Merge pull request #2189 from holta/scaff2

Scaffolding 2.0 for supermodel playbooks e.g. wordpress, munin, captiveportal
2025-03-09 15:40:17 +00:00 · 2020-01-23 23:50:14 -05:00 · 2020-01-23 23:50:14 -05:00 · 9d4dd4c4fd
commit 9d4dd4c4fd
parent 016b914037 ee4f51d36a
23 changed files with 289 additions and 206 deletions
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -33,10 +33,28 @@
  setup:
    filter: ansible_local

-# 2020-01-21: checks 46+46 vars...for now...expect validate_vars.yml to change!
- name: Pre-check that IIAB's "XYZ_install" + "XYZ_enabled" vars (1) are defined, (2) are boolean-not-string variables, and (3) contain plausible values
+- name: Pre-check that IIAB's "XYZ_install" + "XYZ_enabled" vars (1) are defined, (2) are boolean-not-string variables, and (3) contain plausible values.  Also checks that "XYZ_install" is True when "XYZ_installed" is defined.
  include_tasks: validate_vars.yml

+# SEE: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+- name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'.  Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install."
+  set_fact:
+    apache_install: True
+    apache_enabled: True
+  when: not nginx_enabled or dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install
+#
+#- name: "Verify 'apache_install: True' and 'apache_enabled: True' if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install"
+#  assert:
+#    that: apache_install and apache_enabled or not (dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install)
+#    fail_msg: "PLEASE CONFIRM 'apache_install: True' AND 'apache_enable: True' IF YOU'RE TRYING TO INSTALL ANY OF {dokuwiki, elgg, lokole, moodle, nextcloud, nodered} e.g. IN: /etc/iiab/local_vars.yml"
+#    quiet: yes
+#
+#- name: "Verify 'apache_install: True' and 'apache_enabled: True' if 'nginx_enabled: False' -- e.g. for Apache testing of older playbooks lacking full NGINX support"
+#  assert:
+#    that: apache_install and apache_enabled or nginx_enabled
+#    fail_msg: "PLEASE CONFIRM 'apache_install: True' AND 'apache_enable: True' IF 'nginx_enabled: False' e.g. IN: /etc/iiab/local_vars.yml"
+#    quiet: yes
+
 - name: Set top-level variables from local_facts for convenience
  set_fact:
    xo_model: "{{ ansible_local.local_facts.xo_model }}"
@ -47,8 +65,8 @@
  set_fact:
    rpi_model: "rpi"
    is_rpi: True
-#      no_net_restart: True
-#      nobridge: True
+    #no_net_restart: True
+    #nobridge: True
  when: ansible_local.local_facts.os == "raspbian"

 - name: Set exFAT_enabled if xo_model != "none"
@ -78,11 +96,11 @@
  get_url:
    url: "{{ iiab_download_url }}/heart-beat.txt"
    dest: /tmp/heart-beat.txt
-    # timeout: "{{ download_timeout }}"
+    #timeout: "{{ download_timeout }}"
    # @jvonau recommends: 100sec is too much (keep 10sec default)
  ignore_errors: True
-# async: 10
-# poll: 2
+  #async: 10
+  #poll: 2
  register: internet_access_test

 - name: Set internet_available if download succeeded and not disregard_network
@ -109,12 +127,6 @@
    gui_port: 443
  when: adm_cons_force_ssl | bool

-# SEE: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
- name: "Set 'apache_enabled: True' if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install"
-  set_fact:
-    apache_enabled: True
-  when: dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install
-
 - name: Turn on both vars for MySQL (mandatory in Stage 3!)
  set_fact:
    mysql_install: True
--- a/roles/9-local-addons/tasks/main.yml
+++ b/roles/9-local-addons/tasks/main.yml
@ -7,7 +7,6 @@
  include_role:
    name: internetarchive
  when: internetarchive_install | bool
-  #tags: internetarchive

 # Is porting to Python 3 complete, and if so does this belong elsewhere?
 - name: CAPTIVE PORTAL
@ -15,43 +14,41 @@
    name: captiveportal
  #include_tasks: roles/captiveportal/tasks/main.yml
  when: captiveportal_install | bool
-  #tags: base, captiveportal, network, domain

 - name: MINETEST
  include_role:
    name: minetest
  when: minetest_install | bool
-  #tags: minetest

 # KEEP AT THE END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
  include_role:
    name: calibre
  when: calibre_install | bool
-  #tags: calibre

