Merge branch 'iiab:master' into freepbx-readme

2025-02-13 11:42:08 +00:00 · 2021-08-13 20:08:36 +05:30 · 2021-08-13 20:08:36 +05:30 · a8844dbad5
commit a8844dbad5
parent 62b87dc2cf ed50d7210d
82 changed files with 1843 additions and 867 deletions
--- a/roles/0-DEPRECATED-ROLES/elgg/README.rst
+++ b/roles/0-DEPRECATED-ROLES/elgg/README.rst
--- a/roles/0-DEPRECATED-ROLES/elgg/defaults/main.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/defaults/main.yml
--- a/roles/0-DEPRECATED-ROLES/elgg/tasks/apache.yml.unused
+++ b/roles/0-DEPRECATED-ROLES/elgg/tasks/apache.yml.unused
--- a/roles/0-DEPRECATED-ROLES/elgg/tasks/install.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/tasks/install.yml
@ -1,11 +1,12 @@
- name: "Set 'apache_install: True' and 'apache_enabled: True'"
+# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
-  set_fact:
+#   set_fact:
-    apache_install: True
+#     apache_install: True
-    apache_enabled: True
+#     apache_enabled: True
 #
 # - name: APACHE - run 'httpd' role
 #   include_role:
 #     name: httpd
 - name: APACHE - run 'httpd' role
  include_role:
    name: httpd
 # 2020-06-15: roles/httpd/tasks/install.yml now takes care of this.
 # # 2020-05-21: Required now that mysql/tasks/install.yml installs
@ -32,7 +33,7 @@
  #  creates: "{{ downloads_dir }}/elgg-{{ elgg_version }}.zip"
  get_url:
    url: "{{ iiab_download_url }}/elgg-{{ elgg_version }}.zip"
-    dest: "{{ downloads_dir }}"
+    dest: "{{ downloads_dir }}"    # /opt/iiab/downloads
    timeout: "{{ download_timeout }}"
  when: internet_available
@ -41,7 +42,7 @@
    path: "/opt/elgg-{{ elgg_version }}/index.php"
  register: elgg
- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist
+- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist ({{ apache_user }}:{{ apache_user }})
  #shell: "/usr/bin/unzip -o {{ downloads_dir }}/elgg-{{ elgg_version }}.zip -d /opt"
  unarchive:
    #remote_src: yes
@ -52,7 +53,7 @@
    group: "{{ apache_user }}"
  when: elgg.stat.exists is defined and not elgg.stat.exists
- name: Create softlink from /opt/elgg to /opt/elgg-{{ elgg_version }}
+- name: Symlink /opt/elgg -> /opt/elgg-{{ elgg_version }}
  file:
    src: "./elgg-{{ elgg_version }}"
    path: /opt/elgg
@ -69,13 +70,13 @@
    group: "{{ apache_user }}"
 # The name of this file changed from 1.9 to 1.10.
- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree
+- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree (0644)
  copy:
    src: "/opt/{{ elgg_xx }}/vendor/elgg/elgg/install/config/htaccess.dist"
    dest: "/opt/{{ elgg_xx }}/.htaccess"
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
-    mode: '0644'
+    mode: 0644
 #regexp='^#RewriteBase'
 - name: Change .htaccess to include RewriteBase for http://box{{ elgg_url }}    # http://box/elgg
@ -86,12 +87,12 @@
    insertafter: '^#RewriteBase'
    line: "RewriteBase {{ elgg_url }}/"
- name: Set /opt/elgg/engine directory permissions to 0755 so Apache can write there
+- name: Set /opt/elgg/engine directory permissions to 0755 (owner {{ apache_user }}) so Apache can write there
  file:
    state: directory
    path: /opt/elgg/engine/
    owner: "{{ apache_user }}"
-    mode: '0755'
+    mode: 0755
 - name: Change /opt/elgg-{{ elgg_version }} ownership to {{ apache_user }}:{{ apache_user }} (likely not nec, as unarchive & all do this above)
  file:
@ -103,14 +104,14 @@
 - name: Create upload directory {{ elgg_upload_path }} that Apache (and Elgg) can write to
  file:
-    path: "{{ elgg_upload_path }}"
+    path: "{{ elgg_upload_path }}"    # /library/elgg
    state: directory
    owner: "{{ apache_user }}"
- name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }}    # http://box/elgg
+# - name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }}    # http://box/elgg
-  template:
+#   template:
-    src: elgg.conf
+#     src: elgg.conf
-    dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
+#     dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
 - name: Set up Elgg's MySQL database
--- a/roles/0-DEPRECATED-ROLES/elgg/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/tasks/main.yml
@ -24,14 +24,13 @@
  when: elgg_installed is undefined
-#- name: Enable/Disable/Restart Apache if primary
+# #- name: Enable/Disable/Restart Apache if primary
- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
+# - name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
-  include_tasks: apache.yml
+#   include_tasks: apache.yml
-  #when: not nginx_enabled
+#   #when: not nginx_enabled
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
  when: nginx_enabled
 - name: Add 'elgg' variable values to {{ iiab_ini_file }}
--- a/roles/0-DEPRECATED-ROLES/elgg/tasks/nginx.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/tasks/nginx.yml
--- a/roles/0-DEPRECATED-ROLES/elgg/tasks/setup.yml
+++ b/roles/0-DEPRECATED-ROLES/elgg/tasks/setup.yml
--- a/roles/0-DEPRECATED-ROLES/elgg/templates/elgg-nginx.conf.j2
+++ b/roles/0-DEPRECATED-ROLES/elgg/templates/elgg-nginx.conf.j2
--- a/roles/0-DEPRECATED-ROLES/elgg/templates/elgg.conf.unused
+++ b/roles/0-DEPRECATED-ROLES/elgg/templates/elgg.conf.unused
--- a/roles/0-DEPRECATED-ROLES/elgg/templates/elggdb.sql.j2
+++ b/roles/0-DEPRECATED-ROLES/elgg/templates/elggdb.sql.j2
--- a/roles/0-DEPRECATED-ROLES/elgg/templates/settings.php.j2
+++ b/roles/0-DEPRECATED-ROLES/elgg/templates/settings.php.j2
--- a/roles/0-DEPRECATED-ROLES/httpd/README.md
+++ b/roles/0-DEPRECATED-ROLES/httpd/README.md
--- a/roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml
+++ b/roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml
--- a/roles/0-DEPRECATED-ROLES/httpd/tasks/homepage.yml
+++ b/roles/0-DEPRECATED-ROLES/httpd/tasks/homepage.yml
--- a/roles/0-DEPRECATED-ROLES/httpd/tasks/install.yml
+++ b/roles/0-DEPRECATED-ROLES/httpd/tasks/install.yml
@ -4,7 +4,7 @@
    #name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl']       # WORKS?
    name:
      - "{{ apache_service }}"    # apache2 on Debuntu
-      - libapache2-mod-php{{ php_version }}    # 2020-06-15: Required (e.g. for Elgg, Moodle & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
+      - libapache2-mod-php{{ php_version }}    # 2020-06-15: Required (e.g. for Elgg, Moodle, roles/pbx's FreePBX & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
      #- "php{{ php_version }}"
      #- "php{{ php_version }}-curl"
    state: present
--- a/roles/0-DEPRECATED-ROLES/httpd/tasks/main.yml
+++ b/roles/0-DEPRECATED-ROLES/httpd/tasks/main.yml
--- a/roles/0-DEPRECATED-ROLES/httpd/templates/010-iiab.conf.j2
+++ b/roles/0-DEPRECATED-ROLES/httpd/templates/010-iiab.conf.j2
--- a/roles/0-DEPRECATED-ROLES/httpd/templates/iiab-homepage.conf
+++ b/roles/0-DEPRECATED-ROLES/httpd/templates/iiab-homepage.conf
--- a/roles/0-DEPRECATED-ROLES/httpd/templates/proxy_ajp.conf.j2
+++ b/roles/0-DEPRECATED-ROLES/httpd/templates/proxy_ajp.conf.j2
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -56,8 +56,8 @@
 - name: "Time Zone / TZ: Set symlink /etc/localtime to UTC if it doesn't exist?"
