/Moodle/Nextcloud/PBX intensively (allow photos/docs up to 500MB, 300s timeouts, memory_limit = 512M for Nextcloud, max_input_vars = 5000 for Moodle)"
+    lineinfile:
+      path: /etc/php/{{ php_version }}/cli/php.ini    # COMPARE /etc/php/{{ php_version }}/fpm/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini
+      regexp: "{{ item.regexp }}"
+      line: "{{ item.line }}"
+    with_items:
+      - { regexp: '^upload_max_filesize', line: 'upload_max_filesize = 500M    ; default is 2M' }
+      - { regexp: '^post_max_size', line: 'post_max_size = 500M    ; default is 8M' }
+      - { regexp: '^max_execution_time', line: 'max_execution_time = 300    ; default is 30' }
+      - { regexp: '^max_input_time', line: 'max_input_time = 300    ; default is 60' }
+      - { regexp: '^memory_limit', line: 'memory_limit = 512M    ; default is 128M / Nextcloud requests 512M' }
+      - { regexp: '^max_input_vars', line: 'max_input_vars = 5000    ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' }
+    when: nginx_high_php_limits or moodle_install    # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install
 
   - name: Restart 'php{{ php_version }}-fpm' systemd service
     systemd:
-      name: "php{{ php_version }}-fpm"
+      name: php{{ php_version }}-fpm
       state: restarted
 
-  when: (moodle_install or nextcloud_install or pbx_install or wordpress_install) and nginx_enabled    # 3-STANZA BLOCK ENDS
+  when: moodle_install or nextcloud_install or pbx_install or wordpress_install    # 5-STANZA BLOCK ENDS.  COMPARE apache_allow_sudo conditionals below.
 
 
 # 'Is a "Rapid Power Off" button possible for low-electricity environments?'

scripts/ansible

@@ -9,31 +9,32 @@
 
 APT_PATH=/usr/bin     # Avoids problematic /usr/local/bin/apt on Linux Mint
 CURR_VER=undefined    # Ansible version you currently have installed
-GOOD_VER=2.11.0       # Orig for 'yum install [rpm]' & XO laptops (pip install)
+GOOD_VER=2.11.2       # Orig for 'yum install [rpm]' & XO laptops (pip install)
+
+# 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and
+# .gpg key etc) are commented out with ### below.  Associated guidance/comments
+# are intentionally preserved.
 
 # 2021-05-19 PR #2743: As a result of Ansible / Red Hat / IBM's extensive
 # delays in publishing the PPA (.deb installer files) for ansible-core, this
 # file bypasses the apt approach (and associated PPA source) in favor of:
 #
-# pip3 install ansible-core
+# pip3 install --upgrade ansible-core
-#
-# What the future holds for 2022+ is not yet clear.  So the apt approach (with
-# PPA source in /etc/apt/sources.list.d and .gpg key etc) and much associated
-# guidance/comments below are NOT being commented out or deleted at this time.
 
-# We install the latest 'ansible-core' from PPA, using an OS 'CODENAME' below:
+# 2021-02-25: Latest 'ansible-base' was being installed from PPA, using either
-# https://launchpad.net/~ansible/+archive/ubuntu/ansible
+# OS 'CODENAME' below: https://launchpad.net/~ansible/+archive/ubuntu/ansible
 
 # 'lsb_release -sc' gives Mint 20 codename 'ulyana' etc: (TOO FINE-GRAINED)
-if grep -q buster /etc/os-release /etc/debian_version; then
+###if grep -q buster /etc/os-release /etc/debian_version; then
-    CODENAME=bionic    # Debian 10, RaspiOS 10 & Buster-like distros
+###    CODENAME=bionic    # Debian 10, RaspiOS 10 & Buster-like distros
-else
+###else
-    CODENAME=focal     # Debian 11+, RaspiOS 11+, Ubuntu 20.04+, Mint 20+ (ETC)
+###    CODENAME=focal     # Debian 11+, RaspiOS 11+, Ubuntu 20.04+, Mint 20+ (ETC)
-fi
+###fi
 
