Merge branch 'master' into less-apache

2025-03-09 15:40:17 +00:00 · 2021-08-04 10:11:47 -04:00 · 2021-08-04 10:11:47 -04:00 · 9676a9a03e
commit 9676a9a03e
parent 99ff2b95ba 1f94166a23
45 changed files with 463 additions and 353 deletions
--- a/roles/0-init/defaults/main.yml
+++ b/roles/0-init/defaults/main.yml
@ -1,31 +1,54 @@
 # adm_cons_force_ssl: False
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 # SEE ALSO /opt/iiab/iiab/roles/1-prep/defaults/main.yml
 # 2021-07-30: Primarily for Admin Console: later change to 443 for #2811 HTTPS?
 gui_port: 80
 #is_F18: False                  # 2021-07-30: No longer used
 # (PRE-)release version number, for {{ iiab_env_file }} = /etc/iiab/iiab.env
-# iiab_base_ver: 7.1
+# iiab_base_ver: 8.0
 # iiab_revision: 0
-# ABOVE MOVED TO /opt/iiab/iiab/vars/default_vars.yml
+# ABOVE 3 LINES MOVED TO /opt/iiab/iiab/vars/default_vars.yml
 # These entries should never be changed in this file.
 # These are defaults for boolean routines.
 # 2021-07-30: This variable (first_run) is still used in 2 places:
 #   (1) roles/1-prep/tasks/main.yml for raspberry_pi.yml
 #   (2) roles/network/tasks/named.yml
 # ...after it is set in 0-init/tasks/main.yml
 first_run: False
-rpi_model: none
+rpi_model: none                 # 2021-07-30: Broadly used!
-xo_model: none
+#xo_model: none                 # 2021-07-30: No longer used
 # 2021-07-30: Recorded to /etc/iiab/iiab.ini but not used programmatically:
 gw_active: False
 # 2021-07-30: Broadly used, but not in an organized way -- most all IIAB
 # outfitting/provisioning happens online -- in situations where connectivity
 # failures should be reported to the operator, rather than papered over:
 internet_available: False
-discovered_wan_iface: none
+discovered_wan_iface: none      # 2021-07-30: Very broadly used!
-# Old defs
+# 2021-07-30: Barely used -- for {named, dhcpd, squid} in
-gui_port: 80
+# roles/network/tasks/main.yml -- after being set in 0-init/tasks/network.yml
-is_F18: False
+FQDN_changed: False
-# Set default 1-prep discovered hardware
+#rtc_id: none                   # 2021-07-30: Moved to 1-prep/defaults/main.yml
-rtc_id: none
+#NUC6_firmware_needed: False    # 2021-07-30: Apparently never used
 NUC6_firmware_needed: False
-# Used in 2-common/tasks/xo.yml
+#wifi_id: none          # 2021-07-30: Had been used in 2-common/tasks/xo.yml
 wifi_id: none
-# Used in 2-common, 3-base-server and roles/network
+# 2021-07-30: roles/network/tasks/squid.yml#L16 to stop Squid
 # ("when: not installing") is the only non-Fedora use of this var.
 # Earlier, this var HAD also been used in 2-common and 3-base-server.
 installing: False
-# Network
+# 2021-07-30: Broadly used across roles/network/tasks/*.yml -- but things might
 # possibly change if roles/network becomes optional per PR #2876 ?
 no_net_restart: False
-no_NM_reload: False
+#no_NM_reload: False    # 2021-07-30: Was used in roles/network/tasks/fedora/*
--- a/roles/0-init/tasks/create_iiab_ini.yml
+++ b/roles/0-init/tasks/create_iiab_ini.yml
@ -35,7 +35,7 @@
      value: "{{ ansible_local.local_facts.iiab_commit }}"
    - option: install_date
      value: "{{ ansible_date_time.iso8601 }}"
-    - option: xo_model
+    #- option: xo_model
-      value: "{{ xo_model }}"
+    #  value: "{{ xo_model }}"
    - option: rpi_model
      value: "{{ rpi_model }}"
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -7,12 +7,17 @@
 # Higher-level purpose explained at the bottom of:
 # https://github.com/iiab/iiab/blob/master/vars/default_vars.yml
- name: "Ansible just ran /etc/ansible/facts.d/local_facts.fact to set 11 vars -- here we extract 3 of those -- rpi_model: {{ ansible_local.local_facts.rpi_model }}, xo_model: {{ ansible_local.local_facts.xo_model }}, iiab_stage: {{ ansible_local.local_facts.stage }}"
+- name: "Ansible just ran /etc/ansible/facts.d/local_facts.fact to set 10 vars -- here we extract 2 of those -- rpi_model: {{ ansible_local.local_facts.rpi_model }}, iiab_stage: {{ ansible_local.local_facts.stage }}"
  set_fact:
    rpi_model: "{{ ansible_local.local_facts.rpi_model }}"
-    xo_model: "{{ ansible_local.local_facts.xo_model }}"
+    #xo_model: "{{ ansible_local.local_facts.xo_model }}"
    iiab_stage: "{{ ansible_local.local_facts.stage }}"
 # 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
 #- name: Re-read local_facts.facts from /etc/ansible/facts.d
 #  setup:
 #    filter: ansible_local
 # Initialize /etc/iiab/iiab.ini writing the 'location' and 'version' sections
 # once and only once, to preserve the install date and git hash.
 - name: Create {{ iiab_ini_file }}, if it doesn't exist
@ -29,11 +34,6 @@
    first_run: True
  when: not iiab_ini_test.stat.exists
 # 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
 #- name: Re-read local_facts.facts from /etc/ansible/facts.d
 #  setup:
 #    filter: ansible_local
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
@ -56,7 +56,7 @@
 - name: "Time Zone / TZ: Set symlink /etc/localtime to UTC if it doesn't exist?"
  include_tasks: tz.yml
- name: Test Gateway + Test Internet + Set new hostname if nec + Set 'gui_port' to 80 or 443 for Admin Console
+- name: Test Gateway + Test Internet + Set new hostname/domain (hostname.yml) if nec + Set 'gui_port' to 80 or 443 for Admin Console
  include_tasks: network.yml
@ -95,14 +95,14 @@
      value: "{{ rpi_model }}"
    - option: first_run
      value: "{{ first_run }}"
-    - option: local_tz    # e.g. EDT after Ansible interprets /etc/localtime below
+    - option: local_tz    # e.g. 'EDT' (summer) or 'EST' (winter) after Ansible interprets symlink /etc/localtime -- or 'UTC' if /etc/localtime doesn't exist
      value: "{{ local_tz }}"
-    - option: etc_localtime.stdout    # e.g. America/New_York
+    - option: etc_localtime.stdout    # e.g. 'America/New_York' direct from symlink /etc/localtime -- or '' if /etc/localtime doesn't exist
      value: "{{ etc_localtime.stdout }}"
-    - option: no_NM_reload
+    #- option: no_NM_reload
-      value: "{{ no_NM_reload }}"
+    #  value: "{{ no_NM_reload }}"
-    - option: is_F18
+    #- option: is_F18
-      value: "{{ is_F18 }}"
+    #  value: "{{ is_F18 }}"
    - option: FQDN_changed
      value: "{{ FQDN_changed }}"
--- a/roles/0-init/tasks/network.yml
+++ b/roles/0-init/tasks/network.yml
@ -46,15 +46,18 @@
    iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
    FQDN_changed: False
- name: "Set 'FQDN_changed: True' when iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
+- name: Set hostname / domain (etc) in various places -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})