  include_tasks: tz.yml
- name: Test Gateway + Test Internet + Set new hostname/domain if nec + Set 'gui_port' to 80 or 443 for Admin Console
+- name: Test Gateway + Test Internet + Set new hostname/domain (hostname.yml) if nec + Set 'gui_port' to 80 or 443 for Admin Console
-  include_tasks: network.yml    # Can run hostname.yml
+  include_tasks: network.yml
 - name: Add 'runtime' variable values to {{ iiab_ini_file }}
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@ -61,9 +61,9 @@
 # https://github.com/iiab/iiab/blob/master/tests/test.yml
 # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/validate_vars.yml
 #
-# 2020-11-04: Fix validation of 5 core dependencies, for ./runrole etc
+# 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
- name: Set vars_checklist for 46 + 46 + 41 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 44 + 44 + 40 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
  set_fact:
    vars_checklist:
      - hostapd
@ -76,7 +76,7 @@
      - openvpn
      - admin_console
      #- nginx              # MANDATORY
-      - apache              # Dependency - excluded from _installed check below
+      #- apache             # Unmaintained - former dependency
      #- mysql              # MANDATORY
      - squid
      - dansguardian
@ -90,7 +90,7 @@
      - azuracast
      #- dokuwiki           # Unmaintained
      #- ejabberd           # Unmaintained
-      - elgg
+      #- elgg               # Unmaintained
      - gitea
      - jupyterhub
      - lokole
@ -99,7 +99,6 @@
      - nodejs              # Dependency - excluded from _installed check below
      - nodered
      - nextcloud
      - pbx
      - wordpress
      - kalite
      - kolibri
@ -116,11 +115,12 @@
      - phpmyadmin
      - vnstat
      - yarn                # Dependency - excluded from _installed check below
      - internetarchive
      - captiveportal
      - internetarchive
      - minetest
      - calibre
      - calibreweb
      - calibre
      - pbx
 - name: Assert that {{ vars_checklist | length }} "XYZ_install" vars are all... defined
  assert:
@ -162,5 +162,5 @@
    that: "{{ item }}_install or {{ item }}_installed is undefined"
    fail_msg: "DISALLOWED: '{{ item }}_install: False' (e.g. in /etc/iiab/local_vars.yml) WHEN '{{ item }}_installed' is defined (e.g. in /etc/iiab/iiab_state.yml) -- IIAB DOES NOT SUPPORT UNINSTALLS -- please verify those 2 files especially, and other places variables are defined?"
    quiet: yes
-  when: item != 'apache' and item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn'    # Exclude auto-installed dependencies
+  when: item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn'    # Exclude auto-installed dependencies
  loop: "{{ vars_checklist }}"
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -30,6 +30,8 @@
      #- openssh-server    # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml
      - pandoc             # For /usr/bin/iiab-refresh-wiki-docs
      - pastebinit         # For /usr/bin/iiab-diagnostics
      #- python3-pip       # 2021-07-29: Already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc
      #- python3-venv      # 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RaspiOS 10 do not.
      - rsync
      #- screen            # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
      - sqlite3
--- a/roles/6-generic-apps/tasks/main.yml
+++ b/roles/6-generic-apps/tasks/main.yml
@ -3,7 +3,6 @@
 - name: ...IS BEGINNING ====================================
  meta: noop
 # UNMAINTAINED
 - name: AZURACAST
  include_role:
    name: azuracast
@ -21,10 +20,11 @@
    name: ejabberd
  when: ejabberd_install is defined and ejabberd_install
 # UNMAINTAINED
 - name: ELGG
  include_role:
    name: elgg
-  when: elgg_install
+  when: elgg_install is defined and elgg_install
 - name: GITEA
  include_role:
--- a/roles/calibre-web/tasks/install.yml
+++ b/roles/calibre-web/tasks/install.yml
@ -1,4 +1,4 @@
- name: "Install ImageMagick package: imagemagick"
+- name: "Install packages: imagemagick, python3-venv"
  package:
    name:
      - imagemagick
--- a/roles/calibre/tasks/install.yml
+++ b/roles/calibre/tasks/install.yml
@ -37,13 +37,13 @@
 # 2. SYSTEMD SERVICES
- name: Create /etc/systemd/system/calibre-serve.service and /etc/{{ apache_conf_dir }}/calibre.conf
+- name: 'Install from template: /etc/systemd/system/calibre-serve.service'
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: 'calibre-serve.service.j2', dest: '/etc/systemd/system/calibre-serve.service' }
-    - { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' }    # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!)
+    #- { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' }    # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!)
 - name: Stop service 'calibre-serve' (/usr/bin/calibre-server by Kovid Goyal)
  systemd:
--- a/roles/calibre/templates/calibre.conf.unused
+++ b/roles/calibre/templates/calibre.conf.unused
--- a/roles/internetarchive/tasks/apache.yml.unused
+++ b/roles/internetarchive/tasks/apache.yml.unused
--- a/roles/internetarchive/tasks/install.yml
+++ b/roles/internetarchive/tasks/install.yml
@ -62,12 +62,6 @@
    src: internetarchive.service.j2
    dest: /etc/systemd/system/internetarchive.service
 - name: "Install from template: /etc/{{ apache_conf_dir }}/internetarchive.conf"
  template:
    src: internetarchive.conf
    dest: "/etc/{{ apache_conf_dir }}/internetarchive.conf"    # apache2/sites-available
  when: apache_installed is defined
 # 4. RECORD Internet Archive AS INSTALLED
--- a/roles/internetarchive/tasks/main.yml
+++ b/roles/internetarchive/tasks/main.yml
@ -68,13 +68,13 @@
    state: stopped
  when: not internetarchive_enabled
- name: Enable/Disable/Restart Apache if primary
+# - name: Enable/Disable/Restart Apache if primary
-  include_tasks: apache.yml
+#   include_tasks: apache.yml
-  when: apache_installed is defined and not nginx_enabled
+#   when: apache_installed is defined and not nginx_enabled
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled
+  #when: nginx_enabled
 - name: Add 'internetarchive' variable values to {{ iiab_ini_file }}
--- a/roles/internetarchive/templates/internetarchive.conf.unused
+++ b/roles/internetarchive/templates/internetarchive.conf.unused
--- a/roles/jupyterhub/README.md
+++ b/roles/jupyterhub/README.md
@ -1,10 +1,32 @@
 ## JupyterHub programming environment with student Notebooks
-#### High Schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their notebook/document/blog:
+#### Secondary schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their own blog-like "Jupyter Notebooks."
-* Jupyter Notebooks are widely used in the scientific community.
+* Jupyter Notebooks are widely used in the scientific community:
-* This IIAB package permits individual users to start using their own notebook on the server (http://box.lan/jupyterhub) without needing an individual server account.
+  * [Intitutional FAQ](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html)
-* Once a user signs in with a username and password, these credentials are stored, and are used thereafter to gain access to the user's files.
+  * [Getting Started](https://jupyterhub.readthedocs.io/en/stable/getting-started/)
-* Individual folders are created for all student work in the path `/var/lib/protected/` &mdash; individual students will only be able to see their own work in that directory.
+* Students create their own accounts on first use — e.g. at http://box.lan/jupyterhub — just as if they're logging in regularly (unfortunately the login screen doesn't make that clear, but the teacher _does not_ need to be involved!)
-* Students will not have any privileges outside of their own folder.
+  * A student can then sign in with their username and password, to gain access to their files (Jupyter Notebooks).
-* They may upload Jupyter Notebooks from a local machine, and download the current state of their work via a normal browser download.
+  * The teacher should set and protect JupyterHub's overall ``Admin`` password, just in case.  As with student accounts, the login screen doesn't make that clear — so just log in with username `Admin` using any password that you want to become permanent.
 * Individual student folders are created in ``/var/lib/private/`` on the Internet-in-a-Box (IIAB) server:
  * A student will only be able to see their own work — they do not have privileges outside of their own folder.
  * Students may upload Jupyter Notebooks to the IIAB server, and download the current state of their work via a normal browser.
 ### Settings
 Linux administrators please see `/opt/iiab/jupyterhub/etc/jupyterhub/jupyterhub_config.py` which originates from:
 https://github.com/iiab/iiab/blob/master/roles/jupyterhub/templates/jupyterhub_config.py
 Note that `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated with the usual formula:
 ```
 source /opt/iiab/jupyterhub/bin/activate
 ```
 ### Known Issues
 * 2021-08-07: The page that allows you to reset/change your own password is not accessible.  Likewise Admin users cannot reset/change the password of any _individual_ user at this time.  <sub><sub>[#2918](https://github.com/iiab/iiab/pull/2918)</sub></sub>
  * If necessary, a Linux administrator can delete the `/passwords.dbm.db` file at the very top of your Linux filesystem, allowing all JupyterHub users to (re)create new passwords.  This does work, but is very heavy-handed.  <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890551682)</sub></sub>
 * 2021-08-07: Teachers (i.e. Admin users) cannot currently access the very helpful "administrator's page" discussed at [JupyterHub FAQ >> "How do I manage users?"](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html#how-do-i-manage-users) and [roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054 >> "Admin users have extra privileges"](https://github.com/iiab/iiab/blob/d0e8e048347bf46c02a2cdb0da9c5cd0c489fe40/roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054).  <sub><sub>[#2919](https://github.com/iiab/iiab/pull/2919)</sub></sub>
 * 2021-08-08: Password [dbm file](https://github.com/jupyterhub/firstuseauthenticator#firstuseauthenticatordbm_path) `/passwords.dbm.db` should be moved from the top of the filesystem to a better place — e.g. to `/opt/iiab/jupyterhub/etc/` ?  <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890579789)</sub></sub>
--- a/roles/jupyterhub/tasks/install.yml
+++ b/roles/jupyterhub/tasks/install.yml
@ -13,6 +13,11 @@
  when: nodejs_installed is undefined
 - name: "Install package: python3-venv"
  package:
    name: python3-venv
    state: present
 - name: Make 3 directories to hold JupyterHub config
  file:
    state: directory
@ -40,8 +45,8 @@
      - jupyterhub-systemdspawner
    virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
    virtualenv_site_packages: no
-    virtualenv_command: /usr/bin/virtualenv
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RaspiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
-    virtualenv_python: python3
+    #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
    extra_args: "--no-cache-dir"