 # APRIL 2021 - ansible-base (2.10) was renamed to ansible-core (2.11+):
 # https://www.ansible.com/blog/ansible-3.0.0-qa
 # https://github.com/ansible/ansible/releases
+# https://github.com/ansible/ansible/commits/stable-2.11
 # https://pypi.org/project/ansible-base/
 # https://pypi.org/project/ansible-core/
 # https://releases.ansible.com/ansible-base/
@@ -47,25 +48,24 @@ fi
 # https://github.com/ansible/ansible/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_10.rst
 # https://github.com/ansible/ansible/blob/devel/docs/docsite/rst/roadmap/ROADMAP_2_11.rst
 
-# FYI .travis.yml installs ansible-core in a slightly different way (PRs #2689, #2742 or #2743 ?)
+# FYI .travis.yml installs ansible-core in a slightly different way (PRs #2689 & #2743)
 
 # IIAB implementers might instead consider these 4 GENERAL TECHNIQUES below
 # ("in an emergency!") e.g. if apt fails & you need a newer/older Ansible:
 
 # TEMPORARILY USE pip3 to install the latest ansible-core as listed at
 # https://pypi.org/project/ansible-core/ (REMOVE W/ "pip3 uninstall ansible-core")
-#apt install python3-pip
-#pip3 install ansible-core    # Then start a new shell, so /usr/local/bin works
 #apt install python3-pymysql python3-psycopg2 python3-passlib python3-pip python3-setuptools python3-packaging python3-venv virtualenv
+#pip3 install --upgrade ansible-core    # Then start a new shell, so /usr/local/bin works
 #ansible-galaxy collection install -r collections.yml
 
-# TEMPORARILY USE ansible-base 2.10.9 (REMOVE W/ "pip3 uninstall ansible-base")
+# TEMPORARILY USE ansible-base 2.10.11 (REMOVE W/ "pip3 uninstall ansible-base")
 #apt install python3-pip
-#pip3 install ansible-base==2.10.9   # Start new shell, so /usr/local/bin works
+#pip3 install ansible-base==2.10.11   # Start new shell, so /usr/local/bin works
 
-# TEMPORARILY USE ANSIBLE 2.9.21 (REMOVE IT WITH "pip uninstall ansible")
+# TEMPORARILY USE ANSIBLE 2.9.23 (REMOVE IT WITH "pip3 uninstall ansible")
 #apt install python3-pip
-#pip3 install ansible==2.9.21
+#pip3 install ansible==2.9.23
 
 # TEMPORARILY USE ANSIBLE 2.4.2 DUE TO 2.4.3 MEMORY BUG. Details: iiab/iiab#669
 #echo "Install http://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb"
@@ -77,7 +77,7 @@ export DEBIAN_FRONTEND=noninteractive
 # Why 'noninteractive' appears needed:
 # https://github.com/iiab/iiab/issues/564#issuecomment-347264985
 
-echo -e "\n\nYOU ARE RUNNING: /opt/iiab/iiab/scripts/ansible (TO INSTALL ANSIBLE)\n"
+echo -e "\n\nYOU ARE RUNNING: /opt/iiab/iiab/scripts/ansible (TO INSTALL ANSIBLE ETC)\n"
 #echo -e 'Alternative:     /opt/iiab/iiab/scripts/ansible-2.9.x ("Slow Food")\n'
 
 echo -e "RECOMMENDED PREREQUISITES:"
@@ -121,8 +121,8 @@ fi
 #$APT_PATH/apt update
 #$APT_PATH/apt -y install dirmngr
 #echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \
-echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \
+###echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu $CODENAME main" \
-     > /etc/apt/sources.list.d/iiab-ansible.list
+###     > /etc/apt/sources.list.d/iiab-ansible.list
 