 - name: CALIBRE-WEB
  include_role:
    name: calibre-web
  when: calibreweb_install | bool
-  #tags: calibre-web

 # Could split these two below to Stage 10?

- name: Configure NGINX (already installed in Stage 3-BASE-SERVER)
-  # If just CONFIGURING, should we use one of the following instead ??
-  # include_tasks: roles/nginx/tasks/setup.yml
-  # include_tasks: roles/nginx/tasks/enable.yml
+- name: Fully Enable / Configure NGINX (already installed in Stage 3-BASE-SERVER) if 'nginx_enabled' is True
  include_role:
    name: nginx
-  when: nginx_install | bool
-  #tags: base, nginx
+  when: nginx_enabled | bool    # WAS: nginx_install
+# If just CONFIGURING (etc) shouldn't we use one of the following instead ??
+# include_tasks: roles/nginx/tasks/setup.yml
+# include_tasks: roles/nginx/tasks/enable.yml

- name: Configure Apache systemd service ({{ apache_service }})
+- name: Fully Enable / Configure Apache systemd service ({{ apache_service }}) if 'apache_enabled' is True
  include_role:
    name: httpd-enable
-  when: apache_install | bool
-  #tags: base, httpd
+  when: apache_enabled | bool    # WAS: apache_install
+# WARNING THAT APACHE IS AUTO-ENABLED BY THESE ~6 APPS ALONE!
+# https://github.com/holta/iiab/blob/scaff2/roles/0-init/tasks/main.yml#L40-L44
+# Summarized @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+# 2020-01-23: APACHE FUTURE SUMMARY QUESTIONS @ roles/httpd/tasks/main.yml

 - name: Recording STAGE 9 HAS COMPLETED ====================
  lineinfile:
--- a/roles/captiveportal/tasks/main.yml
+++ b/roles/captiveportal/tasks/main.yml
@ -2,7 +2,7 @@
 # I want to perform input validation for Ansible playbooks"
 # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499

-# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
 # to re-check whether vars are defined here.  As Ansible vars cannot be unset:
 # https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible

@ -11,24 +11,23 @@
    that: captiveportal_install is sameas true
    fail_msg: "PLEASE SET 'captiveportal_install: True' e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: captiveportal_install is defined and captiveportal_install is sameas true
-    #success_msg: captiveportal_install is defined and captiveportal_install is sameas true

 - name: Assert that "captiveportal_enabled | type_debug == 'bool'" (boolean not string etc)
  assert:
    that: captiveportal_enabled | type_debug == 'bool'
    fail_msg: "PLEASE GIVE VARIABLE 'captiveportal_enabled' A PROPER (UNQUOTED) BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: captiveportal_enabled is defined and captiveportal_enabled | type_debug == 'bool'
-    #success_msg: captiveportal_enabled is defined and captiveportal_enabled | type_debug == 'bool'
+

 - name: Install Captive Portal if 'captiveportal_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: captiveportal_installed is undefined

+
 - name: Enable or Disable Captive Portal	
  include_tasks: enable-or-disable.yml

+
 - name: Add 'captiveportal' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/captiveportal/templates/capture-wsgi.py.j2
+++ b/roles/captiveportal/templates/capture-wsgi.py.j2
@ -39,8 +39,10 @@ doc_root = get_iiab_env("WWWROOT")
 fully_qualified_domain_name = get_iiab_env("FQDN")


-loggingLevel = "ERROR"
-#loggingLevel = "DEBUG"
+# 2020-01-23: @georgejhunt explained that "ERROR" does not log enough details.
+# So we're changing IIAB's default to "DEBUG", til Captive Portal proves solid.
+#loggingLevel = "ERROR"
+loggingLevel = "DEBUG"
 if len(sys.argv) > 1:
   if sys.argv[1] == '-l':
      loggingLevel = "DEBUG"
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@ -1,12 +1,22 @@
+# 2020-01-23 TO DO / Questions:
+# - Validate input vars apache_install & apache_enabled here.
+#   - Use as nec, with 'when: apache_installed is undefined'
+# - Encapsulate all 3 tasks below into httpd/roles/install.yml ?
+# - Similarly sanity-check httpd/roles/enable.yml...
+#   - Verify that 9-local-addons/tasks/main.yml's invocation of
+#     roles/httpd/tasks/enable.yml (via roles/httpd-enable/tasks/main.yml, if
+#     apache_enabled is True) does the right thing!
+#   - And that we really don't want to invoke it hereunder?
+# - Save relevant apache_* vars to /etc/iiab/iiab.ini
+
 - include_tasks: install.yml
-  #tags: base
-
 - include_tasks: html.yml
-  #tags: base