  when: internet_available
--- a/roles/jupyterhub/templates/jupyterhub_config.py
+++ b/roles/jupyterhub/templates/jupyterhub_config.py
@ -64,7 +64,7 @@
 #  
 #  Users should be properly informed if this is enabled.
 #  Default: False
-# c.JupyterHub.admin_access = False
+c.JupyterHub.admin_access = True
 ## DEPRECATED since version 0.7.2, use Authenticator.admin_users instead.
 #  Default: set()
@ -1057,7 +1057,7 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  
 #  Defaults to an empty set, in which case no user has admin access.
 #  Default: set()
-c.Authenticator.admin_users = set('iiab-admin')
+c.Authenticator.admin_users = set('Admin')
 ## Set of usernames that are allowed to log in.
 #  
--- a/roles/kalite/tasks/install.yml
+++ b/roles/kalite/tasks/install.yml
@ -11,13 +11,14 @@
 #  ignore_errors: yes
 #  when: is_raspbian
- name: Install python2, if Raspbian/Debian > 10 or Ubuntu > 19
+- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2)'
  package:
    name:
      - python2
-      - python-setuptools # provides setuptools-44 last version compatible with python2
+      - python-setuptools    # Provides setuptools-44 on recent OS's (last version compatible with python2)
      - virtualenv           # For Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole}
    state: present
-  when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
+  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
 - name: Use pip to pin setuptools to 44 in {{ kalite_venv }} if Raspbian/Debian > 10 or Ubuntu > 19
@ -53,11 +54,11 @@
 # Useless stanza, for 2 reasons: (1) http://box/kalite was never made to work
 # (2) /etc/apache2/sites-available does not exist on many IIAB's w/o Apache
- name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
+# - name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
-  template:
+#   template:
-    src: kalite.conf
+#     src: kalite.conf
-    dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
+#     dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
-  when: apache_installed is defined
+#   when: apache_installed is defined
 - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian > 10 or Ubuntu > 19
  replace:
--- a/roles/munin/tasks/install.yml
+++ b/roles/munin/tasks/install.yml
@ -1,11 +1,12 @@
- name: "Install 4 packages: munin, munin-node, munin-plugins-extra, libcgi-fast-perl"
+- name: "Install 5 packages: libcgi-fast-perl, munin, munin-node, munin-plugins-extra, python3-passlib"
  package:
    name:
      #- libapache2-mod-fcgid
      - libcgi-fast-perl
      - munin
      - munin-node
      - munin-plugins-extra
-      - libcgi-fast-perl
+      - python3-passlib    # For Ansible module 'htpasswd' in Ansible collection community.general -- used just below
      #- libapache2-mod-fcgid
    state: present
 - name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd
--- a/roles/mysql/tasks/install.yml
+++ b/roles/mysql/tasks/install.yml
@ -1,110 +1,28 @@
-# Stanzas as of 2021-08-02:
+- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql, python3-pymysql'
 #
 # - 1 base install
 # - 6 double timeout for slow CPUs
 # - 2 DB config
 # - 2 record as installed
 - name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql'
  package:
    name:
      - mariadb-server
      - mariadb-client
      #- php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - php{{ php_version }}-mysql      # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-mysql      # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx.yml, wordpress/tasks/install.yml
      - python3-pymysql                 # For Ansible modules {mysql_db, mysql_user} in Ansible collection community.mysql -- used in MySQL roles {mediawiki, nextcloud, wordpress} and possibly {elgg, pbx}
    state: present
-# 2020-07-11:
+# 2020-07-11: 10 PHP package installs moved to roles/www_base/tasks/main.yml
 # 10 PHP package installs moved to roles/www_base/tasks/main.yml
 # php{{ php_version }}-sqlite3 install moved to roles/osm-vector-maps/tasks/install.yml
-# - name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)"
+# 2021-08-11: 50 lines (6 stanzas) removed, that had been doubling MariaDB's
-#   package:
+# default boot timeout (90s to 180s) since 2019-07-03, for slow CPUs like this
-#     name:
+# Ubuntu 18.04.2 VM: https://github.com/iiab/iiab/issues/1802 -> PR #1813
 #       - MySQL-python
 #       - mysql
 #       - php
 #       - php-mysql
 #       - php-pear
 #       - php-gd
 #       - php-imap
 #       - php-ldap
 #       - php-odbc
 #       - php-xml
 #       - php-xmlrpc
 #     state: present
 #   when: not is_debuntu
 #
 # - include_tasks: centos.yml
 #   when: ansible_distribution == "CentOS"
 #
 # - include_tasks: fedora.yml
 #   when: ansible_distribution == "Fedora"
 # 2019-07-03 @jvonau @holta: the next 50 lines (6 stanzas) double MariaDB's
 # default boot timeout (90s to 180s) for slow CPUs like this Ubuntu 18.04.2 VM:
 # https://github.com/iiab/iiab/issues/1802
 # https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd
-
+# OS's have finally caught up - default timeout is now 900 seconds:
- name: Check if /lib/systemd/system/mariadb.service exists
+# https://github.com/iiab/iiab/pull/2936
  stat:
    path: /lib/systemd/system/mariadb.service
  register: mariadb_unit_file
 - name: Copy pkg's /lib/systemd/system/mariadb.service to /etc/systemd/system/ to be customized (CREATES TIMESTAMPED BACKUPS OF /etc/systemd/system/mariadb.service e.g. IF OPERATOR CUSTOMIZED IT, EVEN DESPITE WARNING BELOW!)
  copy:
    force: yes
    backup: yes
    src: /lib/systemd/system/mariadb.service
    dest: /etc/systemd/system/
  when: mariadb_unit_file.stat.exists
 - name: Symlink /etc/systemd/system/mysql.service -> /etc/systemd/system/mariadb.service
  file:
    state: link
    force: yes
    src: /etc/systemd/system/mariadb.service
    path: /etc/systemd/system/mysql.service
  when: mariadb_unit_file.stat.exists
 - name: Symlink /etc/systemd/system/mysqld.service -> /etc/systemd/system/mariadb.service
  file:
    state: link
    force: yes
    src: /etc/systemd/system/mariadb.service
    path: /etc/systemd/system/mysqld.service
  when: mariadb_unit_file.stat.exists
 - name: "WARN OPERATOR: Changes made to /etc/systemd/system/mariadb.service WILL BE LOST whenever 'mysql' playbook is run"
  lineinfile:
    path: /etc/systemd/system/mariadb.service
    insertbefore: BOF    # Beginning of file
    line: "# WARNING: CHANGES TO THIS FILE WILL BE REGULARLY *OVERWRITTEN* BY:\n# /opt/iiab/iiab/roles/mysql/tasks/main.yml\n"
  when: mariadb_unit_file.stat.exists
 - name: Set systemd boot timeout to 180 seconds for slow machines, in /etc/systemd/system/mariadb.service
  lineinfile:
    path: /etc/systemd/system/mariadb.service
    insertafter: '^\[Service\]$'
    regexp: "^TimeoutStartSec="
    line: "\n# 2019-07-03: @jvonau @holta doubled MariaDB's default boot timeout, from\n# 90 seconds to 180 seconds, for slow machines like this Ubuntu 18.04.2 VM:\n# https://github.com/iiab/iiab/issues/1802\n# https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd\nTimeoutStartSec=180\n"
    # If the line above were to be run repeatedly (never happens here!) Ansible
    # would pollute MariaDB's systemd unit file.  As multi-line regexp's are
    # not allowed (both regexp's should match, for idempotency).  If nec, use
    # the 1-liner below, or Ansible's 'blockinfile' which pollutes config files
    # in its own way...surrounding blocks with marker lines.
    # line: "TimeoutStartSec=180"
  when: mariadb_unit_file.stat.exists
 # 2 STANZAS BELOW...could later be put into setup.yml or config.yml or or provision.yml ?
 # Name of MySQL service varies by OS, so hardcoded in /opt/iiab/iiab/vars/<OS>.yml (formerly in roles/0-init/tasks/main.yml)
- name: Start MySQL systemd service ({{ mysql_service }}) to permit configuration
+- name: Restart MySQL systemd service ({{ mysql_service }}) to permit configuration
  systemd:
    name: "{{ mysql_service }}"
    daemon_reload: yes
    name: "{{ mysql_service }}"
    state: restarted
 - name: "Install /root/.my.cnf file from template -- used to contain root password credential, prior to 2020-08-24: https://github.com/iiab/iiab/pull/2488"
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -2,15 +2,15 @@
 1. Initial testing strategy (December 2019 - February 2020) was to move NGINX to [port 80](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services), and proxy everything to Apache on [port 8090](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) &mdash; creating "Shims" for each IIAB App/Service in *Section iii.* below.