 # In future we might instead consider 'add-apt-repository ppa:ansible/ansible'
 # or 'apt-add-repository ppa:ansible/bionic/ansible' etc, e.g. for streamlined
@@ -140,25 +140,26 @@ echo "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.la
 # 2021-04-26: JV & @holta WIP: (see above)
 #echo -e '\nIF YOU FACE ERROR "signatures couldn'"'"'t be verified because the public key is not available" THEN REPEATEDLY RE-RUN "sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367"\n'
 #apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 93C4A3FD7BB9C367
-cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg
+###cp /opt/iiab/iiab/scripts/iiab-ansible-keyring.gpg /usr/share/keyrings/iiab-ansible-keyring.gpg
 #chmod 644 /usr/share/keyrings/iiab-ansible-keyring.gpg
 
-echo -e 'PPA source "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu '$CODENAME' main"'
+###echo -e 'PPA source "deb [signed-by=/usr/share/keyrings/iiab-ansible-keyring.gpg] http://ppa.launchpad.net/ansible/ansible/ubuntu '$CODENAME' main"'
-echo -e "successfully saved to /etc/apt/sources.list.d/iiab-ansible.list\n"
+###echo -e "successfully saved to /etc/apt/sources.list.d/iiab-ansible.list\n"
-echo -e "IF *OTHER* ANSIBLE SOURCES APPEAR BELOW, PLEASE MANUALLY REMOVE THEM TO"
+###echo -e "IF *OTHER* ANSIBLE SOURCES APPEAR BELOW, PLEASE MANUALLY REMOVE THEM TO"
-echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n'
+###echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n'
-grep '^deb .*ansible' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v '^/etc/apt/sources.list.d/iiab-ansible.list:' || true    # Override bash -e (instead of aborting at 1st error)
+###grep '^deb .*ansible' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v '^/etc/apt/sources.list.d/iiab-ansible.list:' || true    # Override bash -e (instead of aborting at 1st error)
 
-echo -e "\napt update; apt install ansible-core and python3 dependencies explained at:"
+echo -e "\napt update; apt install of python3-* / virtualenv packages explained at:"
 echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n"
 $APT_PATH/apt update
-$APT_PATH/apt -y install python3-pip
-pip3 install ansible-core
 #$APT_PATH/apt -y --allow-downgrades install ansible-core \
-$APT_PATH/apt -y --allow-downgrades install \
+$APT_PATH/apt -y install \
               python3-pymysql python3-psycopg2 python3-passlib python3-pip \
               python3-setuptools python3-packaging python3-venv virtualenv
 
+echo -e "\n\n'pip3 install --upgrade ansible-core' will now run:\n"
+pip3 install --upgrade ansible-core
+
 # (Re)running collection installs appears safe, with --force-with-deps to force
 # upgrade of collection and dependencies it pulls in.  Note Ansible may support
 # explicit upgrading of collections (--upgrade / -U flag) in version "2.11"
@@ -178,7 +179,9 @@ ansible-galaxy collection install --force-with-deps \
 #mkdir -p /etc/ansible    # LIKELY REDUNDANT, due to above installation of Ansible
 #echo -e '[local]\nlocalhost\n' > /etc/ansible/hosts    # LIKELY REDUNDANT, due to https://github.com/iiab/iiab/blob/master/ansible_hosts
 
-echo -e "SUCCESS INSTALLING ANSIBLE!  PLEASE VERIFY WITH COMMANDS LIKE:"
+echo -e "\n\nSUCCESS!  PLEASE VERIFY ANSIBLE WITH COMMANDS LIKE:\n"
 echo -e "    ansible --version"
 echo -e "    pip show ansible-core"
-echo -e "    apt -a list ansible-core\n\n"
+echo -e '    apt -a list "ansible*"'
+echo -e "    ansible-galaxy collection list\n"
+echo -e "WARNING: Start a new Linux shell, if it changed from /usr/bin to /usr/local/bin\n\n"

scripts/ansible.md

@@ -7,7 +7,7 @@ Starting in November 2019, IIAB's Ansible installer ([/opt/iiab/iiab/scripts/ans
 1. Ansible module: [pip](https://docs.ansible.com/ansible/latest/modules/pip_module.html)
 
