From a546c5132aef0f7a661a18b34e21327a6267527e Mon Sep 17 00:00:00 2001
From: A Holt <holta@users.noreply.github.com>
Date: Mon, 4 Dec 2023 16:54:05 -0500
Subject: [PATCH 1/3] Recommend ansible-core 2.16.1

---
 scripts/ansible | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/ansible b/scripts/ansible
index 48d337b19..0caaaef87 100755
--- a/scripts/ansible
+++ b/scripts/ansible
@@ -7,8 +7,8 @@
 # https://github.com/iiab/iiab/wiki/Technical-Contributors-Guide#female_detective-understanding-ansible
 
 APT_PATH=/usr/bin     # Avoids problematic /usr/local/bin/apt on Linux Mint
-CURR_VER=undefined    # Ansible version you have installed, e.g. [core 2.16.0]
-GOOD_VER=2.16.0       # Orig for 'yum install [rpm]' & XO laptops (pip install)
+CURR_VER=undefined    # Ansible version you have installed, e.g. [core 2.16.1]
+GOOD_VER=2.16.1       # Orig for 'yum install [rpm]' & XO laptops (pip install)
 
 # 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and
 # .gpg key etc) are commented out with ### below.  Associated guidance/comments

From af9597d5b25e4f2b7322e830ffb0f856a71e8283 Mon Sep 17 00:00:00 2001
From: A Holt <holta@users.noreply.github.com>
Date: Mon, 4 Dec 2023 17:11:07 -0500
Subject: [PATCH 2/3] iiab-install: Set MIN_ANSIBLE_VER=2.14.12 (2.13 EOL on
 2023-11-06)

---
 iiab-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iiab-install b/iiab-install
index bc887d659..e09527224 100755
--- a/iiab-install
+++ b/iiab-install
@@ -11,7 +11,7 @@ CWD=`pwd`
 OS=`grep ^ID= /etc/os-release | cut -d= -f2`
 OS=${OS//\"/}    # Remove all '"'
 MIN_RPI_KERN=5.4.0         # Do not use 'rpi-update' unless absolutely necessary: https://github.com/iiab/iiab/issues/1993
-MIN_ANSIBLE_VER=2.14.11    # 2023-05-22: ansible-core 2.12 EOL per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix  2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
+MIN_ANSIBLE_VER=2.14.12    # 2023-05-22: ansible-core 2.12 EOL per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix  2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
 
 REINSTALL=false
 DEBUG=false

From 9f00b7b41b69efe80641944b2b24c0dbee393c8e Mon Sep 17 00:00:00 2001
From: root <holta@users.noreply.github.com>
Date: Mon, 4 Dec 2023 18:01:55 -0500
Subject: [PATCH 3/3] validate_vars.yml: ansible-core 2.16.1 req 'loop' not
 'with_items' w/ 'assert' templating

---
 roles/0-init/tasks/validate_vars.yml | 42 ++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml
index 3617715dd..383f911a3 100644
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@@ -158,20 +158,38 @@
   when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn'    # Exclude auto-installed dependencies
   loop: "{{ vars_checklist }}"
 
+
+- name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked
+  set_fact:
+    vars_deprecated_list:
+      - dhcpd               # Deprecated
+      - named               # Deprecated
+      - wondershaper        # Deprecated
+      - dansguardian        # Deprecated
+      #- xo_services        # Unmaintained
+      #- activity_server    # Unmaintained
+      #- ejabberd_xs        # Unmaintained
+      #- idmgr              # Unmaintained
+      #- dokuwiki           # Unmaintained
+      #- ejabberd           # Unmaintained
+      #- elgg               # Unmaintained
+
 - name: 'DISALLOW "XYZ_install: True" if deprecated'
   assert:
     that: "{{ item }}_install is undefined or not {{ item }}_install"
     fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
     quiet: yes
-  with_items:
-    - dhcpd               # Deprecated
-    - named               # Deprecated
-    - wondershaper        # Deprecated
-    - dansguardian        # Deprecated
-    #- xo_services        # Unmaintained
-    #- activity_server    # Unmaintained
-    #- ejabberd_xs        # Unmaintained
-    #- idmgr              # Unmaintained
-    #- dokuwiki           # Unmaintained
-    #- ejabberd           # Unmaintained
-    #- elgg               # Unmaintained
+  loop: "{{ vars_deprecated_list }}"
+  # 2023-12-04: ansible-core 2.16.1 suddenly no longer allows 'assert' with
+  # 'with_items' below (whereas 'loop' construct above works!)  BACKGROUND:
+  #
+  #  'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
+  #  conditional expressions with embedded template blocks can fail with the
+  #  message “Conditional is marked as unsafe, and cannot be evaluated.”'
+  #  https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook
+  #
+  # with_items:
+  #   - dhcpd               # Deprecated
+  #   - named               # Deprecated
+  #   - wondershaper        # Deprecated
+  #   - dansguardian        # Deprecated