-   Until "Native" NGINX is later implemented for each such IIAB App/Service &mdash; allowing each to move up to *Section ii.* below.
+   Until "Native" NGINX was later implemented for each such IIAB App/Service &mdash; allowing each to move up to *Section ii.* below.
-   And potentially later moving each up to *Section i.* if its Apache support is dropped!
+   And progressively later moving each up to *Section i.* when its Apache support was dropped.
   (Background: IIAB Apps/Services are generally [Ansible roles](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible) that live in [/opt/iiab/iiab/roles](https://github.com/iiab/iiab/tree/master/roles))
-2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
+2. Without PHP available via FastCGI, any function at all for PHP-based applications validated NGINX.
-3. Current state of IIAB App/Service migrations as of 2021-07-24: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
+3. Current state of IIAB App/Service migrations as of 2021-08-08: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
   1. These support "Native" NGINX but ***NOT*** Apache
@ -37,11 +37,11 @@
   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
-      * NONE: Apache support is being fully removed starting 2021-07-06 ([PR #2850](https://github.com/iiab/iiab/pull/2850))
+      * **NONE: Apache support is now fully REMOVED as of 2021-08-08** ([PR #2850](https://github.com/iiab/iiab/pull/2850))
   3. These support Apache but ***NOT*** "Native" NGINX.  They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache.
-      * elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?]
+      * elgg [deprecated -- consider assisting with a complete overhaul from Elgg 2.x to 4.x ?]
   4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations).  In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite)
@ -53,11 +53,11 @@
      * minetest
      * mosquitto
      * openvpn
-      * pbx [*, requires Apache for now, as in Section iii., [PR #2862](https://github.com/iiab/iiab/pull/2862)]
+      * pbx [*, recommends Apache for now, as in Section iii., [#2914](https://github.com/iiab/iiab/issues/2914)]
      * phpmyadmin [*, requires Apache for now, as in Section iii.]
-      * samba
+      * samba [*, [PR #2923](https://github.com/iiab/iiab/pull/2923)]
      * sshd
      * transmission
      * vnstat
-[*] The 4 above starred roles could use improvement, as of 2021-07-24.
+[*] The 4 above starred roles could use improvement, as of 2021-08-08.
--- a/roles/nginx/tasks/enable-or-disable.yml
+++ b/roles/nginx/tasks/enable-or-disable.yml
@ -1,29 +1,29 @@
- name: Ensure that Apache ({{ apache_service }}) is not running -- we may need port swap
+# - name: Ensure that Apache ({{ apache_service }}) is not running -- we may need port swap
-  systemd:
+#   systemd:
-    name: "{{ apache_service }}"    # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
+#     name: "{{ apache_service }}"    # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
-    state: stopped
+#     state: stopped
-  ignore_errors: yes
+#   ignore_errors: yes
-  # 'when: apache_installed is defined' might also work, as mysql's php no longer installs apache2 (but 'ignore_errors: yes' remains safer!)
+#   # 'when: apache_installed is defined' might also work, as mysql's php no longer installs apache2 (but 'ignore_errors: yes' remains safer!)
- name: Install /etc/{{ apache_service }}/ports.conf from template 1 of 2 (ports.conf.j2) if nginx_enabled, to enable Apache port {{ apache_port }} localhost only
+# - name: Install /etc/{{ apache_service }}/ports.conf from template 1 of 2 (ports.conf.j2) if nginx_enabled, to enable Apache port {{ apache_port }} localhost only
-  template:
+#   template:
-    src: ports.conf.j2
+#     src: ports.conf.j2
-    dest: "/etc/{{ apache_service }}/ports.conf"
+#     dest: "/etc/{{ apache_service }}/ports.conf"
-  when: nginx_enabled
+#   when: nginx_enabled
- name: Install /etc/{{ apache_service }}/ports.conf from template 2 of 2 (stock-apache-ports.conf) if not nginx_enabled, to disable Apache port {{ apache_port }} localhost only
+# - name: Install /etc/{{ apache_service }}/ports.conf from template 2 of 2 (stock-apache-ports.conf) if not nginx_enabled, to disable Apache port {{ apache_port }} localhost only
-  template:
+#   template:
-    src: stock-apache-ports.conf
+#     src: stock-apache-ports.conf
-    dest: "/etc/{{ apache_service }}/ports.conf"
+#     dest: "/etc/{{ apache_service }}/ports.conf"
-  when: not nginx_enabled
+#   when: not nginx_enabled
- name: Enable & Restart '{{ apache_service }}' if Apache is installed and enabled, since we stopped it
+# - name: Enable & Restart '{{ apache_service }}' if Apache is installed and enabled, since we stopped it
-  systemd:
+#   systemd:
-    name: "{{ apache_service }}"    # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
+#     name: "{{ apache_service }}"    # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
-    daemon_reload: yes
+#     daemon_reload: yes
-    state: restarted
+#     state: restarted
-    enabled: true
+#     enabled: true
-  when: apache_installed is defined and apache_enabled    # or not nginx_enabled
+#   when: apache_installed is defined and apache_enabled    # or not nginx_enabled
 - name: Enable & (Re)Start 'nginx' systemd service, if nginx_enabled
--- a/roles/nginx/tasks/install.yml
+++ b/roles/nginx/tasks/install.yml
@ -1,26 +1,43 @@
- name: Stop '{{ apache_service }}' systemd service
+- name: Stop & Disable '{{ apache_service }}' systemd service, in case it exists
  systemd:
    name: "{{ apache_service }}"    # apache2 or httpd, per /opt/iiab/iiab/vars/<OS>.yml
    state: stopped
    enabled: no
  ignore_errors: yes
-  # 'when: apache_installed is defined' insuff b/c mysql's php installs apache2
+  # 'when: apache_installed is defined' insuff b/c mysql's php (etc) can install apache2
 - name: 'Install 5 packages for NGINX: libnginx-mod-http-subs-filter, nginx-extras, php{{ php_version }}-fpm, uwsgi, uwsgi-plugin-python3'
  package:
    name:
      - libnginx-mod-http-subs-filter
      - nginx-extras
-      - php{{ php_version }}-fpm    # Drags in [1] php{{ php_version }}-cli (superset of php{{ php_version }}-common) [2] libsodium23 (likewise installed in moodle/tasks/install.yml AND wordpress/tasks/install.yml) [3] php{{ php_version }}-json if PHP < 8.0 (NEEDED FOR nextcloud/tasks/install.yml AND pbx/tasks/freepbx_dependencies.yml AND wordpress/tasks/install.yml)
+      - php{{ php_version }}-fpm    # INSTALLS [0] /etc/apache2/conf-available/php{{ php_version }}-fpm.conf AND DRAGS IN [1] php{{ php_version }}-cli (superset of php{{ php_version }}-common) [2] libsodium23 (likewise installed in moodle/tasks/install.yml AND wordpress/tasks/install.yml) [3] php{{ php_version }}-json if PHP < 8.0 (NEEDED FOR nextcloud/tasks/install.yml AND pbx/tasks/freepbx_dependencies.yml AND wordpress/tasks/install.yml)
      - uwsgi                   # Admin Console & roles/captiveportal should really install
      - uwsgi-plugin-python3    # these 2 packages on demand (not every IIAB needs these).
    state: present
 # 2021-08-07: Legacy from roles/httpd/tasks/install.yml
 # - name: 'Create group: admin'
 #   group:
 #     name: admin
 # 2020-10-16: Removed per #2560
 # - name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
 #   user:
 #     name: "{{ apache_user }}"    # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml
 #     groups: shadow
 # - name: Add user {{ apache_user }} (from variable apache_user) to groups admin, shadow
 #   user:
 #     name: "{{ apache_user }}"    # www-data on Debuntu
 #     #groups: admin,shadow
 #     groups: shadow    # 2020-06-04: shadow nec for Admin Console login (this line had been clobbering user www-data's membership in group shadow, as set earlier by nginx/tasks/install.yml, SEE #2431)
 #     createhome: no
 #     append: yes
 - name: Remove NGINX default config /etc/nginx/sites-enabled/default
  file:
    path: /etc/nginx/sites-enabled/default
@ -34,8 +51,8 @@
    - { src: 'server.conf.j2', dest: '/etc/nginx/server.conf' }
    - { src: 'nginx.conf.j2', dest: '/etc/nginx/nginx.conf' }
    - { src: 'mime.types.j2', dest: '/etc/nginx/mime.types' }
-    #- { src: 'ports.conf.j2', dest: '/etc/{{ apache_service }}/ports.conf' }    # Moved to enable-or-disable.yml
+    # - { src: 'ports.conf', dest: '/etc/{{ apache_service }}/ports.conf' }    # 2021-08-09: Restored from enable-or-disable.yml then moved to roles/pbx/tasks/apache.yml
-    #- { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" }    # Moved into homepage.yml below
+    # - { src: 'iiab.conf.j2', dest: "{{ nginx_conf_dir }}/iiab.conf" }    # Moved into homepage.yml, invoked later by roles/www_options/tasks/main.yml (see below!)