    IIAB installs apt packages:
-   - **python3-pip** (for IIAB's [Admin Console](https://github.com/iiab/iiab-admin-console))
+   - **python3-pip** (for `pip3 install ansible-core` & IIAB's [Admin Console](https://github.com/iiab/iiab-admin-console))
    - **python3-setuptools**
    - **virtualenv** (is Python 3 only, for [roles/kalite](https://github.com/iiab/iiab/tree/master/roles/kalite) & [roles/calibre-web](https://github.com/iiab/iiab/tree/master/roles/calibre-web) ?) and pulls in additional packages... (`apt show virtualenv` shows "Depends: python3, python3-virtualenv")
       - **python3-virtualenv** and pulls in additional package... (`apt show python3-virtualenv` shows "Depends: python-pip-whl (>= 8.1.1-2), python3, python3-distutils, python3-pkg-resources") 

scripts/local_facts.fact

@@ -60,8 +60,9 @@ OS_VER=$OS-$VERSION_ID
 # 2020-10-21: Debian 11 (Bullseye) not yet supported but adding this line to
 # its /etc/os-release can help testing this unreleased OS: VERSION_ID="11"
 
-# 2020-11-14: Ubuntu 21.04 (Hirsute Hippo) not yet supported but this
+# 2021-06-19: Ubuntu 21.10 (Impish Indri) not yet supported but this
-# unreleased OS can help testing.
+# unreleased OS can help testing.  For now this means MANUALLY changing
+# php_version: 7.4 to 8.0 in /opt/iiab/iiab/vars/ubuntu-21.yml
 
 case $OS_VER in
     "debian-10"    | \
@@ -69,7 +70,8 @@ case $OS_VER in
     "ubuntu-20"    | \
     "ubuntu-21"    | \
     "linuxmint-20" | \
-    "raspbian-10")
+    "raspbian-10"  | \
+    "raspbian-11")
        ;;
     *) OS_VER="OS_not_supported"
        ;;

vars/debian-10.yml

@@ -1,5 +1,7 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
 is_debuntu: True
-is_debian: True
+is_debian: True    # Opposite of is_ubuntu for now
 is_debian_10: True
 
 # 2019-01-31: These apply if-only-if named_install and/or dhcpd_install are True

vars/debian-11.yml

@@ -1,5 +1,7 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
 is_debuntu: True
-is_debian: True
+is_debian: True    # Opposite of is_ubuntu for now
 is_debian_11: True
 
 # 2019-01-31: These apply if-only-if named_install and/or dhcpd_install are True

vars/default_vars.yml

@@ -265,9 +265,10 @@ nginx_log_dir: /var/log/nginx
 # For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
 nginx_high_php_limits: False
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
-# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L52-L66
+# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
-# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
+# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
+# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
@@ -392,6 +393,7 @@ lokole_enabled: False
 # lokole_sim_type can be: 'hologram', 'Ethernet', 'LocalOnly', or 'mkwvconf'
 # Details: https://github.com/ascoderu/lokole/blob/master/install.py#L35
 lokole_sim_type: LocalOnly
+lokole_client_id: None
 
 mediawiki_install: False
 mediawiki_enabled: False
@@ -401,13 +403,12 @@ mosquitto_install: False
 mosquitto_enabled: False
 mosquitto_port: 1883
 
-# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Node.js is installed on demand
+# 2021-06-17: BOTH VALUES BELOW ARE INITIALLY IGNORED as Node.js is installed
-# as a dependency -- by Node-RED, Sugarizer &/or Internet Archive
+# on demand as a dependency by 4 roles -- internetarchive (Internet Archive),
+# nodered (Node-RED), pbx (Asterix, FreePBX) &/or Sugarizer:
 nodejs_install: False
 nodejs_enabled: False
-# Node.js version used by roles/nodejs/tasks/main.yml for 3 roles:
+nodejs_version: 16.x    # was 8.x til 2019-02-02, 10.x til 2019-12-21, 12.x til 2020-10-29, 14.x til 2021-06-17
-# nodered (Node-RED), pbx (Asterix, FreePBX) & sugarizer (Sugarizer)
-nodejs_version: 14.x    # was 8.x til 2019-02-02, 10.x til 2019-12-21, 12.x til 2020-10-29
 