  include_tasks: hostname.yml
  when: iiab_fqdn != ansible_fqdn
 # 2021-07-30: FQDN_changed isn't used as in the past -- its remaining use is
 # for {named, dhcpd, squid} in roles/network/tasks/main.yml -- possibly it
 # should be reconsidered?  See PR #2876: roles/network might become optional?
 - name: "Also set 'FQDN_changed: True' -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
  set_fact:
    FQDN_changed: True
  when: iiab_fqdn != ansible_fqdn
 - name: Set hostname if FQDN_changed
  include_tasks: hostname.yml
  when: FQDN_changed
 - name: "Set 'gui_port: 80' for Admin Console if not adm_cons_force_ssl"
  set_fact:
--- a/roles/0-init/tasks/tz.yml
+++ b/roles/0-init/tasks/tz.yml
@ -11,7 +11,7 @@
  register: etc_localtime
 - name: "/etc/localtime now specifies: {{ etc_localtime.stdout }}"
-  command: echo    # 'meta: noop' is not enough to force var instantiation above
+  command: echo    # 'meta: noop' is not enough to force instantiation of 'name: {{ var }}' just above
 #- name: Check for a /etc/localtime symlink to TZ - NEVER FAILS DUE TO PIPE
--- a/roles/1-prep/README.rst
+++ b/roles/1-prep/README.rst
@ -2,21 +2,24 @@
 1-prep README
 =============
-This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) is primarily hardware-focused, prior to OS
+This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) arranges low-level things like remote support infra, DNS prep, hardware, low-level OS quirks, and basic security:
 additions/mods — but also includes critical pieces sometimes needed for
 remote support:
- dnsmasq
+- SSHD
- /etc/iiab/uuid
+- OpenVPN if/as needed later for remote support
- Customizing /var/log/* for Ubermix on each boot, using /etc/tmpfiles.d
+- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin#iiab-admin-readme>`_ username and group, to log into Admin Console
- SSH
+- dnsmasq (install now, configure later!)
- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin>`_ username and group to log into Admin Console
+- Universally unique identifier: /etc/iiab/uuid
- OpenVPN software if/as needed later for remote support
+- Ubermix (distro) needs /etc/tmpfiles.d/iiab.conf to create essential /var/log subdirs on each boot
- `raspberry_pi.yml <tasks/raspberry_pi.yml>`_ including RTC, essential packages, and networking basics
+- Hardware actions:
   - `raspberry_pi.yml <tasks/raspberry_pi.yml>`_:
      - RTC (real-time clock): install udev rule, configure, enable
      - Install packages related to:
         - growpart
         - swapfile
         - fake-hwclock (as RTC is often missing or dead!)
         - Wi-Fi
      - Increase swap file size
      - `rootfs auto-resizing <https://github.com/iiab/iiab/blob/master/roles/1-prep/templates/iiab-rpi-max-rootfs.sh>`_
   - NUC 6 Wi-Fi firmware
-Traditionally 1-prep also included preliminaries like hostname and
+Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services — this 1st stage installs core server infra (that is not user-facing).
 hardware-oriented things specific to a particular platform (such as
 One Laptop Per Child's XO laptop) i.e. critical setup prior to the
 bulk of IIAB's software install.
 Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services ⁠— this 1st stage installs core server infra (that is not user-facing).
--- a/roles/1-prep/defaults/main.yml
+++ b/roles/1-prep/defaults/main.yml
@ -0,0 +1,11 @@
 # Real-time clock: RTC chip family.  Future auto-detection plausible?
 # rtc_id: none    # Or ds3231 ?  Used in 1-prep/tasks/raspberry_pi.yml
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 # SEE ALSO /opt/iiab/iiab/roles/0-init/defaults/main.yml
 #NUC6_firmware_needed: False    # 2021-07-30: Apparently never used
--- a/roles/1-prep/tasks/hardware.yml
+++ b/roles/1-prep/tasks/hardware.yml
@ -0,0 +1,17 @@
 ##  DISCOVER PLATFORMS ######
 # Put conditional actions for hardware platforms here
 - include_tasks: raspberry_pi.yml
  when: first_run and rpi_model != "none"
 - name: Check if the identifier for Intel's NUC6 built-in WiFi is present
  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
  register: usb_NUC6
  ignore_errors: True
 - name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
  get_url:
    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
    dest: /lib/firmware
    timeout: "{{ download_timeout }}"
  when: internet_available and usb_NUC6.stdout|int > 0
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@ -1,85 +1,31 @@
-# Preparations (Hardware Level)
+# Preparations (low-level e.g. remote support, DNS prep, HW/OS, basic security)
 - name: ...IS BEGINNING ============================================
  meta: noop
 - name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
  include_tasks: roles/network/tasks/dnsmasq.yml
  #when: dnsmasq_install    # Flag might be used in future?
 - name: 'Install packages: sudo, uuid-runtime'
  package:
    name:
      - sudo
      - uuid-runtime
    state: present
 - name: Does /etc/iiab/uuid exist?
  stat:
    path: /etc/iiab/uuid
  register: uuid_file
 - name: If not, run 'uuidgen' to create a uuid, in register uuid_response
  command: uuidgen
  register: uuid_response
  when: not uuid_file.stat.exists
 - name: Save it to /etc/iiab/uuid
  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
  when: not uuid_file.stat.exists
 - name: Load /etc/iiab/uuid, into register stored_uuid
  command: cat /etc/iiab/uuid
  register: stored_uuid
 - name: Store it in Ansible variable 'uuid'
  set_fact:
    uuid: "{{ stored_uuid.stdout_lines[0] }}"
 - name: Does 'ubermix' exist in /etc/lsb-release?
  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
  register: grep_ubermix
  failed_when: False    # Universal way to hide alarmist red errors!
  #ignore_errors: True
  #check_mode: no
 - name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix
  copy:
    src: roles/1-prep/files/iiab.conf
    dest: /etc/tmpfiles.d/
    # owner: root
    # group: root
    # mode: '0644'
    force: yes
  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
 # 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
 # This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
 # pkgs are not installed FWIW.  But it's included to safeguard us across all
 # OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
 # Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
 - name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
  shell: apt -y remove "libgeos-*"
  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
 - name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
  include_role:
    name: sshd
  when: sshd_install
 - name: IIAB-ADMIN
  include_role:
    name: iiab-admin
  #when: iiab_admin_install    # Flag might be created in future?
 - name: OPENVPN
  include_role:
    name: openvpn
  when: openvpn_install
 - name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
  include_role:
    name: iiab-admin
  #when: iiab_admin_install    # Flag might be created in future?
 - name: Install dnsmasq -- configure LATER in 'network', after Stage 9
  include_tasks: roles/network/tasks/dnsmasq.yml
  #when: dnsmasq_install    # Flag might be used in future?
 - include_tasks: uuid.yml
 - include_tasks: ubermix.yml
 - include_tasks: hardware.yml    # Can run raspberry_pi.yml
 # Debian 10 "Buster" is apparently enabling AppArmor in 2019:
 # https://wiki.debian.org/AppArmor/Progress
@ -109,25 +55,6 @@
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
 ##  DISCOVER PLATFORMS ######
 # Put conditional actions for hardware platforms here
 - include_tasks: raspberry_pi.yml
  when: first_run and rpi_model != "none"
 - name: Check if the identifier for Intel's NUC6 built-in WiFi is present
  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
  register: usb_NUC6
  ignore_errors: True
 - name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
  get_url:
    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
    dest: /lib/firmware
    timeout: "{{ download_timeout }}"
  when: internet_available and usb_NUC6.stdout|int > 0
 - name: Recording STAGE 1 HAS COMPLETED ============================
  template:
    src: roles/1-prep/templates/iiab.env.j2
--- a/roles/1-prep/tasks/raspberry_pi.yml
+++ b/roles/1-prep/tasks/raspberry_pi.yml
@ -31,6 +31,7 @@
 #    line: 'include btcfg.txt'
 #  when: is_ubuntu
 - name: '2021-07-27: SEE ALSO ~4 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
  meta: noop
@ -55,6 +56,7 @@
      - wireless-tools    # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions
    state: present
 - name: Increase swap file size (to CONF_SWAPSIZE={{ pi_swap_file_size }} in /etc/dphys-swapfile) as kalite pip download fails
  lineinfile:
    path: /etc/dphys-swapfile
@ -67,6 +69,7 @@
    name: dphys-swapfile
    state: restarted
 - name: Install RPi rootfs resizing (/usr/sbin/iiab-rpi-max-rootfs.sh) and its systemd service (/etc/systemd/system/iiab-rpi-root-resize.service), from templates (root:root by default)
  template:
    src: "{{ item.src }}"
--- a/roles/1-prep/tasks/ubermix.yml
+++ b/roles/1-prep/tasks/ubermix.yml
@ -0,0 +1,25 @@
 - name: Does 'ubermix' exist in /etc/lsb-release?