 - debug:
    msg: roles/nginx/tasks/homepage.yml will run LATER (invoked by roles/www_options/tasks/main.yml) SO THAT NGINX CAN REDIRECT http://box TO http://box{{ iiab_home_url }} (based on var iiab_home_url)
@ -45,7 +62,6 @@
  systemd:
    name: "php{{ php_version }}-fpm"
    state: restarted
  #when: nginx_enabled
 # RECORD NGINX AS INSTALLED
--- a/roles/nginx/templates/server.conf.j2
+++ b/roles/nginx/templates/server.conf.j2
@ -1,6 +1,8 @@
 server {
    root {{ doc_root }};
-    server_name {{ iiab_hostname }};
+    server_name $hostname;    # e.g. box.lan, set dynamically when NGINX starts
    #server_name {{ iiab_hostname }}.{{ iiab_domain }};
    #server_name {{ iiab_hostname }};
    listen 80;
    index index.php index.html index.htm;
--- a/roles/nginx/templates/stock-apache-ports.conf.unused
+++ b/roles/nginx/templates/stock-apache-ports.conf.unused
--- a/roles/nodejs/tasks/install.yml
+++ b/roles/nodejs/tasks/install.yml
@ -7,11 +7,12 @@
 # 2019-07-04: FOR A SOMEWHAT MORE MODERN "VERSION DETECTOR" SEE:
 # github.com/iiab/iiab/blob/master/roles/nextcloud/tasks/install.yml#L1-L40
- name: Try to run 'nodejs -v' to get Node.js version
+- name: Try to run 'node -v' to get Node.js version
-  # 'node -v' doesn't work with older versions e.g. Ubuntu 16.04's nodejs 4.2.6
+  # 'node -v' doesn't work with older versions e.g. Ubuntu 16.04's Node.js 4.2.6
  # 'nodejs -v' doesn't work with newer versions e.g. Node.js 16.x
  # Both below convert v10.15.1 to 10.x, but this is safer: (removes non-digits)
-  shell: nodejs -v | sed 's/[^0-9]*//' | sed 's/[^0-9].*/.x/'
+  shell: node -v | sed 's/[^0-9]*//' | sed 's/[^0-9].*/.x/'
-  #shell: nodejs -v | sed 's/^[vV]//' | sed 's/\..*/.x/'
+  #shell: node -v | sed 's/^[vV]//' | sed 's/\..*/.x/'
  register: nodejs_version_installed
 #- debug:
@ -32,12 +33,13 @@
 #      /etc/iiab/local_vars.yml -- then re-run this IIAB installer.
 #  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stderr == ""
 # 2021-08-04: Regardless, nodesource.com (below) overwrites /etc/apt/sources.list.d/nodesource.list
 # Forces < 16.x or > 16.x to be removed, ignored if file is absent
- name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }}
+#- name: Remove /etc/apt/sources.list.d/nodesource.list if nodejs_version_installed.stdout is not {{ nodejs_version }}
-  file:
+#  file:
-    state: absent
+#    state: absent
-    path: /etc/apt/sources.list.d/nodesource.list
+#    path: /etc/apt/sources.list.d/nodesource.list
-  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
+#  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
 # BRUTAL but ensures consistency across OS's / distros like Raspbian Desktop & Ubermix that often include an older version of Node.js
 # Forces < 16.x or > 16.x to be uninstalled
@ -45,9 +47,9 @@
  package:
    name: nodejs
    state: absent
-  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
+  when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version
  #when: nodejs_version_installed is defined and nodejs_version_installed.stdout != nodejs_version and nodejs_version_installed.stdout != ""
 # Forces == 16.x
 - name: Warn if Node.js {{ nodejs_version}} already installed & might be updated
  debug:
    msg: "WARN: YOUR Node.js {{ nodejs_version }} MIGHT NOW BE UPDATED USING nodesource.com"
@ -65,12 +67,12 @@
 #    state: absent
 #  when: internet_available and is_debuntu
- name: Set up Node.js {{ nodejs_version }} apt sources
+- name: Run 'curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -' to overwrite /etc/apt/sources.list.d/nodesource.list
  shell: curl -sL https://deb.nodesource.com/setup_{{ nodejs_version }} | bash -
-  args:
+  #args:
-    warn: no
+  #  warn: no
-    creates: /etc/apt/sources.list.d/nodesource.list
+  #  creates: /etc/apt/sources.list.d/nodesource.list
-  when: internet_available
+  #when: internet_available    # 2021-08-04: Better to fail & notify implementer!
  #when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17)
  # NOT NEC TO TEST FOR is_raspbian_8 OR is_raspbian_9 AS /opt/iiab/iiab/vars/<OS>.yml
  # DEFINES THESE AS SUBSETS OF is_debian_8 OR is_debian_9 (FOR NOW!)
@ -86,15 +88,9 @@
    name: nodejs
    state: latest
    #state: present
-  when: internet_available
+  #when: internet_available    # 2021-08-04: Better to fail & notify implementer!
  #when: internet_available and (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17)
 # - name: Set up & install Node.js {{ nodejs_version }} which includes /usr/bin/npm (redhat)
 #   shell: curl -sL https://rpm.nodesource.com/setup_{{ nodejs_version }} | bash -
 #   args:
 #     warn: no
 #   when: internet_available and is_redhat
 # 2018-07-14: BOTH STEPS ABOVE TAKE TIME, but Raspbian (apt offers npm
 # 1.4.21) & Debian 9 (apt offers no npm!) STILL NEED the above
--- a/roles/openvpn/tasks/install.yml
+++ b/roles/openvpn/tasks/install.yml
@ -1,18 +1,12 @@
- name: "Install packages: nmap, openvpn, sudo"
+- name: "Install packages: ncat, nmap, openvpn, sudo"
  package:
    name:
      - ncat    # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle (if Debian > 9 or Ubuntu > 18)
      - nmap
      - openvpn
      - sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by 1-prep here, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
    state: present
 # Newer versions of NMap do not include NCat, needed to announce /etc/iiab/openvpn_handle
 - name: Install Ncat package (if Debian > 9 or Ubuntu > 18)
  package:
    name: ncat
    state: present
  when: is_debuntu and not (is_debian_8 or is_debian_9 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18)
 - name: Install ssh public keys for remote support (if openvpn_install)
  lineinfile:
    line: "{{ item.pubkey }}"
--- a/roles/pbx/defaults/main.yml
+++ b/roles/pbx/defaults/main.yml
@ -5,21 +5,24 @@
 # pbx_install: False
 # pbx_enabled: False
 # pbx_try_nginx: False    # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
 # # AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
 # asterisk_chan_dongle: False
 # pbx_signaling_ports_chan_sip: 5160:5161
 # pbx_signaling_ports_chan_pjsip: 5060
 # pbx_data_ports: 10000:20000
 # pbx_http_port: 83
-#
+
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
-asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk/
+asterisk_url: http://downloads.asterisk.org/pub/telephony/asterisk
 asterisk_src_file: asterisk-18-current.tar.gz
 asterisk_src_dir: /opt/iiab/asterisk
-freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/7.4/
+freepbx_url: http://mirror.freepbx.org/modules/packages/freepbx/7.4
 freepbx_src_file: freepbx-16.0-latest.tgz    # Beta as of 2021-06-21 but looking great!  Does NOT support PHP < 7.4 (you've been warned!)  Please review https://github.com/iiab/iiab/blob/master/roles/pbx/README.rst
 freepbx_src_dir: /opt/iiab/freepbx
 freepbx_install_dir: /var/www/html/freepbx
@ -30,6 +33,6 @@ asterisk_db_dbname: asterisk
 asterisk_db_password: asterisk
 asterisk_db_cdrdbname: asteriskcdrdb
-chan_dongle_url: https://github.com/wdoekes/asterisk-chan-dongle/archive/
+chan_dongle_url: https://github.com/wdoekes/asterisk-chan-dongle/archive
 chan_dongle_src_file: master.zip
 chan_dongle_src_dir: /opt/iiab/chan_dongle
--- a/roles/pbx/tasks/apache.yml
+++ b/roles/pbx/tasks/apache.yml
@ -0,0 +1,41 @@
 # Must happen before install of Apache, or it'll collide with NGINX port 80.
 # 2021-08-09: Used to be done by roles/nginx/tasks/install.yml
 - name: "FreePBX - Install from template: /etc/{{ apache_service }}/ports.conf containing 'Listen {{ pbx_http_port }}'"    # i.e. port 83
  template:
    src: ports.conf
    dest: /etc/{{ apache_service }}/
 - name: "FreePBX - Install Apache packages: {{ apache_service }}, libapache2-mod-php, libapache2-mpm-itk"
  package:
    name:
      - "{{ apache_service }}"    # 2021-08-07: Install apache2 directly, as we prepare to deprecate roles/httpd
      - libapache2-mod-php        # NOTE duplication: roles/httpd/tasks.install.yml installed libapache2-mod-php{{ php_version }} ostensibly for "Elgg, Moodle, etc"
      - libapache2-mpm-itk        # To serve FreePBX through a VirtualHost as asterisk user (#2914: Is this possible via NGINX?)
