Merge pull request #357 from iiab/master

sync from iiab:master
2025-03-09 15:40:17 +00:00 · 2020-01-24 01:05:07 -05:00 · 2020-01-24 01:05:07 -05:00 · a435388996
commit a435388996
parent 395ff1b3a5 9d4dd4c4fd
40 changed files with 407 additions and 326 deletions
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -33,10 +33,28 @@
  setup:
    filter: ansible_local
-# 2020-01-21: checks 46+46 vars...for now...expect validate_vars.yml to change!
+- name: Pre-check that IIAB's "XYZ_install" + "XYZ_enabled" vars (1) are defined, (2) are boolean-not-string variables, and (3) contain plausible values.  Also checks that "XYZ_install" is True when "XYZ_installed" is defined.
 - name: Pre-check that IIAB's "XYZ_install" + "XYZ_enabled" vars (1) are defined, (2) are boolean-not-string variables, and (3) contain plausible values
  include_tasks: validate_vars.yml
 # SEE: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
 - name: "apache_install is currently '{{ apache_install }}' and apache_enabled is currently '{{ apache_enabled }}'.  Now let's set 'apache_install: True' and 'apache_enabled: True' if NGINX is set not to be enabled OR if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install."
  set_fact:
    apache_install: True
    apache_enabled: True
  when: not nginx_enabled or dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install
 #
 #- name: "Verify 'apache_install: True' and 'apache_enabled: True' if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install"
 #  assert:
 #    that: apache_install and apache_enabled or not (dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install)
 #    fail_msg: "PLEASE CONFIRM 'apache_install: True' AND 'apache_enable: True' IF YOU'RE TRYING TO INSTALL ANY OF {dokuwiki, elgg, lokole, moodle, nextcloud, nodered} e.g. IN: /etc/iiab/local_vars.yml"
 #    quiet: yes
 #
 #- name: "Verify 'apache_install: True' and 'apache_enabled: True' if 'nginx_enabled: False' -- e.g. for Apache testing of older playbooks lacking full NGINX support"
 #  assert:
 #    that: apache_install and apache_enabled or nginx_enabled
 #    fail_msg: "PLEASE CONFIRM 'apache_install: True' AND 'apache_enable: True' IF 'nginx_enabled: False' e.g. IN: /etc/iiab/local_vars.yml"
 #    quiet: yes
 - name: Set top-level variables from local_facts for convenience
  set_fact:
    xo_model: "{{ ansible_local.local_facts.xo_model }}"
@ -47,8 +65,8 @@
  set_fact:
    rpi_model: "rpi"
    is_rpi: True
-#      no_net_restart: True
+    #no_net_restart: True
-#      nobridge: True
+    #nobridge: True
  when: ansible_local.local_facts.os == "raspbian"
 - name: Set exFAT_enabled if xo_model != "none"
@ -78,11 +96,11 @@
  get_url:
    url: "{{ iiab_download_url }}/heart-beat.txt"
    dest: /tmp/heart-beat.txt
-    # timeout: "{{ download_timeout }}"
+    #timeout: "{{ download_timeout }}"
    # @jvonau recommends: 100sec is too much (keep 10sec default)
  ignore_errors: True
-# async: 10
+  #async: 10
-# poll: 2
+  #poll: 2
  register: internet_access_test
 - name: Set internet_available if download succeeded and not disregard_network
@ -109,12 +127,6 @@
    gui_port: 443
  when: adm_cons_force_ssl | bool
 # SEE: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
 - name: "Set 'apache_enabled: True' if any of {DokuWiki, Elgg, Lokole, Moodle, Nextcloud, Node-RED} are set to install"
  set_fact:
    apache_enabled: True
  when: dokuwiki_install or elgg_install or lokole_install or moodle_install or nextcloud_install or nodered_install
 - name: Turn on both vars for MySQL (mandatory in Stage 3!)
  set_fact:
    mysql_install: True
@ -123,19 +135,6 @@
 # We decided to enable mysql unconditionally.
 #  when: elgg_enabled or rachel_enabled or owncloud_enabled or phpmyadmin_enabled or wordpress_enabled or iiab_menu_install
 # There might be other db's
 - name: Turn on both vars for PostgreSQL if moodle_enabled or pathagar_enabled
  set_fact:
    postgresql_install: True
    postgresql_enabled: True
  when: moodle_enabled or (pathagar_enabled is defined and pathagar_enabled)
 #- name: Turn on vars for Docker if SchoolTool is to be installed
 #  set_fact:
 #    docker_install: True
 #    docker_enabled: True
 #  when: schooltool_enabled or schooltool_install
 - name: "Set python_path: /lib/python2.7/site-packages/ (redhat)"
  set_fact:
    python_path: /lib/python2.7/site-packages/
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@ -66,26 +66,22 @@
  include_role:
    name: sshd
  # has no "when: XXXXX_install" flag
  #tags: base, sshd
 - name: IIAB-ADMIN
  include_role:
    name: iiab-admin
  # has no "when: XXXXX_install" flag
  #tags: base, iiab-admin
 - name: OPENVPN
  include_role:
    name: openvpn
  when: openvpn_install | bool
  #tags: openvpn
 # for rpi, without rtc, we need time as soon as possible
 - name: Install chrony (an NTP package) especially for RPi's lacking RTC
  package:
    name: chrony
    state: present
  #tags: download
 #TODO: Use regexp filter instead of hard-code ip
 - name: Install /etc/chrony.conf from template
--- a/roles/3-base-server/tasks/main.yml
+++ b/roles/3-base-server/tasks/main.yml
@ -7,13 +7,11 @@
  include_role:
    name: httpd
  when: apache_install | bool
  #tags: base, httpd
 - name: MYSQL
  include_role:
    name: mysql
  when: mysql_install | bool
  #tags: base, mysql
 - name: Install NGINX (configured LATER, in Stage 9-LOCAL-ADDONS)
  include_tasks: roles/nginx/tasks/install.yml
@ -22,7 +20,6 @@
 - name: Install dnsmasq
  include_tasks: roles/network/tasks/dnsmasq.yml
  when: dnsmasq_install | bool
  #tags: base, domain, dnsmasq, network
 - name: Recording STAGE 3 HAS COMPLETED =====================
  lineinfile:
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -8,63 +8,41 @@
 - name: Install named / BIND
  include_tasks: roles/network/tasks/named.yml
  when: named_install | bool
  #tags: base, named, network, domain
 - name: Installing dhcpd
  include_tasks: roles/network/tasks/dhcpd.yml
  when: dhcpd_install | bool
  #tags: base, dhcpd, network, domain
 - name: Install Squid (and DansGuardian if dansguardian_install)
  include_tasks: roles/network/tasks/squid.yml
  when: squid_install | bool
  #tags: base, squid, network, domain
 - name: Install Bluetooth - only on Raspberry Pi
  include_role:
    name: bluetooth
-  when: (is_rpi and bluetooth_install) or bluetooth_installed is defined
+  when: is_rpi and bluetooth_install    # or bluetooth_installed is defined
  #tags: bluetooth
 - name: USB-LIB
  include_role:
    name: usb-lib
  when: usb_lib_install | bool
  #tags: usb-lib
-# NETWORK moved to the very end, after Stage 9 (9-LOCAL-ADDONS)
+# This is in Stage 4-SERVER-OPTIONS (rather than 3-BASE-SERVER) because var
-# It can also be run manually using: cd /opt/iiab/iiab; ./iiab-network
+# iiab_home_url changes, and may need to be re-run in the field/offline/etc.