-# Partially fixes search @ http://box/modules/es-wikihow (on RPi anyway) see https://github.com/iiab/iiab/issues/829
- include_tasks: php-stem.yml
-  #tags: base
+# 2018-07-18: Partially fixes search @ http://box/modules/es-wikihow (on RPi
+# anyway) https://github.com/iiab/iiab/issues/829 & PR #925
+# 2020-01-23: Deprecated as @tim-moody's attempt to revive this for PHP 7.3
+# instead of 7.0 failed: https://github.com/iiab/iiab/issues/2123
+#- include_tasks: php-stem.yml

 - name: Install /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (Script can be run manually and/or at the end of Stage 4 = roles/4-server-options/tasks/main.yml)
  template:
--- a/roles/httpd/tasks/php-stem.yml.deprecated
+++ b/roles/httpd/tasks/php-stem.yml.deprecated
--- a/roles/munin/tasks/apache.yml
+++ b/roles/munin/tasks/apache.yml
@ -0,0 +1,12 @@
+- name: Enable http://box/munin via Apache
+  command: a2ensite munin24.conf
+  when: munin_enabled
+
+- name: Disable http://box/munin via Apache
+  command: a2dissite munin24.conf
+  when: not munin_enabled
+
+- name: Restart '{{ apache_service }}' systemd service
+  systemd:
+    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
+    state: restarted
--- a/roles/munin/tasks/enable-or-disable.yml
+++ b/roles/munin/tasks/enable-or-disable.yml
@ -1,50 +0,0 @@
- name: Enable & Start 'munin-node' systemd service
-  systemd:
-    name: munin-node
-    daemon_reload: yes
-    enabled: yes
-    state: started
-  when: munin_enabled | bool
-
- name: Disable 'munin-node' systemd service
-  systemd:
-    name: munin-node
-    enabled: no
-    state: stopped
-  when: not munin_enabled
-
-# Apache
-
- name: Enable http://box/munin via Apache
-  command: a2ensite munin24.conf
-  when: apache_install and munin_enabled    # and not nginx_enabled
-
- name: Disable http://box/munin via Apache
-  command: a2dissite munin24.conf
-  when: apache_install and not munin_enabled    # or nginx_enabled
-
- name: Restart Apache systemd service ({{ apache_service }})
-  systemd:
-    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
-    state: restarted
-  when: apache_install and apache_enabled
-
-# NGINX
-
- name: Enable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf from template
-  template:
-    src: munin24-nginx.conf.j2
-    dest: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
-  when: munin_enabled    # and nginx_enabled
-
- name: Disable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf
-  file:
-    path: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
-    state: absent
-  when: not munin_enabled
-
- name: Restart 'nginx' systemd service
-  systemd:
-    name: nginx
-    state: restarted
-  # when: nginx_enabled | bool
--- a/roles/munin/tasks/main.yml
+++ b/roles/munin/tasks/main.yml
@ -2,7 +2,7 @@
 # I want to perform input validation for Ansible playbooks"
 # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499

-# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
 # to re-check whether vars are defined here.  As Ansible vars cannot be unset:
 # https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible

@ -11,23 +11,42 @@
    that: munin_install is sameas true
    fail_msg: "PLEASE SET 'munin_install: True' e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: munin_install is defined and munin_install is sameas true
-    #success_msg: munin_install is defined and munin_install is sameas true

 - name: Assert that "munin_enabled | type_debug == 'bool'" (boolean not string etc)
  assert:
    that: munin_enabled | type_debug == 'bool'
    fail_msg: "PLEASE GIVE VARIABLE 'munin_enabled' A PROPER (UNQUOTED) BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: munin_enabled is defined and munin_enabled | type_debug == 'bool'
-    #success_msg: munin_enabled is defined and munin_enabled | type_debug == 'bool'
+

 - name: Install Munin if 'munin_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: munin_installed is undefined