 - name: 'FreePBX - Enable Apache module, as with "a2enmod" command: rewrite'
  apache2_module:
    name: rewrite
 # Legacy code from roles/httpd/tasks/install.yml
 # - name: 'Enable 5 Apache modules, as with "a2enmod" command: headers, proxy, proxy_html, proxy_http, rewrite (for http://box/kiwix, http://box/kolibri, http://box/nodered, etc)'
 #   apache2_module:
 #     name: "{{ item }}"
 #   with_items:
 #     - headers
 #     - proxy
 #     - proxy_html
 #     - proxy_http
 #     - rewrite
 # 2021-08-08: Security risks?  But official install doc recommends this:
 # https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9
 # (lineinfile doesn't quite do the job, as all instances are replaced)
 - name: FreePBX - Run "sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf"
  command: sed -i 's/AllowOverride None/AllowOverride All/' /etc/apache2/apache2.conf
 - name: FreePBX - Install /etc/{{ apache_service }}/sites-available/freepbx.conf from template ({{ apache_user }}:{{ apache_user }}, 0644 by default)
  template:
    src: freepbx.conf.j2
    dest: /etc/{{ apache_service }}/sites-available/freepbx.conf    # apache2
    owner: "{{ apache_user }}"    # www-data
    group: "{{ apache_user }}"
--- a/roles/pbx/tasks/asterisk.yml
+++ b/roles/pbx/tasks/asterisk.yml
@ -1,38 +1,48 @@
-# 2021-08-03: Asterisk's own install_prereq (below) handles these?
+# 2021-08-05: Asterisk's own install_prereq (below) handles essentially all of these
 # - name: Asterisk - Install dependencies
-#  include: asterisk_dependencies.yml
+#   include_tasks: asterisk_dependencies.yml
- name: Asterisk - Download software to /opt/iiab/downloads
+# BEWARE: 'systemctl is-active asterix' falsely reports 'inactive' even when systemd
 # is compiled in below!   FWIW: /opt/iiab/asterisk/contrib/systemd/asterisk.service
 # https://github.com/asterisk/asterisk/blob/master/contrib/systemd/asterisk.service
 - name: Asterisk - Install package 'libsystemd-dev' so Asterisk compiles in imperfect-but-improving systemd support -- if ./configure below places '#define HAVE_SYSTEMD 1' in /opt/iiab/asterisk/include/asterisk/autoconfig.h -- please later confirm with 'ldd /usr/sbin/asterisk | grep systemd' -- per https://community.asterisk.org/t/systemctl-start-asterisk-is-fail-with-timeout/81123/3
  package:
    name: libsystemd-dev
    state: present
 - name: Asterisk - Download {{ asterisk_url }}/{{ asterisk_src_file }} to {{ downloads_dir }}
  get_url:
    url: "{{ asterisk_url }}/{{ asterisk_src_file }}"
-    dest: "{{ downloads_dir }}/{{ asterisk_src_file }}"
+    dest: "{{ downloads_dir }}"    # e.g. /opt/iiab/downloads/asterisk-18-current.tar.gz
    timeout: "{{ download_timeout }}"
  when: internet_available
- name: Asterisk - Check for /opt/iiab/downloads/{{ asterisk_src_file }}
+- name: Asterisk - Check for {{ downloads_dir }}/{{ asterisk_src_file }}
  stat:
    path: "{{ downloads_dir }}/{{ asterisk_src_file }}"
  register: asterisk_src
- name: Asterisk - FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ asterisk_src_file }} doesn't exist
+- name: Asterisk - FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ asterisk_src_file }} doesn't exist
  fail:
-    msg: "{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED in order to install."
+    msg: "{{ downloads_dir }}/{{ asterisk_src_file }} is REQUIRED to install Asterisk."
  when: not asterisk_src.stat.exists
- name: Asterisk - Create install source directory
+- name: Asterisk - Create source dir {{ asterisk_src_dir }}
  file:
-    path: "{{ asterisk_src_dir }}"
+    path: "{{ asterisk_src_dir }}"    # /opt/iiab/asterisk
    state: directory
- name: Asterisk - Extract source
+- name: Asterisk - Extract to source dir (root:root by default)
  unarchive:
    src: "{{ downloads_dir }}/{{ asterisk_src_file }}"
    dest: "{{ asterisk_src_dir }}"
-    owner: root
+    # owner: root
-    group: root
+    # group: root
    extra_opts: [--strip-components=1]
    creates: "{{ asterisk_src_dir }}/Makefile"
 # 2021-08-03: Asterisk's install_prereq script (stanza just below) installs
 # 'aptitude' regardless, within handle_debian() here:
 # https://github.com/asterisk/asterisk/blob/master/contrib/scripts/install_prereq#L262-L271
@ -42,39 +52,40 @@
 #     name: aptitude
 #     state: latest
- name: Asterisk - Ensure all dependencies are resolved - CAN TAKE 5 MIN OR LONGER!
+- name: Asterisk - Run 'install_prereq install' for dependencies - CAN TAKE 5 MIN OR LONGER!
  shell: export DEBIAN_FRONTEND=noninteractive && ./contrib/scripts/install_prereq install
  args:
    chdir: "{{ asterisk_src_dir }}"
-# 2021-08-03: Requires subversion (installed just above)
+- name: Asterisk - Download mp3 decoder library into source tree - requires 'subversion' installed just above
 - name: Asterisk - Download mp3 decoder library into source tree
  command: ./contrib/scripts/get_mp3_source.sh
  args:
    chdir: "{{ asterisk_src_dir }}"
    creates: addons/mp3/mpg123.h
- name: Asterisk - Run the configure script
+- name: Asterisk - Run './configure --with-pjproject-bundled --with-jansson-bundled'
-  command: ./configure --with-jansson-bundled
+  command: ./configure --with-pjproject-bundled --with-jansson-bundled
  args:
    chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run make menuselect.makeopts
+- name: Asterisk - Run 'make menuselect.makeopts'
  command: make menuselect.makeopts
  args:
    chdir: "{{ asterisk_src_dir }}"
    creates: menuselect.makeopts
 - name: Asterisk - Do a bit of menuselect configuration
-  command: >
+  command: menuselect/menuselect --enable app_macro --enable format_mp3 menuselect.makeopts
-    menuselect/menuselect --enable app_macro --enable format_mp3
+  # 2021-08-06: Let's standardize (ABOVE) if 6 others (BELOW) aren't needed?
-    --enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722
+  # command: >
-    --enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 --enable EXTRA-SOUNDS-EN-GSM
+  #   menuselect/menuselect --enable app_macro --enable format_mp3
-    --disable-category MENUSELECT_MOH
+  #   --enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722
  #   --enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 --enable EXTRA-SOUNDS-EN-GSM
  #   --disable-category MENUSELECT_MOH
  args:
    chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run 'make' - CAN TAKE 30 MIN OR LONGER!
+- name: Asterisk - Run 'make' - CAN TAKE 8-30 MIN OR LONGER!
  command: make
  args:
    chdir: "{{ asterisk_src_dir }}"
@ -91,37 +102,52 @@
  args:
    chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Run 'make samples'
+- name: Asterisk - Run 'make samples' - this creates /etc/asterisk/asterisk.conf used below
  command: make samples
  args:
    chdir: "{{ asterisk_src_dir }}"
 - name: Asterisk - Run 'ldconfig'
-  shell: ldconfig
+  command: ldconfig
  args:
    chdir: "{{ asterisk_src_dir }}"
- name: Asterisk - Ensure group 'asterisk' exists
+# 2021-08-06: Most install recipes do 'update-rc.d -f asterisk remove' here.
-  group:
+# Can't hurt but we do that a bit later in freepbx.yml
    name: asterisk
    state: present
- name: Asterisk - Ensure user 'asterisk' exists, and belongs to the required groups
+
 # 2021-08-06: Taken care of just below
 # - name: Asterisk - Ensure group 'asterisk' exists
 #   group:
 #     name: asterisk
 #     state: present
 #- name: Asterisk - Ensure system user 'asterisk' has primary group 'asterisk', groups 'audio,dialout', home '/var/lib/asterisk'
 - name: Asterisk - Create Linux user 'asterisk'
  user:
    name: asterisk
-    group: asterisk
+    # group: asterisk            # 2021-08-06: Implicit
-    groups: audio,dialout
+    groups: audio,dialout        # 2021-08-08: Plausibly might help?
-    home: /var/lib/asterisk
+    home: /var/lib/asterisk      # 2021-08-07: /home/asterisk (default) ok too
-    system: yes
+    system: yes                  # 2021-08-08: No evidence this is needed.  Hopefully it doesn't cause harm?  (FYI Ansible doesn't change pre-existing users)
-    append: yes
+    append: yes                  # 2021-08-08: Not essential.  So Ansible adds groups w/o deleting existing group memberships.