 #
 #- name: NETWORK
 #  include_role:
 #    name: network
 #  # has no "when: XXXXX_install" flag
 #  tags: base, network
 # MANDATORY SO PERHAPS THIS BELONGS IN 3-BASE-SERVER ?
 - name: HOMEPAGE
  include_role:
    name: homepage
  # has no "when: XXXXX_install" flag
  #tags: base, homepage
 - name: POSTGRESQL
  include_role:
    name: postgresql
  when: postgresql_install | bool
  #tags: postgresql, pathagar, moodle
 - name: CUPS
  include_role:
    name: cups
-  when: cups_install or cups_installed is defined
+  when: cups_install    # or cups_installed is defined
  #tags: cups
 - name: SAMBA
  include_role:
    name: samba
-  when: samba_install or samba_installed is defined
+  when: samba_install    # or samba_installed is defined
  #tags: samba
 - name: Run /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (This script was installed at the beginning of Stage 3 = roles/3-base-server/tasks/main.yml, which ran Apache playbook = roles/httpd/tasks/main.yml)
  command: /usr/bin/iiab-refresh-wiki-docs
--- a/roles/5-xo-services/tasks/main.yml
+++ b/roles/5-xo-services/tasks/main.yml
@ -3,24 +3,23 @@
 - name: ...IS BEGINNING =====================================
  command: echo
 # UNMAINTAINED
 - name: ACTIVITY-SERVER
  include_role:
    name: activity-server
-  when: activity_server_install | bool
+  when: activity_server_install is defined and activity_server_install
  #tags: olpc, activity-server
 # UNMAINTAINED
 - name: EJABBERD_XS
  include_role:
    name: ejabberd_xs
-  when: ejabberd_xs_install | bool
+  when: ejabberd_xs_install is defined and ejabberd_xs_install
  #tags: olpc, ejabberd-xs
 # UNMAINTAINED
 - name: IDMGR
  include_role:
    name: idmgr
-  when: idmgr_install | bool
+  when: idmgr_install is defined and idmgr_install
  #tags: olpc, idmgr
 - name: Recording STAGE 5 HAS COMPLETED =====================
  lineinfile:
--- a/roles/6-generic-apps/tasks/main.yml
+++ b/roles/6-generic-apps/tasks/main.yml
@ -7,75 +7,63 @@
  include_role:
    name: azuracast
  when: azuracast_install | bool
  #tags: azuracast
 # UNMAINTAINED
 - name: DOKUWIKI
  include_role:
    name: dokuwiki
-  when: dokuwiki_install | bool
+  when: dokuwiki_install is defined and dokuwiki_install
  #tags: dokuwiki
 # UNMAINTAINED
 - name: EJABBERD
  include_role:
    name: ejabberd
-  when: ejabberd_install | bool
+  when: ejabberd_install is defined and ejabberd_install
  #tags: ejabberd
 - name: ELGG
  include_role:
    name: elgg
  when: elgg_install | bool
  #tags: elgg
 - name: GITEA
  include_role:
    name: gitea
  when: gitea_install | bool
  #tags: gitea
 - name: LOKOLE
  include_role:
    name: lokole
  when: lokole_install | bool
  #tags: lokole
 - name: MEDIAWIKI
  include_role:
    name: mediawiki
  when: mediawiki_install | bool
  #tags: mediawiki
 - name: MOSQUITTO
  include_role:
    name: mosquitto
  when: mosquitto_install | bool
  #tags: mosquitto
 - name: NODE-RED
  include_role:
    name: nodered
  when: nodered_install | bool
  #tags: nodered
 - name: NEXTCLOUD
  include_role:
    name: nextcloud
  when: nextcloud_install | bool
  #tags: nextcloud
 - name: PBX
  include_role:
    name: pbx
  when: pbx_install | bool
  #tags: pbx  
 - name: WORDPRESS
  include_role:
    name: wordpress
  when: wordpress_install | bool
  #tags: wordpress
 - name: Recording STAGE 6 HAS COMPLETED ====================
  lineinfile:
--- a/roles/7-edu-apps/tasks/main.yml
+++ b/roles/7-edu-apps/tasks/main.yml
@ -7,51 +7,43 @@
  include_role:
    name: kalite
  when: kalite_install | bool
  #tags: kalite
 - name: KOLIBRI
  include_role:
    name: kolibri
  when: kolibri_install | bool
  #tags: kolibri
 - name: KIWIX
  include_role:
    name: kiwix
  when: kiwix_install | bool
  #tags: kiwix
 - name: MOODLE
  include_role:
    name: moodle
  when: moodle_install | bool
  #tags: olpc, moodle
 - name: OSM-VECTOR-MAPS
  include_role:
    name: osm-vector-maps
  when: osm_vector_maps_install | bool
  #tags: osm, maps
 # UNMAINTAINED
 - name: OSM
  include_role:
    name: osm
  when: osm_install is defined and osm_install
  #tags: osm, maps
 # UNMAINTAINED
 - name: PATHAGAR
  include_role:
    name: pathagar
  when: pathagar_install is defined and pathagar_install
  #tags: pathagar
 - name: SUGARIZER
  include_role:
    name: sugarizer
  when: sugarizer_install | bool
  #tags: sugarizer
 - name: Recording STAGE 7 HAS COMPLETED ========================
  lineinfile:
--- a/roles/8-mgmt-tools/tasks/main.yml
+++ b/roles/8-mgmt-tools/tasks/main.yml
@ -7,37 +7,31 @@
  include_role:
    name: transmission
  when: transmission_install | bool
  #tags: transmission
 - name: AWSTATS
  include_role:
    name: awstats
  when: awstats_install | bool
  #tags: awstats
 - name: MONIT
  include_role:
    name: monit
  when: monit_install | bool
  #tags: monit
 - name: MUNIN
  include_role:
    name: munin
  when: munin_install | bool
  #tags: munin
 - name: PHPMYADMIN
  include_role:
    name: phpmyadmin
  when: phpmyadmin_install | bool
  #tags: phpmyadmin
 - name: VNSTAT
  include_role:
    name: vnstat
  when: vnstat_install | bool
  #tags: vnstat
 - name: Recording STAGE 8 HAS COMPLETED ======================
  lineinfile:
--- a/roles/9-local-addons/tasks/main.yml
+++ b/roles/9-local-addons/tasks/main.yml
@ -7,7 +7,6 @@
  include_role:
    name: internetarchive
  when: internetarchive_install | bool
  #tags: internetarchive
 # Is porting to Python 3 complete, and if so does this belong elsewhere?
 - name: CAPTIVE PORTAL
@ -15,43 +14,41 @@
    name: captiveportal
  #include_tasks: roles/captiveportal/tasks/main.yml
  when: captiveportal_install | bool
  #tags: base, captiveportal, network, domain
 - name: MINETEST
  include_role:
    name: minetest
  when: minetest_install | bool
  #tags: minetest
 # KEEP AT THE END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
  include_role:
    name: calibre
  when: calibre_install | bool
  #tags: calibre
 - name: CALIBRE-WEB
  include_role:
    name: calibre-web
  when: calibreweb_install | bool
  #tags: calibre-web
 # Could split these two below to Stage 10?
- name: Configure NGINX (already installed in Stage 3-BASE-SERVER)
+- name: Fully Enable / Configure NGINX (already installed in Stage 3-BASE-SERVER) if 'nginx_enabled' is True
  # If just CONFIGURING, should we use one of the following instead ??
  # include_tasks: roles/nginx/tasks/setup.yml
  # include_tasks: roles/nginx/tasks/enable.yml
  include_role:
    name: nginx
-  when: nginx_install | bool
+  when: nginx_enabled | bool    # WAS: nginx_install
-  #tags: base, nginx
+# If just CONFIGURING (etc) shouldn't we use one of the following instead ??