- name: Enable or Disable Munin
-  include_tasks: enable-or-disable.yml
+
+- name: Enable & Start 'munin-node' systemd service
+  systemd:
+    name: munin-node
+    daemon_reload: yes
+    enabled: yes
+    state: started
+  when: munin_enabled | bool
+
+- name: Disable & Stop 'munin-node' systemd service
+  systemd:
+    name: munin-node
+    enabled: no
+    state: stopped
+  when: not munin_enabled
+
+- name: Enable/Disable/Restart Apache if primary
+  include_tasks: apache.yml
+  when: not nginx_enabled
+
+- name: Enable/Disable/Restart NGINX if primary
+  include_tasks: nginx.yml
+  when: nginx_enabled | bool
+

 - name: Add 'munin' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/munin/tasks/nginx.yml
+++ b/roles/munin/tasks/nginx.yml
@ -0,0 +1,16 @@
+- name: Enable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf from template
+  template:
+    src: munin24-nginx.conf.j2
+    dest: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
+  when: munin_enabled
+
+- name: Disable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf
+  file:
+    path: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
+    state: absent
+  when: not munin_enabled
+
+- name: Restart 'nginx' systemd service
+  systemd:
+    name: nginx
+    state: restarted
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@ -1,3 +1,10 @@
+# TO DO:
+# - Validate input vars mysql_install & mysql_enabled
+# - Put ~12 stanzas just below into install.yml
+#   - Triggered by... 'when: mysql_installed is undefined'
+#   - Eliminate stale Fedora/CentOS code & gratuitous when: is_debuntu clauses?
+# - Consider putting ~8 stanzas below that into enable.yml or similar?
+
 - name: 'Install MySQL packages: mariadb-server, mariadb-client, and 8 php packages (debuntu)'
  package:
    name:
@ -15,17 +22,18 @@
    state: present
  when: is_debuntu | bool

- name: Install php{{ php_version }}-xml (ubuntu or debian 9+)
+- name: Install package 'php{{ php_version }}-xml' (debuntu)    # WAS: (ubuntu or debian 9+)
  package:
    name: "php{{ php_version }}-xml"
    state: present
-  when: is_ubuntu or (is_debian and not is_debian_8)
+  when: is_debuntu | bool
+  #when: is_ubuntu or (is_debian and not is_debian_8)

- name: Install php-xml-parser (debian-8)
-  package:
-    name: php-xml-parser
-    state: present
-  when: is_debian_8 | bool
+#- name: Install php-xml-parser (debian-8)
+#  package:
+#    name: php-xml-parser
+#    state: present
+#  when: is_debian_8 | bool

 - name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)"
  package:
@ -106,6 +114,12 @@
    # line: "TimeoutStartSec=180"
  when: mariadb_unit_file.stat.exists

+- name: "Add 'mysql_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^mysql_installed'
+    line: 'mysql_installed: True'
+

 # Name of MySQL service varies by OS, so hardcoded in /opt/iiab/iiab/vars/<OS>.yml (formerly in roles/0-init/tasks/main.yml)
 - name: Enable & Start MySQL systemd service ({{ mysql_service }}) if mysql_enabled
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -1,34 +1,41 @@
 ### Transition to NGINX

-1. Initial testing strategy is to move NGINX to port 80, and proxy everything to Apache on port 8090 -- creating a shim.
+1. Initial testing strategy is to move NGINX to port 80, and proxy everything to Apache on port 8090 &mdash; creating "Shims" for each IIAB App/Service in *Section iii.* below.
+
+   Until "Native" NGINX is later implemented for that IIAB App/Service &mdash; allowing it to move up to *Section ii.* below.
+
+   And potentially later moving it up to *Section i.* if its Apache support is dropped!

 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.

-3. Current state (2020-01-12).
+3. Current state IIAB App/Service migrations as of 2020-01-23...

-   1. Principal functions migrated to NGINX
+   1. These support "Native" NGINX but ***NOT*** Apache
      * Admin Console
-      * kalite -- goes directly to ports 8006-8008
-      * mediawiki
+      * captiveportal
      * osm-vector-maps
+      * RACHEL-like modules
      * usb-lib
-      * wordpress

-   2. Dual support, see [roles/nginx/tasks/only_nginx.yml](tasks/only_nginx.yml)
-      * awstats ([#2124](https://github.com/iiab/iiab/issues/2124))
+   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service.  But if you want to attempt their "Shim" proxying legacy testing mode, [auto-enable Apache](../0-init/tasks/main.yml#L40-L44) by setting `nginx_enabled: False` in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F)
+      * awstats
      * calibre-web
      * gitea
-      * kiwix -- goes directly to port 3000
+      * kiwix
      * kolibri
+      * mediawiki
+      * munin
      * sugarizer
+      * wordpress