- name: "Asterisk - Set ownership of 5 directories: /etc/asterisk, /var/lib/asterisk, /var/log/asterisk, /var/spool/asterisk, /usr/lib/asterisk (asterisk:asterisk)"
+- name: Asterisk - Add user 'www-data' to group 'asterisk' - if pbx_try_nginx
  user:
    name: www-data
    groups: asterisk
    # system: yes                # 2021-08-06: Ansible doesn't change pre-existing users
    append: yes
  when: pbx_try_nginx
 - name: Asterisk - Set ownership for 6 directories (asterisk:asterisk, recurse)
  file:
    dest: "{{ item }}"
    owner: asterisk
    group: asterisk
    recurse: yes
  with_items:
    - /var/run/asterisk
    - /etc/asterisk
    - /var/lib/asterisk
    - /var/log/asterisk
--- a/roles/pbx/tasks/asterisk_dependencies.yml.unused
+++ b/roles/pbx/tasks/asterisk_dependencies.yml.unused
@ -1,12 +1,12 @@
 - name: Asterisk - Install dependencies
  package:
    name:
-      - git
+      - git                # 2021-08-05: Not in Asterisk's install_prereq
-      - curl
+      - curl               # 2021-08-05: Not in Asterisk's install_prereq
      - wget
      - libnewt-dev
      - libssl-dev
-      - libncurses5-dev
+      - libncurses5-dev    # 2021-08-05: Not in Asterisk's install_prereq
      - subversion
      - libsqlite3-dev
      - build-essential
--- a/roles/pbx/tasks/chan_dongle.yml
+++ b/roles/pbx/tasks/chan_dongle.yml
@ -1,49 +1,52 @@
- name: chan_dongle - Download software to /opt/iiab/downloads
+# RPi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
 - name: chan_dongle - Download {{ chan_dongle_url }}/{{ chan_dongle_src_file }} to {{ downloads_dir }}
  get_url:
-    url: "{{ chan_dongle_url }}/{{ chan_dongle_src_file }}"
+    url: "{{ chan_dongle_url }}/{{ chan_dongle_src_file }}"    # /opt/iiab/downloads/master.zip
-    dest: "{{ downloads_dir }}/{{ chan_dongle_src_file }}"
+    dest: "{{ downloads_dir }}/{{ chan_dongle_src_file }}"     # Keep name as "master.zip" whereas browsers rename it to asterisk-chan-dongle-master.zip
    timeout: "{{ download_timeout }}"
  when: internet_available
- name: chan_dongle - Check for /opt/iiab/downloads/{{ chan_dongle_src_file }}
+- name: chan_dongle - Check for {{ downloads_dir }}/{{ chan_dongle_src_file }}
  stat:
    path: "{{ downloads_dir }}/{{ chan_dongle_src_file }}"
  register: chan_dongle_src
 - name: chan_dongle - FAIL (force Ansible to exit) IF /opt/iiab/downloads/{{ chan_dongle_src_file }} doesn't exist
  fail:
-    msg: "{ downloads_dir }}/{{ chan_dongle_src_file }} is REQUIRED in order to install."
+    msg: "{ downloads_dir }}/{{ chan_dongle_src_file }} is REQUIRED to install chan_dongle."
  when: not chan_dongle_src.stat.exists
- name: chan_dongle - Create install source directory
+- name: chan_dongle - Create source dir {{ chan_dongle_src_dir }}
  file: 
-    path: "{{ chan_dongle_src_dir }}"
+    path: "{{ chan_dongle_src_dir }}"    # /opt/iiab/chan_dongle
    state: directory
- name: chan_dongle - Extract source
+- name: chan_dongle - Extract to {{ downloads_dir }} (root:root)
  unarchive: 
    src: "{{ downloads_dir }}/{{ chan_dongle_src_file }}"
    dest: "{{ downloads_dir }}"
    owner: root
    group: root
- name: chan_dongle - move to {{ chan_dongle_src_dir }}
+- name: chan_dongle - Run 'rsync -av {{ downloads_dir }}/asterisk-chan-dongle-master/ {{ chan_dongle_src_dir }}'
  command: rsync -av {{ downloads_dir }}/asterisk-chan-dongle-master/ {{ chan_dongle_src_dir }}
  args:
    chdir: "{{ downloads_dir }}"
- name: chan_dongle - Run the bootstrap script
+
-  command: "./bootstrap"
+- name: chan_dongle - Run './bootstrap'
  command: ./bootstrap
  args:
    chdir: "{{ chan_dongle_src_dir }}"
    creates: "{{ chan_dongle_src_dir }}/configure"
- name: chan_dongle - Find out asterisk version
+- name: chan_dongle - Run 'asterisk -V | cut -d " " -f 2' for asterisk_ver
  shell: asterisk -V | cut -d " " -f 2
  register: asterisk_ver
- name: chan_dongle - Run the configure script
+- name: chan_dongle - Run './configure --with-astversion={{ asterisk_ver.stdout }}'
-  command: "./configure --with-astversion={{asterisk_ver.stdout}}"
+  command: ./configure --with-astversion={{ asterisk_ver.stdout }}
  args:
    chdir: "{{ chan_dongle_src_dir }}"
    creates: "{{ chan_dongle_src_dir }}/Makefile"
@ -60,9 +63,8 @@
    chdir: "{{ chan_dongle_src_dir }}"
    creates: "/usr/lib/asterisk/modules/chan_dongle.so"
- name: chan_dongle - Copy dongle.conf over
+- name: chan_dongle - Run 'cp {{ chan_dongle_src_dir }}/etc/dongle.conf /etc/asterisk/'
  command: cp {{ chan_dongle_src_dir }}/etc/dongle.conf /etc/asterisk/
  args:
    chdir: "{{ chan_dongle_src_dir }}"
    creates: "/etc/asterisk/dongle.conf"
--- a/roles/pbx/tasks/enable-or-disable.yml
+++ b/roles/pbx/tasks/enable-or-disable.yml
@ -1,35 +1,22 @@
- name: Enable & (Re)start 'asterisk' systemd service (if pbx_enabled)
+- name: Enable & (Re)start 'freepbx' systemd service, if pbx_enabled
  systemd:
    daemon_reload: yes
    name: asterisk
    enabled: yes
    state: restarted
  when: pbx_enabled
 - name: Disable & Stop 'asterisk' systemd service (if not pbx_enabled)
  systemd:
    daemon_reload: yes
    name: asterisk
    enabled: no
    state: stopped
  when: not pbx_enabled
 - name: Enable & (Re)start 'freepbx' systemd service (if pbx_enabled)
  systemd:
    name: freepbx
    enabled: yes
    state: restarted
  when: pbx_enabled
- name: Disable & Stop 'freepbx' systemd service (if not pbx_enabled)
+- name: Disable & Stop 'freepbx' systemd service, if not pbx_enabled
  systemd:
    daemon_reload: yes
    name: freepbx
    enabled: no
    state: stopped
  when: not pbx_enabled
 - block:
  - name: Enable http://box:{{ pbx_http_port }}/freepbx via Apache, if pbx_enabled    # http://box:83/freepbx
    command: a2ensite freepbx.conf
    when: pbx_enabled
@ -38,7 +25,58 @@
    command: a2dissite freepbx.conf
    when: not pbx_enabled
- name: Restart Apache service ({{ apache_service }})
+  - name: Restart & Enable '{{ apache_service }}' systemd service, if pbx_enabled
    systemd:
-    name: "{{ apache_service }}"    # httpd or apache2
+      name: "{{ apache_service }}"    # apache2
      state: restarted
      enabled: yes
    when: pbx_enabled
  - name: Stop & Disable '{{ apache_service }}' systemd service, if not pbx_enabled
    systemd:
      name: "{{ apache_service }}"
      state: stopped
      enabled: no
    when: not pbx_enabled
  when: not pbx_try_nginx
 - block:
  - name: Install /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf converted from www.conf for user 'asterisk', if pbx_enabled
    copy:
      src: roles/pbx/templates/asterisk.conf
      dest: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
    when: pbx_enabled
  - name: Remove /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf, if not pbx_enabled
    file:
      path: /etc/php/{{ php_version }}/fpm/pool.d/asterisk.conf
      state: absent
    when: not pbx_enabled
  - name: Enable & Restart 'php{{ php_version }}-fpm' systemd service
    systemd:
      name: php{{ php_version }}-fpm
      state: restarted
      enabled: yes
  - name: Enable http://box/freepbx via NGINX, by installing {{ nginx_conf_dir }}/freepbx-nginx.conf from template, if pbx_enabled
    template:
      src: freepbx-nginx.conf.j2
      dest: "{{ nginx_conf_dir }}/freepbx-nginx.conf"    # /etc/nginx/conf.d
    when: pbx_enabled
  - name: Disable http://box/freepbx via NGINX, by removing {{ nginx_conf_dir }}/freepbx-nginx.conf, if not pbx_enabled
    file:
      path: "{{ nginx_conf_dir }}/freepbx-nginx.conf"
      state: absent
    when: not pbx_enabled
  - name: Restart 'nginx' systemd service
    systemd:
      name: nginx
      state: restarted
  when: pbx_try_nginx
--- a/roles/pbx/tasks/freepbx.yml
+++ b/roles/pbx/tasks/freepbx.yml
@ -1,10 +1,73 @@
- name: FreePBX - Install dependencies
+# "Official" recipe: https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9
-  include: freepbx_dependencies.yml
+# Comprehensive & recent recipe for RPi: http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html
 # Quirky but still useful for comparison: https://computingforgeeks.com/how-to-install-asterisk-16-with-freepbx-15-on-ubuntu-debian/