 # include_tasks: roles/nginx/tasks/setup.yml
 # include_tasks: roles/nginx/tasks/enable.yml
- name: Configure Apache systemd service ({{ apache_service }})
+- name: Fully Enable / Configure Apache systemd service ({{ apache_service }}) if 'apache_enabled' is True
  include_role:
    name: httpd-enable
-  when: apache_install | bool
+  when: apache_enabled | bool    # WAS: apache_install
-  #tags: base, httpd
+# WARNING THAT APACHE IS AUTO-ENABLED BY THESE ~6 APPS ALONE!
 # https://github.com/holta/iiab/blob/scaff2/roles/0-init/tasks/main.yml#L40-L44
 # Summarized @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
 # 2020-01-23: APACHE FUTURE SUMMARY QUESTIONS @ roles/httpd/tasks/main.yml
 - name: Recording STAGE 9 HAS COMPLETED ====================
  lineinfile:
--- a/roles/captiveportal/tasks/main.yml
+++ b/roles/captiveportal/tasks/main.yml
@ -2,7 +2,7 @@
 # I want to perform input validation for Ansible playbooks"
 # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
-# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
 # to re-check whether vars are defined here.  As Ansible vars cannot be unset:
 # https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
@ -11,24 +11,23 @@
    that: captiveportal_install is sameas true
    fail_msg: "PLEASE SET 'captiveportal_install: True' e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
    #that: captiveportal_install is defined and captiveportal_install is sameas true
    #success_msg: captiveportal_install is defined and captiveportal_install is sameas true
 - name: Assert that "captiveportal_enabled | type_debug == 'bool'" (boolean not string etc)
  assert:
    that: captiveportal_enabled | type_debug == 'bool'
    fail_msg: "PLEASE GIVE VARIABLE 'captiveportal_enabled' A PROPER (UNQUOTED) BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: captiveportal_enabled is defined and captiveportal_enabled | type_debug == 'bool'
+
    #success_msg: captiveportal_enabled is defined and captiveportal_enabled | type_debug == 'bool'
 - name: Install Captive Portal if 'captiveportal_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: captiveportal_installed is undefined
 - name: Enable or Disable Captive Portal	
  include_tasks: enable-or-disable.yml
 - name: Add 'captiveportal' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/captiveportal/templates/capture-wsgi.py.j2
+++ b/roles/captiveportal/templates/capture-wsgi.py.j2
@ -39,8 +39,10 @@ doc_root = get_iiab_env("WWWROOT")
 fully_qualified_domain_name = get_iiab_env("FQDN")
-loggingLevel = "ERROR"
+# 2020-01-23: @georgejhunt explained that "ERROR" does not log enough details.
-#loggingLevel = "DEBUG"
+# So we're changing IIAB's default to "DEBUG", til Captive Portal proves solid.
 #loggingLevel = "ERROR"
 loggingLevel = "DEBUG"
 if len(sys.argv) > 1:
   if sys.argv[1] == '-l':
      loggingLevel = "DEBUG"
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@ -1,12 +1,22 @@
 # 2020-01-23 TO DO / Questions:
 # - Validate input vars apache_install & apache_enabled here.
 #   - Use as nec, with 'when: apache_installed is undefined'
 # - Encapsulate all 3 tasks below into httpd/roles/install.yml ?
 # - Similarly sanity-check httpd/roles/enable.yml...
 #   - Verify that 9-local-addons/tasks/main.yml's invocation of
 #     roles/httpd/tasks/enable.yml (via roles/httpd-enable/tasks/main.yml, if
 #     apache_enabled is True) does the right thing!
 #   - And that we really don't want to invoke it hereunder?
 # - Save relevant apache_* vars to /etc/iiab/iiab.ini
 - include_tasks: install.yml
  #tags: base
 - include_tasks: html.yml
  #tags: base
-# Partially fixes search @ http://box/modules/es-wikihow (on RPi anyway) see https://github.com/iiab/iiab/issues/829
+# 2018-07-18: Partially fixes search @ http://box/modules/es-wikihow (on RPi
- include_tasks: php-stem.yml
+# anyway) https://github.com/iiab/iiab/issues/829 & PR #925
-  #tags: base
+# 2020-01-23: Deprecated as @tim-moody's attempt to revive this for PHP 7.3
 # instead of 7.0 failed: https://github.com/iiab/iiab/issues/2123
 #- include_tasks: php-stem.yml
 - name: Install /usr/bin/iiab-refresh-wiki-docs (scraper script) to create http://box/info offline documentation.  (Script can be run manually and/or at the end of Stage 4 = roles/4-server-options/tasks/main.yml)
  template:
--- a/roles/httpd/tasks/php-stem.yml.deprecated
+++ b/roles/httpd/tasks/php-stem.yml.deprecated
--- a/roles/moodle/tasks/enable.yml
+++ b/roles/moodle/tasks/enable.yml
@ -1,3 +1,18 @@
 - name: Enable 'postgresql-iiab' systemd service, if moodle_enabled
  systemd:
    name: postgresql-iiab
    state: started
    enabled: yes
  when: moodle_enabled
 # if the only service using the backend db disable if not running
 - name: Disable 'postgresql-iiab' systemd service, if not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)
  systemd:
    name: postgresql-iiab
    state: stopped
    enabled: no
  when: not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)
 # Apache
 - name: Enable http://box/moodle via Apache
@ -8,7 +23,7 @@
  command: a2dissite 022-moodle.conf
  when: apache_install and not moodle_enabled
- name: Restart Apache systemd service ({{ apache_service }})
+- name: Restart '{{ apache_service }}' systemd service
  systemd:
    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
    state: restarted
--- a/roles/moodle/tasks/install.yml
+++ b/roles/moodle/tasks/install.yml
@ -1,3 +1,12 @@
 - name: "Set PostgreSQL vars 'postgresql_install: True' and 'postgresql_enabled: True'"
  set_fact:
    postgresql_install: True
    postgresql_enabled: True
 - name: POSTGRESQL - run the 'postgresql' role
  include_role:
    name: postgresql
 - name: "Install packages: python-psycopg2, php-pgsql (OS's other than debuntu)"
  package:
    name:
--- a/roles/munin/tasks/apache.yml
+++ b/roles/munin/tasks/apache.yml
@ -0,0 +1,12 @@
 - name: Enable http://box/munin via Apache
  command: a2ensite munin24.conf
  when: munin_enabled
 - name: Disable http://box/munin via Apache
  command: a2dissite munin24.conf
  when: not munin_enabled
 - name: Restart '{{ apache_service }}' systemd service
  systemd:
    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
    state: restarted
--- a/roles/munin/tasks/enable-or-disable.yml
+++ b/roles/munin/tasks/enable-or-disable.yml
@ -1,50 +0,0 @@
 - name: Enable & Start 'munin-node' systemd service
  systemd:
    name: munin-node
    daemon_reload: yes
    enabled: yes
    state: started
  when: munin_enabled | bool
 - name: Disable 'munin-node' systemd service
  systemd:
    name: munin-node
    enabled: no
    state: stopped
  when: not munin_enabled
 # Apache
 - name: Enable http://box/munin via Apache
  command: a2ensite munin24.conf
  when: apache_install and munin_enabled    # and not nginx_enabled
 - name: Disable http://box/munin via Apache
  command: a2dissite munin24.conf
  when: apache_install and not munin_enabled    # or nginx_enabled
 - name: Restart Apache systemd service ({{ apache_service }})
  systemd:
    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
    state: restarted
  when: apache_install and apache_enabled
 # NGINX
 - name: Enable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf from template
  template:
    src: munin24-nginx.conf.j2
    dest: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
  when: munin_enabled    # and nginx_enabled
 - name: Disable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf
  file:
    path: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
    state: absent
  when: not munin_enabled
 - name: Restart 'nginx' systemd service
  systemd:
    name: nginx
    state: restarted
  # when: nginx_enabled | bool
--- a/roles/munin/tasks/main.yml
+++ b/roles/munin/tasks/main.yml
@ -2,7 +2,7 @@
 # I want to perform input validation for Ansible playbooks"
 # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
-# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
 # to re-check whether vars are defined here.  As Ansible vars cannot be unset:
 # https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
@ -11,23 +11,42 @@
    that: munin_install is sameas true
    fail_msg: "PLEASE SET 'munin_install: True' e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
    #that: munin_install is defined and munin_install is sameas true
    #success_msg: munin_install is defined and munin_install is sameas true
 - name: Assert that "munin_enabled | type_debug == 'bool'" (boolean not string etc)
  assert:
    that: munin_enabled | type_debug == 'bool'
    fail_msg: "PLEASE GIVE VARIABLE 'munin_enabled' A PROPER (UNQUOTED) BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: munin_enabled is defined and munin_enabled | type_debug == 'bool'
+
    #success_msg: munin_enabled is defined and munin_enabled | type_debug == 'bool'
 - name: Install Munin if 'munin_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: munin_installed is undefined
- name: Enable or Disable Munin
+
-  include_tasks: enable-or-disable.yml
+- name: Enable & Start 'munin-node' systemd service
  systemd:
    name: munin-node
    daemon_reload: yes
    enabled: yes
    state: started
  when: munin_enabled | bool
 - name: Disable & Stop 'munin-node' systemd service
  systemd:
    name: munin-node
    enabled: no
    state: stopped
  when: not munin_enabled
 - name: Enable/Disable/Restart Apache if primary
  include_tasks: apache.yml
  when: not nginx_enabled
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
  when: nginx_enabled | bool
 - name: Add 'munin' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/munin/tasks/nginx.yml
+++ b/roles/munin/tasks/nginx.yml
@ -0,0 +1,16 @@
 - name: Enable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf from template
  template:
    src: munin24-nginx.conf.j2
    dest: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
  when: munin_enabled
 - name: Disable http://box/munin via NGINX, by installing {{ nginx_config_dir }}/munin24-nginx.conf
  file:
    path: "{{ nginx_config_dir }}/munin24-nginx.conf"    # /etc/nginx/conf.d
    state: absent
  when: not munin_enabled
 - name: Restart 'nginx' systemd service
  systemd:
    name: nginx
    state: restarted
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@ -1,3 +1,10 @@
 # TO DO:
 # - Validate input vars mysql_install & mysql_enabled
 # - Put ~12 stanzas just below into install.yml
 #   - Triggered by... 'when: mysql_installed is undefined'
 #   - Eliminate stale Fedora/CentOS code & gratuitous when: is_debuntu clauses?
 # - Consider putting ~8 stanzas below that into enable.yml or similar?
 - name: 'Install MySQL packages: mariadb-server, mariadb-client, and 8 php packages (debuntu)'
  package:
    name:
@ -14,19 +21,19 @@
      - php{{ php_version }}-xmlrpc
    state: present
  when: is_debuntu | bool
  #tags: download
- name: Install php{{ php_version }}-xml (ubuntu or debian 9+)
+- name: Install package 'php{{ php_version }}-xml' (debuntu)    # WAS: (ubuntu or debian 9+)
  package:
    name: "php{{ php_version }}-xml"
    state: present
-  when: is_ubuntu or (is_debian and not is_debian_8)
+  when: is_debuntu | bool
  #when: is_ubuntu or (is_debian and not is_debian_8)
- name: Install php-xml-parser (debian-8)
+#- name: Install php-xml-parser (debian-8)
-  package:
+#  package:
-    name: php-xml-parser
+#    name: php-xml-parser
-    state: present
+#    state: present
-  when: is_debian_8 | bool
+#  when: is_debian_8 | bool
 - name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)"
  package:
@ -44,15 +51,12 @@
      - php-xmlrpc
    state: present
  when: not is_debuntu
  #tags: download
 - include_tasks: centos.yml
  when: ansible_distribution == "CentOS"
  #tags: download
 - include_tasks: fedora.yml
  when: ansible_distribution == "Fedora"
  #tags: download
 # 2019-07-03 @jvonau @holta: the next 50 lines (6 stanzas) double MariaDB's
@ -110,6 +114,12 @@
    # line: "TimeoutStartSec=180"
  when: mariadb_unit_file.stat.exists
 - name: "Add 'mysql_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^mysql_installed'
    line: 'mysql_installed: True'
 # Name of MySQL service varies by OS, so hardcoded in /opt/iiab/iiab/vars/<OS>.yml (formerly in roles/0-init/tasks/main.yml)
 - name: Enable & Start MySQL systemd service ({{ mysql_service }}) if mysql_enabled
@ -178,6 +188,7 @@
    state: stopped
  when: not mysql_enabled
 - name: Add 'mysql' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -1,34 +1,41 @@
 ### Transition to NGINX
-1. Initial testing strategy is to move NGINX to port 80, and proxy everything to Apache on port 8090 -- creating a shim.
+1. Initial testing strategy is to move NGINX to port 80, and proxy everything to Apache on port 8090 &mdash; creating "Shims" for each IIAB App/Service in *Section iii.* below.
   Until "Native" NGINX is later implemented for that IIAB App/Service &mdash; allowing it to move up to *Section ii.* below.
   And potentially later moving it up to *Section i.* if its Apache support is dropped!
 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
-3. Current state (2020-01-12).
+3. Current state IIAB App/Service migrations as of 2020-01-23...