  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
  register: grep_ubermix
  failed_when: False    # Universal way to hide alarmist red errors!
  #ignore_errors: True
  #check_mode: no
 - name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix (root:root, 0644 by default)
  copy:
    src: roles/1-prep/files/iiab.conf
    dest: /etc/tmpfiles.d/
    # owner: root
    # group: root
    # mode: 0644
    force: yes
  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
 # 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
 # This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
 # pkgs are not installed FWIW.  But it's included to safeguard us across all
 # OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
 # Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
 - name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
  shell: apt -y remove "libgeos-*"
  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
--- a/roles/1-prep/tasks/uuid.yml
+++ b/roles/1-prep/tasks/uuid.yml
@ -0,0 +1,26 @@
 - name: "Install packages: uuid-runtime"
  package:
    name: uuid-runtime
    state: present
 - name: Does /etc/iiab/uuid exist?
  stat:
    path: /etc/iiab/uuid
  register: uuid_file
 - name: If not, run 'uuidgen' to create a uuid, in register uuid_response
  command: uuidgen
  register: uuid_response
  when: not uuid_file.stat.exists
 - name: Save it to /etc/iiab/uuid
  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
  when: not uuid_file.stat.exists
 - name: Load /etc/iiab/uuid, into register stored_uuid
  command: cat /etc/iiab/uuid
  register: stored_uuid
 - name: Store it in Ansible variable 'uuid'
  set_fact:
    uuid: "{{ stored_uuid.stdout_lines[0] }}"
--- a/roles/1-prep/templates/chrony.conf.j2.unused
+++ b/roles/1-prep/templates/chrony.conf.j2.unused
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@ -8,11 +8,12 @@
 - include_tasks: packages.yml
- name: 'Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml'
+- name: "Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml"
  include_tasks: network.yml
 - include_tasks: iiab-startup.yml
 # UNMAINTAINED
 #- include_tasks: centos.yml
 #  when: ansible_distribution == "CentOS"
@ -39,6 +40,7 @@
 #    dest: /etc/profile.d/zzz_iiab.sh
 #    src: zzz_iiab.sh
 - name: Recording STAGE 2 HAS COMPLETED ==========================
  lineinfile:
    path: "{{ iiab_env_file }}"
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -26,14 +26,14 @@
      #- make              # 2021-07-27: Currently used by roles/pbx and no other roles
      - mlocate
      - net-tools          # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
-      #- ntfs-3g           # 2021-07-27: RaspiOS installs this regardless -- but this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g
+      #- ntfs-3g           # 2021-07-31: RaspiOS installs this regardless -- but this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
      #- openssh-server    # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml
      - pandoc             # For /usr/bin/iiab-refresh-wiki-docs
      - pastebinit         # For /usr/bin/iiab-diagnostics
      - rsync
      #- screen            # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
      - sqlite3
-      #- sudo              # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
+      #- sudo              # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
      - tar
      - unzip
      #- usbmount          # Moved to roles/usb_lib/tasks/install.yml
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -23,6 +23,7 @@
    name: sshd
  when: sshd_install
 # UNMAINTAINED
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
@ -38,6 +39,7 @@
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install is defined and squid_install
 - name: Install Bluetooth - only on Raspberry Pi
  include_role:
    name: bluetooth
@ -69,6 +71,7 @@
    name: www_options
  #when: www_options_install    # Flag might be created in future?
 - name: Recording STAGE 4 HAS COMPLETED ==================
  lineinfile:
    path: "{{ iiab_env_file }}"
--- a/roles/6-generic-apps/tasks/main.yml
+++ b/roles/6-generic-apps/tasks/main.yml
@ -62,11 +62,6 @@
    name: nextcloud
  when: nextcloud_install
 - name: PBX
  include_role:
    name: pbx
  when: pbx_install
 - name: WORDPRESS
  include_role:
    name: wordpress
--- a/roles/9-local-addons/tasks/main.yml
+++ b/roles/9-local-addons/tasks/main.yml
@ -3,32 +3,39 @@
 - name: ...IS BEGINNING ====================================
  meta: noop
 - name: INTERNETARCHIVE
  include_role:
    name: internetarchive
  when: internetarchive_install
 # Is porting to Python 3 complete, and if so does this belong elsewhere?
 - name: CAPTIVE PORTAL
  include_role:
    name: captiveportal
  when: captiveportal_install
 - name: INTERNETARCHIVE
  include_role:
    name: internetarchive
  when: internetarchive_install
 - name: MINETEST
  include_role:
    name: minetest
  when: minetest_install
-# KEEP AT THE END as this installs dependencies from Debian's 'testing' branch!
+- name: CALIBRE-WEB
  include_role:
    name: calibre-web
  when: calibreweb_install
 # KEEP NEAR THE VERY END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
  include_role:
    name: calibre
  when: calibre_install
- name: CALIBRE-WEB
+# Pulls in a large number of devel packages, via asterisk.yml -> 'install_prereq install'
 # https://github.com/asterisk/asterisk/blob/master/contrib/scripts/install_prereq#L21-L35
 - name: PBX - Asterisk & FreePBX
  include_role:
-    name: calibre-web
+    name: pbx
-  when: calibreweb_install
+  when: pbx_install
 - name: "2021-06-27 TEMPORARY CODE TO INSTALL 'php-pear' UNTIL ADMIN CONSOLE DECLARES ITS OWN DEPENDENCY FOR: https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19"
  package:
--- a/roles/iiab-admin/tasks/sudo-prereqs.yml
+++ b/roles/iiab-admin/tasks/sudo-prereqs.yml
@ -1,7 +1,6 @@
 # roles/2-common/tasks/packages.yml also installed sudo, but that's too late
 - name: 'Install package: sudo'
  package:
-    name: sudo
+    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
 - name: Temporarily make file /etc/sudoers editable (0640)
  file:
--- a/roles/jupyterhub/tasks/enable-or-disable.yml
+++ b/roles/jupyterhub/tasks/enable-or-disable.yml
@ -1,17 +1,14 @@
 - name: systemd daemon-reload
  systemd:
    daemon_reload: yes
 - name: Enable & Restart jupyterhub.service
  systemd:
    daemon_reload: yes
    name: jupyterhub
    enabled: yes
    state: restarted
  when: jupyterhub_enabled
- name: Disable jupyterhub.service
+- name: Disable & Stop jupyterhub.service
  systemd:
    daemon_reload: yes
    name: jupyterhub
    enabled: no
    state: stopped
--- a/roles/mysql/tasks/centos.yml.unused
+++ b/roles/mysql/tasks/centos.yml.unused
--- a/roles/mysql/tasks/fedora.yml.unused
+++ b/roles/mysql/tasks/fedora.yml.unused
--- a/roles/mysql/tasks/install.yml
+++ b/roles/mysql/tasks/install.yml
@ -1,8 +1,8 @@
-# Stanzas as of 2020-05-21:
+# Stanzas as of 2021-08-02:
 #
 # - 1 base install
 # - 6 double timeout for slow CPUs
-# - 7 DB config
+# - 2 DB config
 # - 2 record as installed
 - name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql'
@ -98,7 +98,7 @@
  when: mariadb_unit_file.stat.exists
-# 7 STANZAS BELOW...could later be put into setup.yml or config.yml or or provision.yml ?