 # Flow-based visual programming for wiring together IoT hardware devices etc
 nodered_install: False
@@ -432,7 +433,8 @@ nextcloud_enabled: False
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi 3.
+# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
+# If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
@@ -456,7 +458,7 @@ kalite_root: "{{ content_base }}/ka-lite"    # /library/ka-lite
 
 kolibri_install: False
 kolibri_enabled: False
-kolibri_language: en    # ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu
+kolibri_language: en    # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py
 kolibri_http_port: 8009
 
 # kiwix_install: True is REQUIRED, if you install IIAB's Admin Console
@@ -473,6 +475,7 @@ kiwix_apk_src: https://download.kiwix.org/release/kiwix-android/kiwix.apk
 postgresql_install: False
 postgresql_enabled: False
 
+# Warning: Moodle is a serious LMS, that takes a while to install.
 moodle_install: False
 moodle_enabled: False
 # If using Moodle intensively, set nginx_high_php_limits further above.
@@ -719,6 +722,7 @@ is_debian_9: False
 is_debian_8: False
 
 is_raspbian: False    # Covers both: RPi HW + non-RPi HW versions of Raspberry Pi OS (Raspbian)
+is_raspbian_11: False
 is_raspbian_10: False
 is_raspbian_9: False
 is_raspbian_8: False

vars/linuxmint-20.yml

@@ -1,5 +1,7 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
 is_debuntu: True
-is_ubuntu: True
+is_ubuntu: True    # Opposite of is_debian for now
 is_ubuntu_20: True
 is_linuxmint: True
 is_linuxmint_20: True

vars/local_vars_big.yml

@@ -168,9 +168,10 @@ pi_swap_file_size: 1024
 # For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
 nginx_high_php_limits: False
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
-# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L52-L66
+# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
-# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
+# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
+# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
@@ -260,9 +261,6 @@ jupyterhub_enabled: True
 # Lokole (email for rural communities) from https://ascoderu.ca
 lokole_install: True
 lokole_enabled: True
-# lokole_sim_type can be: 'hologram', 'Ethernet', 'LocalOnly', or 'mkwvconf'
-# Details: https://github.com/ascoderu/lokole/blob/master/install.py#L35
-lokole_sim_type: LocalOnly
 
 mediawiki_install: True
 mediawiki_enabled: True
@@ -292,7 +290,8 @@ nextcloud_enabled: True
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi 3.
+# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
+# If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
@@ -310,7 +309,7 @@ kalite_enabled: True
 
 kolibri_install: True
 kolibri_enabled: True
-kolibri_language: en    # ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu
+kolibri_language: en    # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans
 
 # kiwix_install: True is REQUIRED, if you install IIAB's Admin Console
 kiwix_install: True
@@ -409,4 +408,4 @@ calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
-calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
+calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"

vars/local_vars_medium.yml

@@ -168,9 +168,10 @@ pi_swap_file_size: 1024
 # For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
 nginx_high_php_limits: False
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
-# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L52-L66
+# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
-# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
+# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
+# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
@@ -260,9 +261,6 @@ jupyterhub_enabled: False
 # Lokole (email for rural communities) from https://ascoderu.ca
 lokole_install: False
 lokole_enabled: False
-# lokole_sim_type can be: 'hologram', 'Ethernet', 'LocalOnly', or 'mkwvconf'
-# Details: https://github.com/ascoderu/lokole/blob/master/install.py#L35
-lokole_sim_type: LocalOnly
 
 mediawiki_install: False
 mediawiki_enabled: False
@@ -292,7 +290,8 @@ nextcloud_enabled: True
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi 3.
+# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
+# If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
@@ -310,7 +309,7 @@ kalite_enabled: True
 
 kolibri_install: False
 kolibri_enabled: False
-kolibri_language: en    # ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu
+kolibri_language: en    # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans
 