-   3. Still proxied to Apache, see [roles/0-init/tasks/main.yml#L108-L112](../0-init/tasks/main.yml#L108-L112) & [roles/nginx/tasks/uses_apache.yml](tasks/uses_apache.yml)
+   3. These support Apache but ***NOT*** "Native" NGINX.  These use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/0-init/tasks/main.yml#L40-L44](../0-init/tasks/main.yml#L40-L44) for a list of these IIAB Apps/Services, that auto-enable Apache.
      * dokuwiki ([#2056](https://github.com/iiab/iiab/issues/2056))
      * elgg
      * lokole
      * moodle
-      * nodered
      * nextcloud ([PR #2119](https://github.com/iiab/iiab/pull/2119))
+      * nodered

-   4. Not yet dealt with
-      * internetarchive ([PR #2120](https://github.com/iiab/iiab/pull/2120))
+   4. Not Yet Dealt With!
+      * internetarchive (menu goes directly to port 4244, [PR #2120](https://github.com/iiab/iiab/pull/2120))
+      * kalite (menu goes directly to ports 8006-8008)
--- a/roles/nodejs/tasks/main.yml
+++ b/roles/nodejs/tasks/main.yml
@ -148,3 +148,10 @@

 # 2019-03-29: Debian 10 Buster & Ubuntu 19.04 pre-releases made the jump
 # thankfully; currently both offer Node.js 10.15.2
+
+
+- name: "Add 'nodejs_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^nodejs_installed'
+    line: 'nodejs_installed: True'
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@ -1,9 +1,8 @@
-# TO DO: WRAP 10 OR 11 STANZAS BELOW (and saving vars to iiab_ini_file at
-# bottom) INTO install.yml, somehow conditioned by...
-# when: openvpn_install | bool
+# TO DO: WRAP 11 OR 12 STANZAS BELOW INTO install.yml, conditioned by...
+# 'when: openvpn_installed is undefined'
 #
-# BEWARE: 11th stanza (ssh pubkey deletions) is already conditioned by...
-# when: not openvpn_install
+# BEWARE: 4th stanza (ssh pubkey deletions) is already conditioned by...
+# 'when: not openvpn_install' (revise?)

 - name: Install OpenVPN and Nmap packages
  package:
@ -84,30 +83,37 @@
    dest: /usr/bin/
    mode: '0755'

- name: Create iiab-support-on (symlink to iiab-support for now)
+- name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-support
  file:
    src: /usr/bin/iiab-support
    path: /usr/bin/iiab-support-on
    state: link

- name: Create iiab-support-off (symlink to iiab-remote-off for now)
+- name: Symlink /usr/bin/iiab-support-off -> /usr/bin/iiab-remote-off
  file:
    src: /usr/bin/iiab-remote-off
    path: /usr/bin/iiab-support-off
    state: link

- name: Create iiab-vpn-on (symlink to iiab-remote-on for now)
+- name: Symlink /usr/bin/iiab-vpn-on -> /usr/bin/iiab-remote-on
  file:
    src: /usr/bin/iiab-remote-on
    path: /usr/bin/iiab-vpn-on
    state: link

- name: Create iiab-vpn-off (symlink to iiab-remote-off for now)
+- name: Symlink /usr/bin/iiab-vpn-off -> /usr/bin/iiab-remote-off
  file:
    src: /usr/bin/iiab-remote-off
    path: /usr/bin/iiab-vpn-off
    state: link

+- name: "Add 'openvpn_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^openvpn_installed'
+    line: 'openvpn_installed: True'
+
+
 # TO DO: WRAP COMMENTS + 4 ACTIVE STANZAS BELOW INTO enable.yml...

 # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
@ -147,7 +153,7 @@
 #    /lib/systemd/systemd-sysv-install  sets /etc/rc*.d/S|K01openvpn
 #                                       e.g. when "systemctl enable openvpn"

- name: Enable & (Re)Start PARENT service openvpn, which (re)starts CHILD service openvpn@xscenet (& actual tunnel)
+- name: Enable & (Re)Start PARENT 'openvpn' system service, which (re)starts CHILD service 'openvpn@xscenet' (& actual tunnel)
  systemd:
    name: openvpn
    daemon_reload: yes
@ -171,7 +177,7 @@
    state: absent
  when: not openvpn_enabled or not openvpn_cron_enabled