-   1. Principal functions migrated to NGINX
+   1. These support "Native" NGINX but ***NOT*** Apache
      * Admin Console
-      * kalite -- goes directly to ports 8006-8008
+      * captiveportal
      * mediawiki
      * osm-vector-maps
      * RACHEL-like modules
      * usb-lib
      * wordpress
-   2. Dual support, see [roles/nginx/tasks/only_nginx.yml](tasks/only_nginx.yml)
+   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service.  But if you want to attempt their "Shim" proxying legacy testing mode, [auto-enable Apache](../0-init/tasks/main.yml#L40-L44) by setting `nginx_enabled: False` in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F)
-      * awstats ([#2124](https://github.com/iiab/iiab/issues/2124))
+      * awstats
      * calibre-web
      * gitea
-      * kiwix -- goes directly to port 3000
+      * kiwix
      * kolibri
      * mediawiki
      * munin
      * sugarizer
      * wordpress
-   3. Still proxied to Apache, see [roles/0-init/tasks/main.yml#L108-L112](../0-init/tasks/main.yml#L108-L112) & [roles/nginx/tasks/uses_apache.yml](tasks/uses_apache.yml)
+   3. These support Apache but ***NOT*** "Native" NGINX.  These use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/0-init/tasks/main.yml#L40-L44](../0-init/tasks/main.yml#L40-L44) for a list of these IIAB Apps/Services, that auto-enable Apache.
      * dokuwiki ([#2056](https://github.com/iiab/iiab/issues/2056))
      * elgg
      * lokole
      * moodle
      * nodered
      * nextcloud ([PR #2119](https://github.com/iiab/iiab/pull/2119))
      * nodered
-   4. Not yet dealt with
+   4. Not Yet Dealt With!
-      * internetarchive ([PR #2120](https://github.com/iiab/iiab/pull/2120))
+      * internetarchive (menu goes directly to port 4244, [PR #2120](https://github.com/iiab/iiab/pull/2120))
      * kalite (menu goes directly to ports 8006-8008)
--- a/roles/nodejs/tasks/main.yml
+++ b/roles/nodejs/tasks/main.yml
@ -41,13 +41,22 @@
 #      /etc/iiab/local_vars.yml -- then re-run this IIAB installer.
 #  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stderr == ""
 # Forces < 12 or > 12 to be removed, ignored if file is absent
 - name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }}
  file:
    state: absent
    path: /etc/apt/sources.list.d/nodesource.list
  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
 # BRUTAL but ensures consistency across OS's / distros like Raspbian Desktop & Ubermix that often include an older version of Node.js
 # Forces < 12 or > 12 to be uninstalled
 - name: ASK apt/yum/dnf TO REMOVE PRE-EXISTING Node.js {{ nodejs_version_installed.stdout }} (IF IT'S NOT {{ nodejs_version }})
  package:
    name: nodejs
    state: absent
  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
 # Forces == 12
 - name: Warn if Node.js {{ nodejs_version}} already installed & might be updated
  debug:
    msg: "WARN: YOUR Node.js {{ nodejs_version }} MIGHT NOW BE UPDATED USING nodesource.com"
@ -79,6 +88,7 @@
 # 19.04 Beta.  Comment it out for now, and manually run: "apt install npm" then
 # "npm install -g npm@latest" (all *SHOULD* be magically fixed by 2019-04-18 ?)
 # Forces update
 - name: Install latest Node.js {{ nodejs_version }} which includes /usr/bin/npm (debuntu)
  package:
    #name: nodejs={{ nodejs_version }}
@ -138,3 +148,10 @@
 # 2019-03-29: Debian 10 Buster & Ubuntu 19.04 pre-releases made the jump
 # thankfully; currently both offer Node.js 10.15.2
 - name: "Add 'nodejs_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^nodejs_installed'
    line: 'nodejs_installed: True'
--- a/roles/nodered/meta/main.yml
+++ b/roles/nodered/meta/main.yml
@ -1,2 +0,0 @@
 dependencies:
     - { role: nodejs, tags: ['nodejs'], when: nodered_install | bool }
--- a/roles/nodered/tasks/install.yml
+++ b/roles/nodered/tasks/install.yml
@ -1,5 +1,10 @@
 # 2019-01-16: @jvonau's PR #1403 moved installation of Node.js (8.x for now) &
-# npm to roles/nodejs/tasks/main.yml, triggered by roles/nodered/meta/main.yml
+# npm to roles/nodejs/tasks/main.yml
 - name: NODEJS - run the 'nodejs' role
  include_role:
    name: nodejs
 # 2020-01-04 no longer triggered by roles/nodered/meta/main.yml
 # BRUTAL but ensures consistency across OS's / distros like Raspbian Desktop &
 # Ubermix that often include an older version of Node-RED.  Brutal, as this
@ -75,7 +80,7 @@
 - name: Install /etc/systemd/system/nodered.service systemd unit file from template
  template:
-    backup: yes
+    backup: no
    src: nodered.service.j2
    dest: /etc/systemd/system/nodered.service
    # mode: '0666'
--- a/roles/openvpn/tasks/main.yml
+++ b/roles/openvpn/tasks/main.yml
@ -1,9 +1,8 @@
-# TO DO: WRAP 10 OR 11 STANZAS BELOW (and saving vars to iiab_ini_file at
+# TO DO: WRAP 11 OR 12 STANZAS BELOW INTO install.yml, conditioned by...
-# bottom) INTO install.yml, somehow conditioned by...
+# 'when: openvpn_installed is undefined'
 # when: openvpn_install | bool
 #
-# BEWARE: 11th stanza (ssh pubkey deletions) is already conditioned by...
+# BEWARE: 4th stanza (ssh pubkey deletions) is already conditioned by...
-# when: not openvpn_install
+# 'when: not openvpn_install' (revise?)
 - name: Install OpenVPN and Nmap packages
  package:
@ -84,30 +83,37 @@
    dest: /usr/bin/
    mode: '0755'
- name: Create iiab-support-on (symlink to iiab-support for now)
+- name: Symlink /usr/bin/iiab-support-on -> /usr/bin/iiab-support
  file:
    src: /usr/bin/iiab-support
    path: /usr/bin/iiab-support-on
    state: link
- name: Create iiab-support-off (symlink to iiab-remote-off for now)
+- name: Symlink /usr/bin/iiab-support-off -> /usr/bin/iiab-remote-off
  file:
    src: /usr/bin/iiab-remote-off
    path: /usr/bin/iiab-support-off
    state: link
- name: Create iiab-vpn-on (symlink to iiab-remote-on for now)
+- name: Symlink /usr/bin/iiab-vpn-on -> /usr/bin/iiab-remote-on
  file:
    src: /usr/bin/iiab-remote-on
    path: /usr/bin/iiab-vpn-on
    state: link
- name: Create iiab-vpn-off (symlink to iiab-remote-off for now)
+- name: Symlink /usr/bin/iiab-vpn-off -> /usr/bin/iiab-remote-off
  file:
    src: /usr/bin/iiab-remote-off
    path: /usr/bin/iiab-vpn-off
    state: link
 - name: "Add 'openvpn_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^openvpn_installed'
    line: 'openvpn_installed: True'