 # kiwix_install: True is REQUIRED, if you install IIAB's Admin Console
 kiwix_install: True
@@ -409,4 +408,4 @@ calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
-calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
+calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"

vars/local_vars_min.yml

@@ -168,9 +168,10 @@ pi_swap_file_size: 1024
 # For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
 nginx_high_php_limits: False
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
-# SO AFTER INSTALLING IIAB, VERIFY THAT THESE 5 SETTINGS...
+# roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
-# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L52-L66
+# REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
-# ...ARE SUITABLE FOR YOUR HARDWARE, for: /etc/php/<VERSION>/fpm/php.ini
+# https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
+# ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
@@ -260,9 +261,6 @@ jupyterhub_enabled: False
 # Lokole (email for rural communities) from https://ascoderu.ca
 lokole_install: False
 lokole_enabled: False
-# lokole_sim_type can be: 'hologram', 'Ethernet', 'LocalOnly', or 'mkwvconf'
-# Details: https://github.com/ascoderu/lokole/blob/master/install.py#L35
-lokole_sim_type: LocalOnly
 
 mediawiki_install: False
 mediawiki_enabled: False
@@ -292,7 +290,8 @@ nextcloud_enabled: False
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi 3.
+# Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
+# If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
@@ -310,7 +309,7 @@ kalite_enabled: True
 
 kolibri_install: False
 kolibri_enabled: False
-kolibri_language: en    # ar,bn-bd,en,es-es,fa,fr-fr,hi-in,mr,nyn,pt-br,sw-tz,ta,te,ur-pk,yo,zu
+kolibri_language: en    # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans
 
 # kiwix_install: True is REQUIRED, if you install IIAB's Admin Console
 kiwix_install: True
@@ -409,4 +408,4 @@ calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
-calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
+calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"

vars/raspbian-10.yml

@@ -1,5 +1,7 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
 is_debuntu: True
-is_debian: True
+is_debian: True    # Opposite of is_ubuntu for now
 is_debian_10: True
 is_raspbian: True
 is_raspbian_10: True

vars/raspbian-11.yml

@@ -0,0 +1,40 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
+is_debuntu: True
+is_debian: True    # Opposite of is_ubuntu for now
+is_debian_11: True
+is_raspbian: True
+is_raspbian_11: True
+
+# 2019-03-23: These apply if-only-if named_install and/or dhcpd_install are True
+# (This is quite rare now that vars/default_vars.yml sets dnsmasq_install: True)
+dns_service: bind9
+dns_user: bind
+dhcp_service: isc-dhcp-server
+
+proxy: squid
+proxy_user: proxy
+apache_service: apache2
+apache_conf_dir: apache2/sites-available
+apache_user: www-data
+apache_log_dir: /var/log/apache2
+smb_service: smbd
+nmb_service: nmbd
+systemctl_program: /bin/systemctl
+mysql_service: mariadb
+apache_log: /var/log/apache2/access.log
+sshd_package: ssh
+sshd_service: ssh
+php_version: 7.4
+postgresql_version: 13
+systemd_location: /lib/systemd/system
+python_ver: 3.9
+
+# Minetest for RPi
+minetest_server_bin: /library/games/minetest/bin/minetestserver
+minetest_working_dir: /library/games/minetest
+minetest_game_dir: /library/games/minetest/games/minetest_game
+minetest_rpi_src_tar: minetest.5.1.1.tar.gz
+#minetest_rpi_src_url: "http://www.nathansalapat.com/downloads/{{ minetest_rpi_src_tar }}"
+minetest_rpi_src_url: "http://d.iiab.io/packages/{{ minetest_rpi_src_tar }}"
+minetest_rpi_src_untarred: Minetest

vars/ubuntu-20.yml

@@ -1,5 +1,7 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
 is_debuntu: True
-is_ubuntu: True
+is_ubuntu: True    # Opposite of is_debian for now
 is_ubuntu_20: True
 
 # 2019-03-23: These apply if-only-if named_install and/or dhcpd_install are True

vars/ubuntu-21.yml

@@ -1,5 +1,7 @@
+# Every is_<OS> var is initially set to 'False' at the bottom of
+# /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
 is_debuntu: True
-is_ubuntu: True
+is_ubuntu: True    # Opposite of is_debian for now
 is_ubuntu_21: True
 
 # 2019-03-23: These apply if-only-if named_install and/or dhcpd_install are True