- name: Disable & Stop PARENT service openvpn, which stops CHILD service openvpn@xscenet (& actual tunnel)
+- name: Disable & Stop PARENT 'openvpn' system service, which stops CHILD service 'openvpn@xscenet' (& actual tunnel)
  systemd:
    name: openvpn
    enabled: no
@ -191,6 +197,7 @@
 #  ignore_errors: True
 #  when: not openvpn_enabled and not installing

+
 - name: Add 'openvpn' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/phpmyadmin/tasks/main.yml
+++ b/roles/phpmyadmin/tasks/main.yml
@ -3,7 +3,6 @@
    url: "{{ iiab_download_url }}/{{ phpmyadmin_name_zip }}"
    dest: "{{ downloads_dir }}"
    timeout: "{{ download_timeout }}"
-  #register: phpmyadmin_dl_output
  when: internet_available | bool

 - name: Does {{ downloads_dir }}/{{ phpmyadmin_name_zip }} exist?    # e.g. /opt/iiab/downloads/phpMyAdmin-4.8.3-all-languages.zip
@ -16,20 +15,20 @@
    msg: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }} is REQUIRED in order to install phpMyAdmin."
  when: not phpmyadmin_dl.stat.exists

- name: Unzip to permanent location /opt/{{ phpmyadmin_name }}
+- name: Unzip to permanent location /opt/{{ phpmyadmin_name }}, owned by {{ apache_user }}
  unarchive:
    src: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}"
    dest: /opt
    owner: "{{ apache_user }}"

- name: Create symlink from /opt/phpmyadmin to {{ phpmyadmin_name }}
+- name: Symlink /opt/phpmyadmin -> {{ phpmyadmin_name }}
  file:
    src: "{{ phpmyadmin_name }}"
    path: /opt/phpmyadmin
-    owner: "{{ apache_user }}"
+    owner: "{{ apache_user }}"    # Some Linux's ignore symlink owners?
    state: link

- name: Install /opt/phpmyadmin/config.inc.php from template
+- name: Install /opt/phpmyadmin/config.inc.php owned by {{ apache_user }}, from template
  template:
    src: config.inc.php
    dest: /opt/phpmyadmin/config.inc.php
@ -46,6 +45,13 @@
 #   #  recurse: yes
 #   #  state: directory

+- name: "Add 'phpmyadmin_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^phpmyadmin_installed'
+    line: 'phpmyadmin_installed: True'
+
+
 - name: Install /etc/{{ apache_config_dir }}/phpmyadmin.conf from template, if phpmyadmin_enabled
  template:
    src: phpmyadmin.j2
@ -65,6 +71,7 @@
    state: absent
  when: not phpmyadmin_enabled and is_debuntu

+
 - name: Add 'phpmyadmin' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@ -1,30 +1,32 @@
- name: Install postgresql package
+# TO DO:
+# - Validate input vars postgresql_install & postgresql_enabled
+# - Put ~12 stanzas just below into install.yml
+#   - Triggered by... 'when: postgresql_installed is undefined'
+
+- name: Install 'postgresql' package
  package:
    name: postgresql
    state: present
-  #tags: download

- name: Install postgresql-client (debuntu)
+- name: Install 'postgresql-client' package (debuntu)
  package:
    name: postgresql-client
    state: present
  when: is_debuntu | bool
-  #tags: download

- name: Install postgresql-server (OS's other than debuntu)
+- name: Install 'postgresql-server' package (OS's other than debuntu)
  package:
    name: postgresql-server
    state: present
  when: not is_debuntu
-  #tags: download

 - name: Install /etc/systemd/system/postgresql-iiab.service from template
  template:
    src: postgresql-iiab.service
    dest: /etc/systemd/system/postgresql-iiab.service
-    owner: root
-    group: root
-    mode: '0644'
+    # owner: root
+    # group: root
+    # mode: '0644'

 - name: Create PostgreSQL data dir /library/pgsql-iiab, owned by postgres:postgres
  file:
@ -71,26 +73,32 @@
    group: postgres
    mode: '0640'

-# Probably Not Nec!  Given stanza below does the same.
- name: 'Stop postgresql service: /etc/init.d/postgresql stop (debuntu)'
-  command: "/etc/init.d/postgresql stop"
-  ignore_errors: True
-  when: postgresql_install and is_debuntu
+# Likely No Longer Nec!  Given stanza below does the same...
+#- name: 'Stop postgresql service: /etc/init.d/postgresql stop (debuntu)'
+#  command: "/etc/init.d/postgresql stop"
+#  ignore_errors: True
+#  when: postgresql_install and is_debuntu