+# 2 STANZAS BELOW...could later be put into setup.yml or config.yml or or provision.yml ?
 # Name of MySQL service varies by OS, so hardcoded in /opt/iiab/iiab/vars/<OS>.yml (formerly in roles/0-init/tasks/main.yml)
 - name: Start MySQL systemd service ({{ mysql_service }}) to permit configuration
@ -107,7 +107,7 @@
    daemon_reload: yes
    state: restarted
- name: Install /root/.my.cnf file from template, with root password credentials
+- name: "Install /root/.my.cnf file from template -- used to contain root password credential, prior to 2020-08-24: https://github.com/iiab/iiab/pull/2488"
  template:
    src: my.cnf.j2
    dest: /root/.my.cnf
--- a/roles/network/tasks/computed_network.yml
+++ b/roles/network/tasks/computed_network.yml
@ -1,15 +1,18 @@
 # just lie about active gateway present on XOs to suppress ifcfg-WAN
 # auto-creation/moving with XOs using NM/system-connections/ via keyfile.
 # ifcfg-rh acts on /etc/sys*/net*/ifcfg-* where we search for devices.
 - name: Setting XO has WiFi gateway
  set_fact:
    user_wan_iface: "{{ discovered_wan_iface }}"
  when: not (discovered_wan_iface == "none") and not (xo_model == "none") and has_ifcfg_gw == "none"
- name: XO laptop wants USB WiFi interface as AP mode
+# 2021-07-30: Var 'xo_model' is being deprecated
-  set_fact:
+#- name: Setting XO has WiFi gateway
-    iiab_wireless_lan_iface: "{{ discovered_lan_iface }}"
+#  set_fact:
-  when: num_wifi_interfaces >= "2" and not (xo_model == "none") and not (discovered_wan_iface == "none") and discovered_wireless_iface == "eth0"
+#    user_wan_iface: "{{ discovered_wan_iface }}"
 #  when: not (discovered_wan_iface == "none") and not (xo_model == "none") and has_ifcfg_gw == "none"
 # 2021-07-30: Var 'xo_model' is being deprecated
 #- name: XO laptop wants USB WiFi interface as AP mode
 #  set_fact:
 #    iiab_wireless_lan_iface: "{{ discovered_lan_iface }}"
 #  when: num_wifi_interfaces >= "2" and not (xo_model == "none") and not (discovered_wan_iface == "none") and discovered_wireless_iface == "eth0"
 # static backout suppy new template file
 - name: gui-static-wan
--- a/roles/nextcloud/README.md
+++ b/roles/nextcloud/README.md
@ -1,4 +1,4 @@
-# Nextcloud
+# Nextcloud README
 Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org).
--- a/roles/nginx/templates/server.conf.j2
+++ b/roles/nginx/templates/server.conf.j2
@ -20,9 +20,10 @@ server {
        include fastcgi_params;
    }
-    location /cgi-bin {
+    # 2021-07-30: Security risk identified by @tim-moody
-        root /usr/lib;
+    #location /cgi-bin {
-    }
+    #    root /usr/lib;
    #}
    # if you don't like seeing all the errors for missing favicon.ico in root
    location = /favicon.ico { access_log off; log_not_found off; }
--- a/roles/openvpn/tasks/install.yml
+++ b/roles/openvpn/tasks/install.yml
@ -1,8 +1,9 @@
- name: Install OpenVPN and Nmap packages
+- name: "Install packages: nmap, openvpn, sudo"
  package:
    name:
      - openvpn
      - nmap
      - openvpn
      - sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
    state: present
 # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle
--- a/roles/pbx/README.rst
+++ b/roles/pbx/README.rst
@ -1,10 +1,27 @@
 .. |ss| raw:: html
   <strike>
 .. |se| raw:: html
   </strike>
 .. |nbsp| unicode:: 0xA0
   :trim:
 ==========
 PBX README
 ==========
-This 'pbx' playbook adds `Asterisk <https://asterisk.org/>`_ and `FreePBX <https://freepbx.org/>`_ to Internet-in-a-Box (IIAB) for VoIP and SIP functionality e.g. for rural telephony.
+This "pbx" playbook adds `Asterisk <https://asterisk.org/>`_ and `FreePBX <https://freepbx.org/>`_ to Internet-in-a-Box (IIAB) for VoIP and SIP functionality e.g. for rural telephony.
-This initial release (for IIAB 6.7 in February 2019) supports Ubuntu 18.04, Debian 9 "Stretch" — and experimentally supports Raspberry Pi: `#1467 <https://github.com/iiab/iiab/issues/1467>`_
+The initial release (for IIAB 6.7 in February 2019) supported Ubuntu 18.04, Debian 9 "Stretch" — and experimentally, Raspberry Pi: `#1467 <https://github.com/iiab/iiab/issues/1467>`_
 *2021-08-02 GOOD NEWS: IIAB has upgraded from Asterisk 16.x (released 2018-10-09) to 18.x (released 2020-10-20*, `docs <https://wiki.asterisk.org/wiki/display/AST/Asterisk+18+Documentation>`_): `PR #2896 <https://github.com/iiab/iiab/pull/2896>`_
 *2021-08-02 WORK IN PROGRESS: The latest versions of Ubuntu (20.04, 20.10, 21.04), Debian 11 "Bullseye" and the imminent Raspberry Pi OS 11 "Bullseye" all include PHP 7.4 — which does not work with FreePBX 15 — so IIAB is making the transition to* `FreePBX 16 Beta <https://www.freepbx.org/freepbx-16-beta-is-here/>`_ *which emerged on 2021-06-21:* `PR #2899 <https://github.com/iiab/iiab/pull/2899>`_
 *PLEASE UNDERSTAND THIS MEANS THAT: IIAB no longer supports FreePBX 15 (i.e. Linux distros with PHP <= 7.3, e.g. on Raspberry Pi OS 10 "Buster").  Thank you for your understanding, as we look to the future together!*
 What Asterisk & FreePBX Do
 --------------------------
@ -31,19 +48,21 @@ You can monitor the FreePBX service with command::
  systemctl status freepbx
-Raspberry Pi Known Issue
+Raspberry Pi Known Issues
------------------------
+-------------------------
-As of 2019-02-14, "systemctl restart freepbx" fails more than 50% of the time when run on a `BIG-sized <http://wiki.laptop.org/go/IIAB/FAQ#What_services_.28IIAB_apps.29_are_suggested_during_installation.3F>`_ install of IIAB 6.7 on RPi 3 or RPi 3 B+.
+|ss| As of 2019-02-14, "systemctl restart freepbx" failed more than 50% of the time when run on a `BIG-sized <http://wiki.laptop.org/go/IIAB/FAQ#What_services_.28IIAB_apps.29_are_suggested_during_installation.3F>`_ install of IIAB 6.7 on RPi 3 or RPi 3 B+.