 # TO DO: WRAP COMMENTS + 4 ACTIVE STANZAS BELOW INTO enable.yml...
 # FIXED SOMETIME PRIOR TO AUGUST 2018: earlier versions of Ansible had not
@ -147,7 +153,7 @@
 #    /lib/systemd/systemd-sysv-install  sets /etc/rc*.d/S|K01openvpn
 #                                       e.g. when "systemctl enable openvpn"
- name: Enable & (Re)Start PARENT service openvpn, which (re)starts CHILD service openvpn@xscenet (& actual tunnel)
+- name: Enable & (Re)Start PARENT 'openvpn' system service, which (re)starts CHILD service 'openvpn@xscenet' (& actual tunnel)
  systemd:
    name: openvpn
    daemon_reload: yes
@ -171,7 +177,7 @@
    state: absent
  when: not openvpn_enabled or not openvpn_cron_enabled
- name: Disable & Stop PARENT service openvpn, which stops CHILD service openvpn@xscenet (& actual tunnel)
+- name: Disable & Stop PARENT 'openvpn' system service, which stops CHILD service 'openvpn@xscenet' (& actual tunnel)
  systemd:
    name: openvpn
    enabled: no
@ -191,6 +197,7 @@
 #  ignore_errors: True
 #  when: not openvpn_enabled and not installing
 - name: Add 'openvpn' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/pathagar/tasks/main.yml
+++ b/roles/pathagar/tasks/main.yml
@ -1,9 +1,18 @@
 - name: "Set PostgreSQL vars 'postgresql_install: True' and 'postgresql_enabled: True'"
  set_fact:
    postgresql_install: True
    postgresql_enabled: True
 - name: POSTGRESQL - run the 'postgresql' role
  include_role:
    name: postgresql
 - name: Remove package Pathagar (in case rpm?)
  package:
    name: pathagar
    state: absent
- name: Install Pathagar prerequisites (all OSs)
+- name: "Install Pathagar prerequisites: python-virtualenv, python-pip, python-psycopg2"
  package:
    name: "{{ item }}"
    state: present
@ -12,7 +21,7 @@
    - python-pip
    - python-psycopg2
- name: Install Pathagar prerequisites (debuntu)
+- name: "Install Pathagar prerequisites: libapache2-mod-wsgi, libxml2-dev, libxslt-dev (debuntu)"
  package:
    name: "{{ item }}"
    state: present
@ -22,7 +31,7 @@
    - libxslt-dev
  when: is_debuntu | bool
- name: Install Pathagar prerequisites (not debuntu)
+- name: "Install Pathagar prerequisites: mod_wsgi, libxml2-devel, libxslt-devel (not debuntu)"
  package:
    name: "{{ item }}"
    state: present
@ -32,21 +41,21 @@
    - libxslt-devel
  when: not is_debuntu
- name: Create destination folder
+- name: "Create destination folder: {{ pathagar_src }}"
  file:
    path: "{{ pathagar_src }}"
    state: directory
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: 0755
+    # mode: '0755'
- name: Create books destination folder
+- name: "Create books destination folder: {{ pathagar_media }}"
  file:
    path: "{{ pathagar_media }}"
    state: directory
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
-    mode: 0755
+    mode: '0755'
 - name: Determine if Pathagar has already been downloaded from git
  stat:
@ -89,10 +98,12 @@
  become: yes
  become_user: postgres
- name: Start postgresql-iiab
+- name: Start 'postgresql-iiab' systemd service
-  service:
+  systemd:
    name: postgresql-iiab
    state: started
    enabled: yes
 when: pathagar_enabled
 - name: Enable Pathagar postgresql user access by md5 method
  lineinfile:
@ -106,8 +117,8 @@
    group: postgres
  register: enable_pathagar_md5_access
- name: Reload postgresql service
+- name: Reload 'postgresql-iiab' systemd service
-  service:
+  systemd:
    name: postgresql-iiab
    state: reloaded
  when: enable_pathagar_md5_access.changed
@ -126,9 +137,9 @@
  template:
    src: prod_settings.py
    dest: "{{ pathagar_src }}/prod_settings.py"
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: 0644
+    # mode: '0644'
 - name: Create Pathagar initial db
  django_manage:
@ -143,7 +154,7 @@
    dest: "{{ pathagar_dir }}/auth.User.json"
    owner: root
    group: root
-    mode: 0600
+    mode: '0600'
 - name: Load Pathagar admin user
  django_manage:
@ -164,35 +175,44 @@
  template:
    src: wsgi.py
    dest: "{{ pathagar_dir }}/wsgi.py"
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: 0644
+    # mode: '0644'
- name: Install httpd conf for Pathagar
+- name: Install /etc/{{ apache_config_dir }}/pathagar.conf from template
  template:
    src: pathagar.conf
    backup: yes
    dest: "/etc/{{ apache_config_dir }}/pathagar.conf"
    mode: 0644
- name: Enable Pathagar (debuntu)
+- name: Enable Pathagar via Apache (debuntu)
  file:
    path: /etc/apache2/sites-enabled/pathagar.conf
    src: /etc/apache2/sites-available/pathagar.conf
    state: link
  when: pathagar_enabled and is_debuntu
- name: Disable Pathagar (debuntu)
+- name: Disable Pathagar via Apache (debuntu)
  file:
    path: /etc/apache2/sites-enabled/pathagar.conf
    state: absent
  when: not pathagar_enabled and is_debuntu
- name: Reload Apache ({{ apache_service }})
+- name: Reload '{{ apache_service }}' systemd service
  systemd:
    name: "{{ apache_service }}"
    state: reloaded
 # if the only service using the backend db disable if not running
 - name: Disable 'postgresql-iiab' systemd service, if not moodle_enabled and not pathagar_enabled
  systemd:
    name: postgresql-iiab
    state: stopped
    enabled: no
  when: not moodle_enabled and not pathagar_enabled
 - name: Add 'pathagar' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/pbx/meta/main.yml
+++ b/roles/pbx/meta/main.yml
@ -1,3 +0,0 @@
 dependencies:
     - { role: nodejs, tags: ['nodejs'], when: pbx_install and (nodejs_version == "10.x")}
--- a/roles/pbx/tasks/main.yml
+++ b/roles/pbx/tasks/main.yml
@ -1,3 +1,7 @@
 - name: NODEJS - run the 'nodejs' role
  include_role:
    name: nodejs
 - name: Fail if nodejs_version is incorrect
  fail:
    msg: >-
--- a/roles/phpmyadmin/tasks/main.yml
+++ b/roles/phpmyadmin/tasks/main.yml
@ -3,7 +3,6 @@
    url: "{{ iiab_download_url }}/{{ phpmyadmin_name_zip }}"
    dest: "{{ downloads_dir }}"
    timeout: "{{ download_timeout }}"
  #register: phpmyadmin_dl_output
  when: internet_available | bool
 - name: Does {{ downloads_dir }}/{{ phpmyadmin_name_zip }} exist?    # e.g. /opt/iiab/downloads/phpMyAdmin-4.8.3-all-languages.zip
@ -16,20 +15,20 @@
    msg: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }} is REQUIRED in order to install phpMyAdmin."