- name: Disable stock postgresql service
+- name: Disable & Stop stock 'postgresql' systemd service
  systemd:
    name: postgresql
    state: stopped
    enabled: no

- name: Enable & Start postgresql-iiab systemd service, if postgresql_enabled
+- name: "Add 'postgresql_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^postgresql_installed'
+    line: 'postgresql_installed: True'
+
+- name: Enable & Start 'postgresql-iiab' systemd service, if 'postgresql_enabled'
  systemd:
    name: postgresql-iiab
    state: started
    enabled: yes
  when: postgresql_enabled | bool

- name: Disable postgresql-iiab service, if not postgresql_enabled
+- name: Disable 'postgresql-iiab' systemd service, if not 'postgresql_enabled'
  systemd:
    name: postgresql-iiab
    state: stopped
--- a/roles/transmission/tasks/main.yml
+++ b/roles/transmission/tasks/main.yml
@ -5,15 +5,15 @@
      - transmission-cli
    state: present

- name: Create download dir {{ transmission_download_dir }}, owned by {{ transmission_user }}:{{ transmission_group }}    # /library/transmission
+- name: Create download dir {{ transmission_download_dir }}, owned by {{ transmission_user }}:{{ transmission_group }}
  file:
-    path: "{{ transmission_download_dir }}"
-    owner: "{{ transmission_user }}"
-    group: "{{ transmission_group }}"
-    mode: 0755
+    path: "{{ transmission_download_dir }}"    # /library/transmission
+    owner: "{{ transmission_user }}"    # debian-transmission
+    group: "{{ transmission_group }}"    # root
+    # mode: '0755'
    state: directory

- name: Stop transmission-daemon before modifying its settings
+- name: Stop 'transmission-daemon' systemd service, before modifying its settings
  systemd:
    name: transmission-daemon
    state: stopped
@ -23,11 +23,18 @@
  template:
    src: settings.json.j2
    dest: /etc/transmission-daemon/settings.json
-    mode: 0644
-    owner: "{{ transmission_user }}"
-    group: "{{ transmission_group }}"
+    # mode: '0644'
+    owner: "{{ transmission_user }}"    # debian-transmission
+    group: "{{ transmission_group }}"    # root

- name: Enable & Restart transmission-daemon systemd service, incl daemon-reload
+- name: "Add 'transmission_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^transmission_installed'
+    line: 'transmission_installed: True'
+
+
+- name: Enable & Restart 'transmission-daemon' systemd service, incl daemon-reload
  systemd:
    name: transmission-daemon
    daemon_reload: yes
@ -45,7 +52,7 @@
  when: transmission_enabled and transmission_provision and transmission_kalite_languages is defined and transmission_kalite_languages is not none
  ignore_errors: yes

- name: Disable transmission-daemon service, if not transmission_enabled
+- name: Disable & Stop 'transmission-daemon' service, if not transmission_enabled
  systemd:
    name: transmission-daemon
    daemon_reload: yes
@ -53,6 +60,7 @@
    state: stopped
  when: not transmission_enabled

+
 - name: Add 'transmission' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/vnstat/tasks/main.yml
+++ b/roles/vnstat/tasks/main.yml
@ -19,12 +19,21 @@
  shell: /usr/bin/vnstat -i {{ iiab_lan_iface }}
  when: iiab_lan_iface is defined

- name: Enable & Start vnStat's systemd service
+- name: "Add 'vnstat_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^vnstat_installed'
+    line: 'vnstat_installed: True'
+
+
+- name: Enable & Start vnStat's systemd service (vnstat)
  systemd:
    name: vnstat
    daemon_reload: yes
    enabled: yes
-    state: started
+    state: restarted
+  when: vnstat_enabled | bool
+