-It is possible that FreePBX restarts much more reliably when run on a MIN-sized install of IIAB?  Please `contact us <http://wiki.laptop.org/go/IIAB/FAQ#What_are_the_best_places_for_community_support.3F>`_ if you can assist here in any way: `#1493 <https://github.com/iiab/iiab/issues/1493>`_
+It is possible that FreePBX restarts much more reliably when run on a MIN-sized install of IIAB?  Please `contact us <http://wiki.laptop.org/go/IIAB/FAQ#What_are_the_best_places_for_community_support.3F>`_ if you can assist here in any way: `#1493 <https://github.com/iiab/iiab/issues/1493>`_ |se|
 Raspberry Pi Zero W Warning
 ---------------------------
 Node.js applications like Asterisk/FreePBX, Node-RED and Sugarizer won't work on Raspberry Pi Zero W (ARMv6) if you installed Node.js while on RPi 3, 3 B+ (ARMv7) or RPi 4 (ARMv8).  If necessary, run ``apt remove nodejs`` or ``apt purge nodejs`` then ``rm /etc/apt/sources.list.d/nodesource.list; apt update`` then (`attempt! <https://nodered.org/docs/hardware/raspberrypi#swapping-sd-cards>`_) to `install Node.js <https://github.com/iiab/iiab/blob/master/roles/nodejs/tasks/main.yml>`_ *on the Raspberry Pi Zero W itself* (a better approach than "cd /opt/iiab/iiab; ./runrole nodejs" is to try ``apt install nodejs`` or try installing the tar file mentioned at `#2082 <https://github.com/iiab/iiab/issues/2082#issuecomment-569344617>`_).  You might also need ``apt install npm``.  Whatever versions of Node.js and npm you install, make sure ``/etc/iiab/iiab_state.yml`` contains the line ``nodejs_installed: True`` (add it if nec!)  Finally, proceed to install Asterisk/FreePBX, Node-RED and/or Sugarizer.  `#1799 <https://github.com/iiab/iiab/issues/1799>`_
 Please also check the "Known Issues" at the bottom of `IIAB's latest release notes <https://github.com/iiab/iiab/wiki#our-evolution>`_.
 Attribution
 -----------
-This 'pbx' playbook was heavily inspired by Yannik Sembritzki's `Asterisk <https://github.com/Yannik/ansible-role-asterisk>`_ and `FreePBX <https://github.com/Yannik/ansible-role-freepbx>`_ Ansible work, Thank You!
+This "pbx" playbook was heavily inspired by Yannik Sembritzki's `Asterisk <https://github.com/Yannik/ansible-role-asterisk>`_ and `FreePBX <https://github.com/Yannik/ansible-role-freepbx>`_ Ansible work, Thank You!
--- a/roles/pbx/defaults/main.yml
+++ b/roles/pbx/defaults/main.yml
@ -1,5 +1,6 @@
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# Works on Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi 3.
+# 2019: Worked on Ubuntu 18.04, Debian 9 w/ Node.js 10.x, and seemingly RPi 3+.
 # 2021-08-03: Attempts FreePBX 16 Beta -- as required w/ PHP 7.4 OS's for #2897
 # pbx_install: False
 # pbx_enabled: False
@ -14,14 +15,12 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 #pbx_installed: False
 asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk/
-asterisk_src_file: asterisk-16-current.tar.gz
+asterisk_src_file: asterisk-18-current.tar.gz
 asterisk_src_dir: /opt/iiab/asterisk
-freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/
+freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/7.4/
-freepbx_src_file: freepbx-15.0-latest.tgz
+freepbx_src_file: freepbx-16.0-latest.tgz    # Beta as of 2021-06-21 but looking great!  Does NOT support PHP < 7.4 (you've been warned!)  Please review https://github.com/iiab/iiab/blob/master/roles/pbx/README.rst
 freepbx_src_dir: /opt/iiab/freepbx
 freepbx_install_dir: /var/www/html/freepbx
--- a/roles/pbx/tasks/asterisk.yml
+++ b/roles/pbx/tasks/asterisk.yml
@ -1,30 +1,31 @@
- name: Asterisk - Install dependencies
+# 2021-08-03: Asterisk's own install_prereq (below) handles these?
-  include: asterisk_dependencies.yml
+#- name: Asterisk - Install dependencies
 #  include: asterisk_dependencies.yml
- name: Asterisk - Download software to /opt/iiab/downloads
+- name: Asterisk - Download software to {{ downloads_dir }}
  get_url:
    url: "{{ asterisk_url }}/{{ asterisk_src_file }}"
-    dest: "{{ downloads_dir }}/{{ asterisk_src_file }}"
+    dest: "{{ downloads_dir }}/{{ asterisk_src_file }}"    # e.g. /opt/iiab/downloads/asterisk-18-current.tar.gz
    timeout: "{{ download_timeout }}"
  when: internet_available
- name: Asterisk - Check for /opt/iiab/downloads/{{ asterisk_src_file }}
+- name: Asterisk - Check for {{ downloads_dir }}/{{ asterisk_src_file }}
  stat:
    path: "{{ downloads_dir }}/{{ asterisk_src_file }}"
  register: asterisk_src
- name: Asterisk - FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ asterisk_src_file }} doesn't exist
+- name: Asterisk - FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ asterisk_src_file }} doesn't exist
  fail:
-    msg: "{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED in order to install."
+    msg: "{{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED in order to install."
  when: not asterisk_src.stat.exists
- name: Asterisk - Create install source directory
+- name: Asterisk - Create install source dir {{ asterisk_src_dir }}
-  file: 
+  file:
-    path: "{{ asterisk_src_dir }}"
+    path: "{{ asterisk_src_dir }}"    # /opt/iiab/asterisk
    state: directory
 - name: Asterisk - Extract source
-  unarchive: 
+  unarchive:
    src: "{{ downloads_dir }}/{{ asterisk_src_file }}"
    dest: "{{ asterisk_src_dir }}"
    owner: root
@ -32,53 +33,58 @@
    extra_opts: [--strip-components=1]
    creates: "{{ asterisk_src_dir }}/Makefile"
 # 2021-08-03: Asterisk's install_prereq script (stanza just below) installs
 # 'aptitude' regardless, within handle_debian() here:
 # https://github.com/asterisk/asterisk/blob/master/contrib/scripts/install_prereq#L262-L271
 #
 #- name: Asterisk - Install aptitude (otherwise install_prereq fails?)
 #  package:
 #    name: aptitude
 #    state: latest
 - name: Asterisk - Run 'install_prereq install' for dependencies - CAN TAKE 5 MIN OR LONGER!
  shell: export DEBIAN_FRONTEND=noninteractive && ./contrib/scripts/install_prereq install
  args:
    chdir: "{{ asterisk_src_dir }}"
 # 2021-08-03: Requires subversion (installed just above)
 - name: Asterisk - Download mp3 decoder library into source tree
-  command: "./contrib/scripts/get_mp3_source.sh"
+  command: ./contrib/scripts/get_mp3_source.sh
  args:
    chdir: "{{ asterisk_src_dir }}"
    creates: "addons/mp3/mpg123.h"
 - name: Asterisk - Install aptitude (otherwise install_prereq fails?)
  package: 
    name: aptitude
    state: latest
 - name: Asterisk - Ensure all dependencies are resolved - CAN TAKE 5 MIN OR LONGER!
  shell: export DEBIAN_FRONTEND=noninteractive && ./contrib/scripts/install_prereq install 
  args:
    chdir: "{{ asterisk_src_dir }}"
    creates: addons/mp3/mpg123.h
 - name: Asterisk - Run the configure script
-  command: "./configure --with-jansson-bundled"
+  command: ./configure --with-jansson-bundled
  args:
    chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run make menuselect.makeopts
+- name: Asterisk - Run 'make menuselect.makeopts'
-  command: "make menuselect.makeopts"
+  command: make menuselect.makeopts
  args:
    chdir: "{{ asterisk_src_dir }}"
-    creates: "menuselect.makeopts"  
+    creates: menuselect.makeopts
 - name: Asterisk - Do a bit of menuselect configuration
  command: >
    menuselect/menuselect --enable app_macro --enable format_mp3
    --enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722
    --enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 --enable EXTRA-SOUNDS-EN-GSM
-    --disable-category MENUSELECT_MOH        
+    --disable-category MENUSELECT_MOH
  args:
    chdir: "{{ asterisk_src_dir }}"
 - name: Asterisk - Run 'make' - CAN TAKE 30 MIN OR LONGER!