  when: not phpmyadmin_dl.stat.exists
- name: Unzip to permanent location /opt/{{ phpmyadmin_name }}
+- name: Unzip to permanent location /opt/{{ phpmyadmin_name }}, owned by {{ apache_user }}
  unarchive:
    src: "{{ downloads_dir }}/{{ phpmyadmin_name_zip }}"
    dest: /opt
    owner: "{{ apache_user }}"
- name: Create symlink from /opt/phpmyadmin to {{ phpmyadmin_name }}
+- name: Symlink /opt/phpmyadmin -> {{ phpmyadmin_name }}
  file:
    src: "{{ phpmyadmin_name }}"
    path: /opt/phpmyadmin
-    owner: "{{ apache_user }}"
+    owner: "{{ apache_user }}"    # Some Linux's ignore symlink owners?
    state: link
- name: Install /opt/phpmyadmin/config.inc.php from template
+- name: Install /opt/phpmyadmin/config.inc.php owned by {{ apache_user }}, from template
  template:
    src: config.inc.php
    dest: /opt/phpmyadmin/config.inc.php
@ -46,6 +45,13 @@
 #   #  recurse: yes
 #   #  state: directory
 - name: "Add 'phpmyadmin_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^phpmyadmin_installed'
    line: 'phpmyadmin_installed: True'
 - name: Install /etc/{{ apache_config_dir }}/phpmyadmin.conf from template, if phpmyadmin_enabled
  template:
    src: phpmyadmin.j2
@ -65,6 +71,7 @@
    state: absent
  when: not phpmyadmin_enabled and is_debuntu
 - name: Add 'phpmyadmin' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
@ -1,30 +1,32 @@
- name: Install postgresql package
+# TO DO:
 # - Validate input vars postgresql_install & postgresql_enabled
 # - Put ~12 stanzas just below into install.yml
 #   - Triggered by... 'when: postgresql_installed is undefined'
 - name: Install 'postgresql' package
  package:
    name: postgresql
    state: present
  #tags: download
- name: Install postgresql-client (debuntu)
+- name: Install 'postgresql-client' package (debuntu)
  package:
    name: postgresql-client
    state: present
  when: is_debuntu | bool
  #tags: download
- name: Install postgresql-server (OS's other than debuntu)
+- name: Install 'postgresql-server' package (OS's other than debuntu)
  package:
    name: postgresql-server
    state: present
  when: not is_debuntu
  #tags: download
 - name: Install /etc/systemd/system/postgresql-iiab.service from template
  template:
    src: postgresql-iiab.service
    dest: /etc/systemd/system/postgresql-iiab.service
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: '0644'
+    # mode: '0644'
 - name: Create PostgreSQL data dir /library/pgsql-iiab, owned by postgres:postgres
  file:
@ -71,26 +73,32 @@
    group: postgres
    mode: '0640'
-# Probably Not Nec!  Given stanza below does the same.
+# Likely No Longer Nec!  Given stanza below does the same...
- name: 'Stop postgresql service: /etc/init.d/postgresql stop (debuntu)'
+#- name: 'Stop postgresql service: /etc/init.d/postgresql stop (debuntu)'
-  command: "/etc/init.d/postgresql stop"
+#  command: "/etc/init.d/postgresql stop"
-  ignore_errors: True
+#  ignore_errors: True
-  when: postgresql_install and is_debuntu
+#  when: postgresql_install and is_debuntu
- name: Disable stock postgresql service
+- name: Disable & Stop stock 'postgresql' systemd service
  systemd:
    name: postgresql
    state: stopped
    enabled: no
- name: Enable & Start postgresql-iiab systemd service, if postgresql_enabled
+- name: "Add 'postgresql_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^postgresql_installed'
    line: 'postgresql_installed: True'
 - name: Enable & Start 'postgresql-iiab' systemd service, if 'postgresql_enabled'
  systemd:
    name: postgresql-iiab
    state: started
    enabled: yes
  when: postgresql_enabled | bool
- name: Disable postgresql-iiab service, if not postgresql_enabled
+- name: Disable 'postgresql-iiab' systemd service, if not 'postgresql_enabled'
  systemd:
    name: postgresql-iiab
    state: stopped
--- a/roles/sugarizer/meta/main.yml
+++ b/roles/sugarizer/meta/main.yml
@ -1,3 +0,0 @@
 dependencies:
    - { role: mongodb, tags: ['generic','mongodb'], when: sugarizer_install | bool }
    - { role: nodejs, tags: ['nodejs'], when: sugarizer_install | bool }
--- a/roles/sugarizer/tasks/enable.yml
+++ b/roles/sugarizer/tasks/enable.yml
@ -1,3 +1,4 @@
 # auto starts mongodb via the requires= line in unit file
 - name: Enable & Restart 'sugarizer' systemd service
  systemd:
    name: sugarizer
@ -6,6 +7,7 @@
    state: restarted
  when: sugarizer_enabled | bool
 # stops sugarizer but not mongodb
 - name: Disable & Stop 'sugarizer' systemd service
  systemd:
    name: sugarizer
@ -13,6 +15,11 @@
    state: stopped
  when: not sugarizer_enabled
 # stops mongodb would of been called via meta/main.yml prior
 - name: Run mongodb/tasks/enable.yml to stop MongoDB, if not sugarizer_enabled
  include_tasks: roles/mongodb/tasks/enable.yml
  when: not sugarizer_enabled
 # Apache
 - name: Enable http://box/sugarizer & http://box/sugar via Apache
--- a/roles/sugarizer/tasks/install.yml
+++ b/roles/sugarizer/tasks/install.yml
@ -1,3 +1,11 @@
 - name: MONGODB - run the 'mongodb' role
  include_role:
    name: mongodb
 - name: NODEJS - run the 'nodejs' role
  include_role:
    name: nodejs
 - name: FAIL (STOP INSTALLING) IF nodejs_version is not set to 12.x
  fail:
    msg: "Sugarizer install cannot proceed, as it currently requires Node.js 12.x, and your nodejs_version is set to {{ nodejs_version }}.  Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml and possibly also /etc/iiab/local_vars.yml"
--- a/roles/transmission/tasks/main.yml
+++ b/roles/transmission/tasks/main.yml
@ -5,15 +5,15 @@
      - transmission-cli
    state: present
- name: Create download dir {{ transmission_download_dir }}, owned by {{ transmission_user }}:{{ transmission_group }}    # /library/transmission
+- name: Create download dir {{ transmission_download_dir }}, owned by {{ transmission_user }}:{{ transmission_group }}
  file:
-    path: "{{ transmission_download_dir }}"
+    path: "{{ transmission_download_dir }}"    # /library/transmission
-    owner: "{{ transmission_user }}"
+    owner: "{{ transmission_user }}"    # debian-transmission
-    group: "{{ transmission_group }}"
+    group: "{{ transmission_group }}"    # root
-    mode: 0755
+    # mode: '0755'
    state: directory
- name: Stop transmission-daemon before modifying its settings
+- name: Stop 'transmission-daemon' systemd service, before modifying its settings
  systemd:
    name: transmission-daemon
    state: stopped
@ -23,11 +23,18 @@
  template:
    src: settings.json.j2
    dest: /etc/transmission-daemon/settings.json
-    mode: 0644
+    # mode: '0644'
-    owner: "{{ transmission_user }}"
+    owner: "{{ transmission_user }}"    # debian-transmission
-    group: "{{ transmission_group }}"
+    group: "{{ transmission_group }}"    # root