 - name: Add 'vnstat' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/wordpress/tasks/apache.yml
+++ b/roles/wordpress/tasks/apache.yml
@ -0,0 +1,12 @@
+- name: Enable http://box{{ wp_url }} via Apache    # http://box/wordpress
+  command: a2ensite wordpress.conf
+  when: wordpress_enabled
+
+- name: Disable http://box{{ wp_url }} via Apache    # http://box/wordpress
+  command: a2dissite wordpress.conf
+  when: not wordpress_enabled
+
+- name: Restart '{{ apache_service }}' systemd service
+  systemd:
+    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
+    state: restarted
--- a/roles/wordpress/tasks/enable-or-disable.yml
+++ b/roles/wordpress/tasks/enable-or-disable.yml
@ -1,35 +0,0 @@
-# Apache
-
- name: Enable http://box{{ wp_url }} via Apache
-  command: a2ensite wordpress.conf
-  when: apache_install and wordpress_enabled
-
- name: Disable http://box{{ wp_url }} via Apache
-  command: a2dissite wordpress.conf
-  when: apache_install and not wordpress_enabled
-
- name: Restart Apache systemd service ({{ apache_service }})
-  systemd:
-    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
-    state: restarted
-  when: apache_install and apache_enabled
-
-# NGINX
-
- name: Enable http://box{{ wp_url }} via NGINX, by installing {{ nginx_config_dir }}/wordpress-nginx.conf from template
-  template:
-    src: wordpress-nginx.conf.j2
-    dest: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
-  when: wordpress_enabled    # and nginx_enabled
-
- name: Disable http://box{{ wp_url }} via NGINX, by removing {{ nginx_config_dir }}/wordpress-nginx.conf
-  file:
-    path: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
-    state: absent
-  when: not wordpress_enabled
-
- name: Restart 'nginx' systemd service
-  systemd:
-    name: nginx
-    state: restarted
-  #when: nginx_enabled | bool
--- a/roles/wordpress/tasks/main.yml
+++ b/roles/wordpress/tasks/main.yml
@ -4,7 +4,7 @@
 # I want to perform input validation for Ansible playbooks"
 # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499

-# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
 # to re-check whether vars are defined here.  As Ansible vars cannot be unset:
 # https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible

@ -13,16 +13,13 @@
    that: wordpress_install is sameas true
    fail_msg: "PLEASE SET 'wordpress_install: True' e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: wordpress_install is defined and wordpress_install is sameas true
-    #success_msg: wordpress_install is defined and wordpress_install is sameas true

 - name: Assert that "wordpress_enabled | type_debug == 'bool'" (boolean not string etc)
  assert:
    that: wordpress_enabled | type_debug == 'bool'
    fail_msg: "PLEASE GIVE VARIABLE 'wordpress_enabled' A PROPER (UNQUOTED) BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool'
-    #success_msg: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool'
+

 - name: Provision MySQL DB for WordPress, if 'wordpress_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: setup.yml
@ -32,8 +29,15 @@
  include_tasks: install.yml
  when: wordpress_installed is undefined

- name: Enable or Disable WordPress
-  include_tasks: enable-or-disable.yml
+
+- name: Enable/Disable/Restart Apache if primary
+  include_tasks: apache.yml
+  when: not nginx_enabled
+
+- name: Enable/Disable/Restart NGINX if primary
+  include_tasks: nginx.yml
+  when: nginx_enabled | bool
+

 - name: Add 'wordpress' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/wordpress/tasks/nginx.yml
+++ b/roles/wordpress/tasks/nginx.yml
@ -0,0 +1,16 @@
+- name: Enable http://box{{ wp_url }} via NGINX, by installing {{ nginx_config_dir }}/wordpress-nginx.conf from template
+  template:
+    src: wordpress-nginx.conf.j2
+    dest: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
+  when: wordpress_enabled
+
+- name: Disable http://box{{ wp_url }} via NGINX, by removing {{ nginx_config_dir }}/wordpress-nginx.conf
+  file:
+    path: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
+    state: absent
+  when: not wordpress_enabled
+
+- name: Restart 'nginx' systemd service
+  systemd:
+    name: nginx
+    state: restarted
--- a/2
+++ b/2
@ -64,6 +64,8 @@ if [ "$REINSTALL" == "1" ]; then
    if [ ! $1 == "internetarchive" ]; then # special handling
        if [ $1 == "calibre-web" ]; then # role directory & installed marker differ
            sed -i -e '/^calibreweb/d' $IIAB_STATE_FILE
+        elif [ $1 == "httpd" ]; then # role directory & installed marker differ
+            sed -i -e '/^apache/d' $IIAB_STATE_FILE
        elif [ $1 == "osm-vector-maps" ]; then # role directory & installed marker differ
            sed -i -e '/^osm_vector_maps/d' $IIAB_STATE_FILE
        #elif [ $1 == "bluetooth" ]; then # role directory & installed marker differ