-  command: make 
+  command: make
  args:
    chdir: "{{ asterisk_src_dir }}"
-    creates: "defaults.h"
+    creates: defaults.h
 - name: Asterisk - Run 'make install' - CAN TAKE 2 MIN OR LONGER!
  command: make install
  args:
    chdir: "{{ asterisk_src_dir }}"
-    creates: "/usr/sbin/asterisk"
+    creates: /usr/sbin/asterisk
 - name: Asterisk - Run 'make config'
  command: make config
@ -100,19 +106,19 @@
    name: asterisk
    state: present
- name: Asterisk - Ensure user 'asterisk' exists, and belongs to the required groups
+- name: "Asterisk - Ensure user 'asterisk' exists, and belongs to groups: audio,dialout"
  user:
    name: asterisk
    group: asterisk
    groups: audio,dialout
-    home: "/var/lib/asterisk"
+    home: /var/lib/asterisk
    system: yes
    append: yes
- name: 'Asterisk - Set ownership of 5 directories: /etc/asterisk, /var/lib/asterisk, /var/log/asterisk, /var/spool/asterisk, /usr/lib/asterisk'
+- name: "Asterisk - Set ownership (asterisk:asterisk) for 5 directories: /etc/asterisk, /var/lib/asterisk, /var/log/asterisk, /var/spool/asterisk, /usr/lib/asterisk"
-  file: 
+  file:
-    dest: "{{ item }}" 
+    dest: "{{ item }}"
-    owner: asterisk 
+    owner: asterisk
    group: asterisk
    recurse: yes
  with_items:
--- a/roles/pbx/tasks/asterisk_dependencies.yml.unused
+++ b/roles/pbx/tasks/asterisk_dependencies.yml.unused
--- a/roles/pbx/tasks/enable-or-disable.yml
+++ b/roles/pbx/tasks/enable-or-disable.yml
@ -0,0 +1,44 @@
 - name: Enable & (Re)start 'asterisk' systemd service (if pbx_enabled)
  systemd:
    daemon_reload: yes
    name: asterisk
    enabled: yes
    state: restarted
  when: pbx_enabled
 - name: Disable & Stop 'asterisk' systemd service (if not pbx_enabled)
  systemd:
    daemon_reload: yes
    name: asterisk
    enabled: no
    state: stopped
  when: not pbx_enabled
 - name: Enable & (Re)start 'freepbx' systemd service (if pbx_enabled)
  systemd:
    name: freepbx
    enabled: yes
    state: restarted
  when: pbx_enabled
 - name: Disable & Stop 'freepbx' systemd service (if not pbx_enabled)
  systemd:
    name: freepbx
    enabled: no
    state: stopped
  when: not pbx_enabled
 - name: Enable http://box:{{ pbx_http_port }}/freepbx via Apache, if pbx_enabled    # http://box:83/freepbx
  command: a2ensite freepbx.conf
  when: pbx_enabled
 - name: Disable http://box:{{ pbx_http_port }}/freepbx via Apache, if not pbx_enabled
  command: a2dissite freepbx.conf
  when: not pbx_enabled
 - name: Restart Apache service ({{ apache_service }})
  systemd:
    name: "{{ apache_service }}"    # httpd or apache2
    state: restarted
--- a/roles/pbx/tasks/freepbx.yml
+++ b/roles/pbx/tasks/freepbx.yml
@ -1,10 +1,10 @@
 - name: FreePBX - Install dependencies
  include: freepbx_dependencies.yml
- name: FreePBX - Download software to /opt/iiab/downloads
+- name: FreePBX - Download software to {{ downloads_dir }}/{{ freepbx_src_file }}
  get_url:
    url: "{{ freepbx_url }}/{{ freepbx_src_file }}"
-    dest: "{{ downloads_dir }}/{{ freepbx_src_file }}"
+    dest: "{{ downloads_dir }}/{{ freepbx_src_file }}"    # e.g. /opt/iiab/downloads/freepbx-16.0-latest.tgz
    timeout: "{{ download_timeout }}"
  when: internet_available
@ -18,13 +18,13 @@
    msg: "{ downloads_dir }}/{{ freepbx_src_file }} is REQUIRED in order to install."
  when: not freepbx_src.stat.exists
- name: FreePBX - Create install source directory
+- name: FreePBX - Create install source dir {{ freepbx_src_dir }}
-  file: 
+  file:
-    path: "{{ freepbx_src_dir }}"
+    path: "{{ freepbx_src_dir }}"    # /opt/iiab/freepbx
    state: directory
 - name: FreePBX - Extract source
-  unarchive: 
+  unarchive:
    src: "{{ downloads_dir }}/{{ freepbx_src_file }}"
    dest: "{{ freepbx_src_dir }}"
    owner: root
@ -34,43 +34,43 @@
 - name: FreePBX - Patch FreePBX source - IIAB Bug 1685
  patch:
-    src: "roles/pbx/templates/71-freepbx-framework.patch"
+    src: roles/pbx/templates/71-freepbx-framework.patch
    dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/BMO/Framework.class.php"
 - name: FreePBX - Patch FreePBX source - wants [] not {}
  patch:
-    src: "roles/pbx/templates/pbx.patch"
+    src: roles/pbx/templates/pbx.patch
    dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/Composer/vendor/neitanod/forceutf8/src/ForceUTF8/Encoding.php"
- name: FreePBX - Disable & Stop asterisk service
+- name: FreePBX - Disable & Stop 'asterisk' systemd service
  systemd:
    daemon_reload: yes
    name: asterisk
    enabled: no
    state: stopped
- name: FreePBX - Add mysql user
+- name: FreePBX - Add MySQL user ({{ asterisk_db_user }})
  mysql_user:
    name: "{{ asterisk_db_user }}"
    password: "{{ asterisk_db_password }}"
    priv: "{{ asterisk_db_dbname }}.*:ALL/{{ asterisk_db_cdrdbname }}.*:ALL"
-#    login_host: "{{ asterisk_db_host }}"
+    # login_host: "{{ asterisk_db_host }}"
-#    login_user: "root"
+    # login_user: root
-#    login_password: "{{ mysql_root_password }}"
+    # login_password: "{{ mysql_root_password }}"
    host: "{{ (asterisk_db_host == 'localhost') | ternary('localhost', ansible_default_ipv4.address) }}"
    state: present
- name: FreePBX - Add mysql db
+- name: FreePBX - Add MySQL db ({{ asterisk_db_dbname }})
  mysql_db:
    name: "{{ asterisk_db_dbname }}"
    encoding: utf8
    collation: utf8_general_ci
-#    login_host: "{{ asterisk_db_host }}"
+    # login_host: "{{ asterisk_db_host }}"
-#    login_user: "root"
+    # login_user: root
-#    login_password: "{{ mysql_root_password }}"
+    # login_password: "{{ mysql_root_password }}"
    state: present
- name: FreePBX - Add cdr mysql db
+- name: FreePBX - Add cdr MySQL db ({{ asterisk_db_cdrdbname }})
  mysql_db:
    name: "{{ asterisk_db_cdrdbname }}"
    encoding: utf8
@ -78,7 +78,7 @@
    login_host: "{{ asterisk_db_host }}"
    state: present
- name: FreePBX - Don't let freepbx take over the php sessions dir
+- name: FreePBX - Prevent /etc/asterisk/freepbx_chown.conf take over of /var/lib/php/sessions
  blockinfile:
    content: |
      [blacklist]
@ -89,18 +89,18 @@
    group: asterisk
    create: yes
- name: FreePBX - Create php sessions directory
+- name: FreePBX - Create new php sessions dir /var/lib/php/asterisk_sessions/
-  file: 
+  file:
-    path: "/var/lib/php/asterisk_sessions/"
+    path: /var/lib/php/asterisk_sessions/
    state: directory
- name: FreePBX - Set ownership for php sessions directory
+- name: FreePBX - Set ownership for new php sessions dir (asterisk:asterisk)
-  file: 
+  file:
-    dest: "/var/lib/php/asterisk_sessions/" 
+    dest: /var/lib/php/asterisk_sessions/
-    owner: asterisk 
+    owner: asterisk
    group: asterisk
    recurse: yes
- 
+
 - name: FreePBX - Install (just run once) - CAN TAKE 12 MIN OR LONGER!
  command: ./start_asterisk start
  args:
@ -113,35 +113,31 @@
    chdir: "{{ freepbx_src_dir }}"
    creates: "{{ freepbx_install_dir }}"
- name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc()
+# 2021-08-02: FreePBX 16 seems to no longer need this FreePBX 15 patch?