- name: Enable & Restart transmission-daemon systemd service, incl daemon-reload
+- name: "Add 'transmission_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^transmission_installed'
    line: 'transmission_installed: True'
 - name: Enable & Restart 'transmission-daemon' systemd service, incl daemon-reload
  systemd:
    name: transmission-daemon
    daemon_reload: yes
@ -45,7 +52,7 @@
  when: transmission_enabled and transmission_provision and transmission_kalite_languages is defined and transmission_kalite_languages is not none
  ignore_errors: yes
- name: Disable transmission-daemon service, if not transmission_enabled
+- name: Disable & Stop 'transmission-daemon' service, if not transmission_enabled
  systemd:
    name: transmission-daemon
    daemon_reload: yes
@ -53,6 +60,7 @@
    state: stopped
  when: not transmission_enabled
 - name: Add 'transmission' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
--- a/roles/vnstat/tasks/main.yml
+++ b/roles/vnstat/tasks/main.yml
@ -19,12 +19,21 @@
  shell: /usr/bin/vnstat -i {{ iiab_lan_iface }}
  when: iiab_lan_iface is defined
- name: Enable & Start vnStat's systemd service
+- name: "Add 'vnstat_installed: True' to {{ iiab_state_file }}"
  lineinfile:
    dest: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
    regexp: '^vnstat_installed'
    line: 'vnstat_installed: True'
 - name: Enable & Start vnStat's systemd service (vnstat)
  systemd:
    name: vnstat
    daemon_reload: yes
    enabled: yes
-    state: started
+    state: restarted
  when: vnstat_enabled | bool
 - name: Add 'vnstat' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/wordpress/tasks/apache.yml
+++ b/roles/wordpress/tasks/apache.yml
@ -0,0 +1,12 @@
 - name: Enable http://box{{ wp_url }} via Apache    # http://box/wordpress
  command: a2ensite wordpress.conf
  when: wordpress_enabled
 - name: Disable http://box{{ wp_url }} via Apache    # http://box/wordpress
  command: a2dissite wordpress.conf
  when: not wordpress_enabled
 - name: Restart '{{ apache_service }}' systemd service
  systemd:
    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
    state: restarted
--- a/roles/wordpress/tasks/enable-or-disable.yml
+++ b/roles/wordpress/tasks/enable-or-disable.yml
@ -1,35 +0,0 @@
 # Apache
 - name: Enable http://box{{ wp_url }} via Apache
  command: a2ensite wordpress.conf
  when: apache_install and wordpress_enabled
 - name: Disable http://box{{ wp_url }} via Apache
  command: a2dissite wordpress.conf
  when: apache_install and not wordpress_enabled
 - name: Restart Apache systemd service ({{ apache_service }})
  systemd:
    name: "{{ apache_service }}"    # apache2 or httpd, as set in /opt/iiab/iiab/vars/<OS>.yml
    state: restarted
  when: apache_install and apache_enabled
 # NGINX
 - name: Enable http://box{{ wp_url }} via NGINX, by installing {{ nginx_config_dir }}/wordpress-nginx.conf from template
  template:
    src: wordpress-nginx.conf.j2
    dest: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
  when: wordpress_enabled    # and nginx_enabled
 - name: Disable http://box{{ wp_url }} via NGINX, by removing {{ nginx_config_dir }}/wordpress-nginx.conf
  file:
    path: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
    state: absent
  when: not wordpress_enabled
 - name: Restart 'nginx' systemd service
  systemd:
    name: nginx
    state: restarted
  #when: nginx_enabled | bool
--- a/roles/wordpress/tasks/main.yml
+++ b/roles/wordpress/tasks/main.yml
@ -4,7 +4,7 @@
 # I want to perform input validation for Ansible playbooks"
 # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
-# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
 # to re-check whether vars are defined here.  As Ansible vars cannot be unset:
 # https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
@ -13,16 +13,13 @@
    that: wordpress_install is sameas true
    fail_msg: "PLEASE SET 'wordpress_install: True' e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
    #that: wordpress_install is defined and wordpress_install is sameas true
    #success_msg: wordpress_install is defined and wordpress_install is sameas true
 - name: Assert that "wordpress_enabled | type_debug == 'bool'" (boolean not string etc)
  assert:
    that: wordpress_enabled | type_debug == 'bool'
    fail_msg: "PLEASE GIVE VARIABLE 'wordpress_enabled' A PROPER (UNQUOTED) BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
    quiet: yes
-    #that: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool'
+
    #success_msg: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool'
 - name: Provision MySQL DB for WordPress, if 'wordpress_installed' is not defined in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: setup.yml
@ -32,8 +29,15 @@
  include_tasks: install.yml
  when: wordpress_installed is undefined
- name: Enable or Disable WordPress
+
-  include_tasks: enable-or-disable.yml
+- name: Enable/Disable/Restart Apache if primary
  include_tasks: apache.yml
  when: not nginx_enabled
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
  when: nginx_enabled | bool
 - name: Add 'wordpress' variable values to {{ iiab_ini_file }}
  ini_file:
--- a/roles/wordpress/tasks/nginx.yml
+++ b/roles/wordpress/tasks/nginx.yml
@ -0,0 +1,16 @@
 - name: Enable http://box{{ wp_url }} via NGINX, by installing {{ nginx_config_dir }}/wordpress-nginx.conf from template
  template:
    src: wordpress-nginx.conf.j2
    dest: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
  when: wordpress_enabled
 - name: Disable http://box{{ wp_url }} via NGINX, by removing {{ nginx_config_dir }}/wordpress-nginx.conf
  file:
    path: "{{ nginx_config_dir }}/wordpress-nginx.conf"    # /etc/nginx/conf.d
    state: absent
  when: not wordpress_enabled
 - name: Restart 'nginx' systemd service
  systemd:
    name: nginx
    state: restarted
--- a/2
+++ b/2
@ -64,6 +64,8 @@ if [ "$REINSTALL" == "1" ]; then
    if [ ! $1 == "internetarchive" ]; then # special handling
        if [ $1 == "calibre-web" ]; then # role directory & installed marker differ
            sed -i -e '/^calibreweb/d' $IIAB_STATE_FILE
        elif [ $1 == "httpd" ]; then # role directory & installed marker differ
            sed -i -e '/^apache/d' $IIAB_STATE_FILE
        elif [ $1 == "osm-vector-maps" ]; then # role directory & installed marker differ
            sed -i -e '/^osm_vector_maps/d' $IIAB_STATE_FILE
        #elif [ $1 == "bluetooth" ]; then # role directory & installed marker differ
		`@ -1,2 +0,0 @@`
			`dependencies:`
			`- { role: nodejs, tags: ['nodejs'], when: nodered_install \| bool }`
		`@ -1,3 +0,0 @@`
			`dependencies:`
			`- { role: nodejs, tags: ['nodejs'], when: pbx_install and (nodejs_version == "10.x")}`