-  patch:
+# - name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc()
-    src: "roles/pbx/templates/pbx2.patch"
+#   patch:
-    dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php"
+#     src: roles/pbx/templates/pbx2.patch
 #     dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php"
- name: FreePBX - Create /etc/odbc.ini
+- name: FreePBX - Install /etc/odbc.ini from template (root:root, 0644 by default)
  template:
    src: odbc.ini.j2
    dest: /etc/odbc.ini
    # owner: root
    # group: root
    # mode: '0644'
- name: FreePBX - Install Apache's sites-available/freepbx.conf from template
+- name: FreePBX - Install /etc/apache2/sites-available/freepbx.conf from template ({{ apache_user }}:{{ apache_user }}, 0644 by default)
  template:
    src: freepbx.conf.j2
    dest: /etc/apache2/sites-available/freepbx.conf
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
    mode: '0644'
- name: FreePBX - Add {{ pbx_http_port }} as a Listen directive to apache ports.conf
+- name: FreePBX - Add directive "Listen {{ pbx_http_port }}" to /etc/apache2/ports.conf
  lineinfile:
    path: /etc/apache2/ports.conf
    line: "Listen {{ pbx_http_port }}"
-    insertafter: Listen 80  
+    # insertafter: Listen 80
- name: FreePBX - Install /etc/systemd/system/freepbx.service systemd unit file from template
+- name: FreePBX - Install /etc/systemd/system/freepbx.service systemd unit file from template (root:root, 0644 by default)
  template:
    src: freepbx.service.j2
    dest: /etc/systemd/system/freepbx.service
    # mode: '0755'    # Let's go with '0644' per unit file norms
--- a/roles/pbx/tasks/freepbx_dependencies.yml
+++ b/roles/pbx/tasks/freepbx_dependencies.yml
@ -8,24 +8,24 @@
      - net-tools    # required by FWConsole (command-line utility, that controls FreePBX)
      - cron         # required by FreePBX UCP package (User Control Panel)
      - sox          # required for CDR web-playback
-      #- php{{ php_version }}           # Basically drags in phpX.Y-cgi (already below!)
+      #- php{{ php_version }}            # Basically drags in phpX.Y-cgi (already below!)
-      - php{{ php_version }}-bcmath     # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-bcmath      # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - php{{ php_version }}-cgi
-      #- php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
+      #- php{{ php_version }}-common     # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - php{{ php_version }}-curl       # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-curl        # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
-      - php{{ php_version }}-fpm        # Likewise installed in nginx/tasks/install.yml
+      - php{{ php_version }}-fpm         # Likewise installed in nginx/tasks/install.yml
      #- php{{ php_version }}-gettext
-      - php{{ php_version }}-gd         # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml
+      - php{{ php_version }}-gd          # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml
      - php{{ php_version }}-imap
-      #- php{{ php_version }}-json      # See stanza just below
+      #- php{{ php_version }}-json       # See stanza just below
-      - php{{ php_version }}-mbstring   # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-mbstring    # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
-      - php{{ php_version }}-mysql      # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-mysql       # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
-      - php-pear                        # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
+      - php-pear                         # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
      - php{{ php_version }}-snmp
-      - php{{ php_version }}-xml        # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
+      - php{{ php_version }}-xml         # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
-      - php{{ php_version }}-zip        # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-zip         # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - libapache2-mod-php
-      #- python-mysqldb        # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
+      #- python-mysqldb       # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
      - libapache2-mpm-itk    # To serve FreePBX through a VirtualHost as asterisk user
    state: latest
--- a/roles/pbx/tasks/freepbx_enable.yml
+++ b/roles/pbx/tasks/freepbx_enable.yml
@ -1,28 +0,0 @@
 - name: FreePBX - Enable & (Re)start 'freepbx' systemd service (if pbx_enabled)
  systemd:
    daemon_reload: yes
    name: freepbx
    enabled: yes
    state: restarted
  when: pbx_enabled
 - name: FreePBX - Disable & Stop 'freepbx' systemd service (if not pbx_enabled)
  systemd:
    daemon_reload: yes
    name: freepbx
    enabled: no
    state: stopped
  when: not pbx_enabled
 - name: FreePBX - Enable http://box:{{ pbx_http_port }} via Apache, if pbx_enabled    # http://box:83
  command: a2ensite freepbx.conf
  when: pbx_enabled
 - name: FreePBX - Disable http://box:{{ pbx_http_port }} via Apache, if not pbx_enabled    # http://box:83
  command: a2dissite freepbx.conf
  when: not pbx_enabled
 - name: FreePBX - Restart Apache service ({{ apache_service }})
  systemd:
    name: "{{ apache_service }}"    # httpd or apache2
    state: restarted
--- a/roles/pbx/tasks/install.yml
+++ b/roles/pbx/tasks/install.yml
@ -1,10 +1,5 @@
- debug:    # Crazy spacing below is tuned for 80-column screens
+- name: "ONLY PHP 7.4 IS SUPPORTED AS OF AUG 2021 -- PLEASE READ: https://github.com/iiab/iiab/tree/master/roles/pbx/#pbx-readme"
-    msg: >-
+  meta: noop
      ####################################################################WARNING:
      ONLY UBUNTU 18.04, DEBIAN 9 & RASPBIAN ARE SUPPORTED AS OF FEB 2019.   Please
      assist Internet-in-a-Box communities worldwide if you can make
      Asterisk  and FreePBX work on other OS's / distros, Thank
      You!  http://FAQ.IIAB.IO        ###############################################################################
 - name: "Set 'nodejs_install: True' and 'nodejs_enabled: True'"
@ -37,7 +32,7 @@
    name: httpd
-# 2021-07-27: taken care of by main.yml
+# 2021-07-27: Taken care of by main.yml
 #- name: TODO: Check if asterisk and freepbx are already installed
 #
 #- name: Check if /etc/systemd/system/freepbx.service is already installed
@ -50,10 +45,11 @@
 #      FreePBX already installed. Reinstall shall be skipped
 #  when: freepbx_installed.stat.exists
- name: Install 'make' package
+# 2021-08-03: Taken care of by asterisk.yml's scripts/install_prereq
-  package:
+#- name: Install 'make' package
-    name: make
+#  package:
-    state: present
+#    name: make
 #    state: present
 - name: Install Asterisk
  include_tasks: asterisk.yml
--- a/roles/pbx/tasks/main.yml
+++ b/roles/pbx/tasks/main.yml
@ -23,14 +23,14 @@
  include_tasks: install.yml
  when: pbx_installed is undefined
- name: Enable FreePBX (debuntu)
+
-  include_tasks: freepbx_enable.yml
+- include_tasks: enable-or-disable.yml
  when: pbx_installed is defined
 - name: Asterisk - Install chan_dongle
  include: chan_dongle.yml
  when: asterisk_chan_dongle
 - name: Add 'pbx' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
--- a/roles/pbx/templates/pbx2.patch.unused
+++ b/roles/pbx/templates/pbx2.patch.unused
--- a/roles/www_options/tasks/main.yml
+++ b/roles/www_options/tasks/main.yml
@ -85,18 +85,18 @@
      - { regexp: '^max_input_vars', line: 'max_input_vars = 1000    ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' }
    when: not nginx_high_php_limits and not moodle_install    # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install
  # WARNING: This might cause excess use of RAM/disk or other resources!
  # The first 5 values below were chosen by @ericnitschke and @kananigit on
  # 2018-09-19: https://github.com/iiab/iiab/issues/1147
  # 2020-03-08: IIAB DOES NOT SUPPORT UNINSTALLING APPS, so additional
  # clauses (to reset/restore PHP's defaults) are not necessary at this time.
  # 2021-06-28: WITH PHP 8, MOODLE'S CLI INSTALLER UNFORTUNATELY *REQUIRES*
-  # editing /etc/php/{{ php_version }}/cli/php.ini (below) -- even though during
+  # editing /etc/php/{{ php_version }}/cli/php.ini (below) -- though during
-  # regular operation it instead uses .../apache2/php.ini or .../fpm/php.ini
+  # regular operation it uses:     .../fpm/php.ini
-  #
+  # And in the past it used:       .../apache2/php.ini
  # SEE ALSO roles/moodle/tasks/install.yml WHERE SIMILAR SURGERY'S DONE TO
  # /etc/php/{{ php_version }}/apache2/php.ini UNTIL MOODLE'S PORTED TO NGINX!
  # WARNING: This might cause excess use of RAM/disk or other resources!
  # The 5 first values below were chosen by @ericnitschke and @kananigit in ~2018.
  - name: "Enact 'nginx_high_php_limits: True' in /etc/php/{{ php_version }}/fpm/php.ini for schools that use WordPress/Moodle/Nextcloud/PBX intensively (allow photos/docs up to 500MB, 300s timeouts, memory_limit = 512M for Nextcloud, max_input_vars = 5000 for Moodle)"
    lineinfile:
      path: /etc/php/{{ php_version }}/fpm/php.ini    # COMPARE /etc/php/{{ php_version }}/cli/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini
--- a/scripts/local_facts.fact
+++ b/scripts/local_facts.fact
@ -3,7 +3,7 @@
 # Higher-level purpose explained at the bottom of:
 # https://github.com/iiab/iiab/blob/master/vars/default_vars.yml
-# 2020-10-27: Most of the 11 variables require a command[*] to be run to
+# 2020-10-27: Most of the 10 variables require a command[*] to be run to
 # establish the var's value.  WE DISPLAY ALL ERRORS / DIAGNOSTICS AND CONTINUE.
 #
 # [*] DOESN'T MATTER WHAT COMMAND: so long as it fails with Return Code != 0
@ -14,7 +14,7 @@ OS="none"
 VERSION_ID="none"    # This var's combined with the above, before being output
 IIAB_BRANCH="none"
 IIAB_COMMIT="none"
-XO_MODEL="none"
+#XO_MODEL="none"
 RPI_MODEL="none"
 ANSIBLE_VERSION="none"
 DHCPCD="none"    # The last 3 conditioned on string output not RC.  SEE BELOW.
@ -52,6 +52,7 @@ OS_VER=$OS-$VERSION_ID
    #"fedora-22"    | \
    #"debian-8"     | \
    #"debian-9"     | \
    #"debian-10"    | \
    #"ubuntu-16"    | \
    #"ubuntu-17"    | \
    #"ubuntu-18"    | \
@ -60,23 +61,23 @@ OS_VER=$OS-$VERSION_ID
    #"raspbian-8"   | \
    #"raspbian-9"   | \
 # 2020-10-21: Debian 11 (Bullseye) not yet supported but adding this line to
 # its /etc/os-release can help testing this unreleased OS: VERSION_ID="11"
 # 2021-06-19: Ubuntu 21.10 (Impish Indri) not yet supported but this
 # unreleased OS can help testing.  For now this means MANUALLY changing
 # php_version: 7.4 to 8.0 in /opt/iiab/iiab/vars/ubuntu-21.yml
 # 2020-07-31: Debian 12 (Bookworm) not yet supported but adding this line
 # to its /etc/os-release can help testing this upcoming OS: VERSION_ID="12"
 case $OS_VER in
    "debian-10"    | \
    "debian-11"    | \
    "debian-12"    | \
    "ubuntu-20"    | \
    "ubuntu-21"    | \
    "linuxmint-20" | \
    "raspbian-10"  | \
    "raspbian-11")
       ;;
-    *) OS_VER="OS_not_supported"
+    *) OS_VER="OS Not Supported -- Plz Read: https://github.com/iiab/iiab/wiki/IIAB-Platforms"
       ;;
 esac
@ -87,8 +88,8 @@ tmp=$(git rev-parse --abbrev-ref HEAD) &&
 tmp=$(git rev-parse --verify HEAD) &&
    IIAB_COMMIT=$tmp
-tmp=$(cat /proc/device-tree/mfg-data/MN) &&
+#tmp=$(cat /proc/device-tree/mfg-data/MN) &&
-    XO_MODEL=$tmp
+#    XO_MODEL=$tmp
 tmp=$(cat /proc/device-tree/model) &&
    RPI_MODEL=$tmp
@ -128,9 +129,10 @@ cat <<EOF
 "systemd_networkd"        : "$SYSTEMD_NETWORKD",
 "iiab_branch"             : "$IIAB_BRANCH",
 "iiab_commit"             : "$IIAB_COMMIT",
 "xo_model"                : "$XO_MODEL",
 "rpi_model"               : "$RPI_MODEL",
 "ansible_version"         : "$ANSIBLE_VERSION",
 "os"                      : "$OS",
 "os_ver"                  : "$OS_VER"}
 EOF
 #"xo_model"                : "$XO_MODEL",
--- a/vars/debian-12.yml
+++ b/vars/debian-12.yml
@ -0,0 +1,29 @@
 # Every is_<OS> var is initially set to 'False' at the bottom of
 # /opt/iiab/iiab/vars/default_vars.yml -- these 'True' lines override that:
 is_debuntu: True
 is_debian: True    # Opposite of is_ubuntu for now
 is_debian_12: True
 # 2019-01-31: These apply if-only-if named_install and/or dhcpd_install are True
 # (This is quite rare now that vars/default_vars.yml sets dnsmasq_install: True)
 dns_service: bind9
 dhcp_service: isc-dhcp-server
 dns_user: bind
 proxy: squid
 proxy_user: proxy
 apache_service: apache2
 apache_conf_dir: apache2/sites-available
 apache_user: www-data
 apache_log_dir: /var/log/apache2
 smb_service: smbd
 nmb_service: nmbd
 systemctl_program: /bin/systemctl
 mysql_service: mariadb
 apache_log: /var/log/apache2/access.log
 sshd_package: openssh-server
 sshd_service: ssh
 php_version: 8.0
 postgresql_version: 13
 systemd_location: /lib/systemd/system
 python_ver: 3.9
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -43,8 +43,8 @@ py3_dist_path: /usr/lib/python3/dist-packages
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
-# Real-time clock: set RTC chip family here.  Future auto-detection plausible?
+# Real-time clock: RTC chip family.  Future auto-detection plausible?
-# rtc_id: ds3231
+rtc_id: none    # Or ds3231 ?  Used in 1-prep/tasks/raspberry_pi.yml
 # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
@ -706,6 +706,7 @@ is_linuxmint: False    # Subset of is_ubuntu
 is_linuxmint_20: False
 is_debian: False    # Covers both: Debian, Raspberry Pi OS (Raspbian)
 is_debian_12: False
 is_debian_11: False
 is_debian_10: False
 is_debian_9: False
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -16,7 +16,7 @@
 download_timeout: 200
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
-# rtc_id: ds3231
+rtc_id: none    # Or ds3231 ?
 # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -16,7 +16,7 @@
 download_timeout: 200
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
-# rtc_id: ds3231
+rtc_id: none    # Or ds3231 ?
 # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@ -16,7 +16,7 @@
 download_timeout: 200
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
-# rtc_id: ds3231
+rtc_id: none    # Or ds3231 ?
 # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
`@ -1,4 +1,4 @@`
	`# Nextcloud`	`# Nextcloud README`

	`Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org).`	`Students and teachers can store their documents, calendars, contacts and photos locally within [Nextcloud](https://nextcloud.com), which is much like having a (local) version of Dropbox or Google Drive on your very own [Internet-in-a-Box](http://internet-in-a-box.org).`