 # 2012-2017: http://www.raspberry-asterisk.org
- name: FreePBX - Download software to /opt/iiab/downloads
+
 # 2021-08-04: Non-native systemd service 'asterisk.service' (redirects via
 # systemd-sysv-install, to '/etc/init.d/asterisk status' etc) is Enabled but
 # Not Active at this point.
 # 2021-08-05: Asterisk's systemd / systemctl support is getting there but Very
 # Imperfect (even when compiled in, as a result of package 'libsystemd-dev' at
 # the top of asterisk.yml).
 # 2021-08-12: Let's try to track the "official" init.d / update-rc.d
 # instructions ('update-rc.d -f asterisk remove') but using systemd instead,
 # to be more future-proof?
 - name: "FreePBX - Disable 'asterisk' systemd service, giving FreePBX full control during boot - similar to officially recommended 'update-rc.d -f asterisk remove' at: https://wiki.freepbx.org/display/FOP/Installing+FreePBX+16+on+Debian+10.9"
  systemd:
    daemon_reload: yes
    name: asterisk
    #state: stopped
    enabled: no
 - name: FreePBX - Install wget, git, unixodbc, sudo, net-tools, cron, sox + ~12 PHP dependencies (run 'php -m' or 'php -i' to verify PHP modules)
  package:
    name:
      - wget
      - git
      - unixodbc     # For Asterisk CDR (Call Detail Records)
      - sudo         # Required by FreePBX install script
      - net-tools    # Required by FWConsole (command-line utility, that controls FreePBX)
      - cron         # Required by FreePBX UCP package (User Control Panel)
      - sox          # Required for CDR web-playback
      # - php{{ php_version }}           # Basically drags in phpX.Y-cgi (already below!)
      - php{{ php_version }}-bcmath      # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - php{{ php_version }}-cgi
      # - php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
      - php{{ php_version }}-curl        # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - php{{ php_version }}-fpm         # Likewise installed in nginx/tasks/install.yml
      # - php{{ php_version }}-gettext
      - php{{ php_version }}-gd          # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml
      - php{{ php_version }}-imap
      # - php{{ php_version }}-json      # See stanza just below
      - php{{ php_version }}-mbstring    # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      # - python-mysqldb                 # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
      - php{{ php_version }}-mysql       # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - php-pear                         # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
      - php{{ php_version }}-snmp
      - php{{ php_version }}-xml         # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
      - php{{ php_version }}-zip         # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
    state: latest
 # For PHP >= 8.0: phpX.Y-json is baked into PHP itself.
 # For PHP <  8.0: phpX.Y-json auto-installed by phpX.Y-fpm AND phpX.Y-cli in 3-base-server's nginx/tasks/install.yml, as confirmed by: apt rdepends phpX.Y-json
 #
 # - name: Install php{{ php_version }}-json if PHP < 8.0
 #   package:
 #     name: php{{ php_version }}-json
 #     state: present
 #   when: php_version is version('8.0', '<')
 - name: FreePBX - Install and configure Apache - if not pbx_try_nginx
  include_tasks: apache.yml
  when: not pbx_try_nginx
 - name: FreePBX - Download {{ freepbx_url }}/{{ freepbx_src_file }} to {{ downloads_dir }}
  get_url:
    url: "{{ freepbx_url }}/{{ freepbx_src_file }}"
-    dest: "{{ downloads_dir }}/{{ freepbx_src_file }}"
+    dest: "{{ downloads_dir }}"    # e.g. /opt/iiab/downloads/freepbx-16.0-latest.tgz
    timeout: "{{ download_timeout }}"
  when: internet_available
@ -15,15 +78,15 @@
 - name: FreePBX - FAIL (force Ansible to exit) IF {{ downloads_dir }}/{{ freepbx_src_file }} doesn't exist
  fail:
-    msg: "{ downloads_dir }}/{{ freepbx_src_file }} is REQUIRED in order to install."
+    msg: "{{ downloads_dir }}/{{ freepbx_src_file }} is REQUIRED to install FreePBX."
  when: not freepbx_src.stat.exists
- name: FreePBX - Create install source directory
+- name: FreePBX - Create source dir {{ freepbx_src_dir }}
  file:
-    path: "{{ freepbx_src_dir }}"
+    path: "{{ freepbx_src_dir }}"    # /opt/iiab/freepbx
    state: directory
- name: FreePBX - Extract source
+- name: FreePBX - Extract to source dir (root:root)
  unarchive:
    src: "{{ downloads_dir }}/{{ freepbx_src_file }}"
    dest: "{{ freepbx_src_dir }}"
@ -32,27 +95,29 @@
    extra_opts: [--strip-components=1]
    creates: "{{ freepbx_src_dir }}/install"
- name: FreePBX - Patch FreePBX source - IIAB Bug 1685
+# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch
-  patch:
+# - name: FreePBX - Patch FreePBX source - IIAB Bug 1685
-    src: roles/pbx/templates/71-freepbx-framework.patch
+#   patch:
-    dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/BMO/Framework.class.php"
+#     src: roles/pbx/templates/71-freepbx-framework.patch
 #     dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/BMO/Framework.class.php"
- name: FreePBX - Patch FreePBX source - wants [] not {}
+# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch
-  patch:
+# - name: FreePBX - Patch FreePBX source - wants [] not {}
-    src: roles/pbx/templates/pbx.patch
+#   patch:
-    dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/Composer/vendor/neitanod/forceutf8/src/ForceUTF8/Encoding.php"
+#     src: roles/pbx/templates/pbx.patch
 #     dest: "{{ freepbx_src_dir }}/amp_conf/htdocs/admin/libraries/Composer/vendor/neitanod/forceutf8/src/ForceUTF8/Encoding.php"
- name: FreePBX - Disable & Stop asterisk service
+# 2021-08-04: FreePBX 16 no longer needs this FreePBX 15 patch
-  systemd:
+# - name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc()
-    daemon_reload: yes
+#   patch:
-    name: asterisk
+#     src: roles/pbx/templates/pbx2.patch
-    enabled: no
+#     dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php"
    state: stopped
- name: FreePBX - Add mysql user
+
 - name: FreePBX - Add MySQL user ({{ asterisk_db_user }})
  mysql_user:
-    name: "{{ asterisk_db_user }}"
+    name: "{{ asterisk_db_user }}"            # asterisk
-    password: "{{ asterisk_db_password }}"
+    password: "{{ asterisk_db_password }}"    # asterisk
    priv: "{{ asterisk_db_dbname }}.*:ALL/{{ asterisk_db_cdrdbname }}.*:ALL"
    # login_host: "{{ asterisk_db_host }}"
    # login_user: root
@ -60,9 +125,9 @@
    host: "{{ (asterisk_db_host == 'localhost') | ternary('localhost', ansible_default_ipv4.address) }}"
    state: present
- name: FreePBX - Add mysql db
+- name: FreePBX - Add MySQL db ({{ asterisk_db_dbname }})
  mysql_db:
-    name: "{{ asterisk_db_dbname }}"
+    name: "{{ asterisk_db_dbname }}"    # asterisk
    encoding: utf8
    collation: utf8_general_ci
    # login_host: "{{ asterisk_db_host }}"
@ -70,15 +135,28 @@
    # login_password: "{{ mysql_root_password }}"
    state: present
- name: FreePBX - Add cdr mysql db
+- name: FreePBX - Add cdr MySQL db ({{ asterisk_db_cdrdbname }})
  mysql_db:
-    name: "{{ asterisk_db_cdrdbname }}"
+    name: "{{ asterisk_db_cdrdbname }}"    # asteriskcdrdb
    encoding: utf8
    collation: utf8_general_ci
    login_host: "{{ asterisk_db_host }}"
    state: present
- name: FreePBX - Don't let freepbx take over the php sessions dir
+
 - name: FreePBX - Create new php sessions dir /var/lib/php/asterisk_sessions/ - SEE 'php_value session.save_path /var/lib/php/asterisk_sessions/' IN pbx/templates/freepbx.conf.j2
  file:
    path: /var/lib/php/asterisk_sessions/
    state: directory
 - name: FreePBX - Set ownership for new php sessions dir (asterisk:asterisk)
  file:
    dest: /var/lib/php/asterisk_sessions/
    owner: asterisk
    group: asterisk
    recurse: yes
 - name: "FreePBX - Populate /etc/asterisk/freepbx_chown.conf to prevent 'fwconsole chown' takeover of /var/lib/php/sessions"    # And possibly later /etc/freepbx.conf, /var/log/asterisk/freepbx.log, /var/spool/asterisk/cache
  blockinfile:
    content: |
      [blacklist]
@ -89,60 +167,99 @@
    group: asterisk
    create: yes
 - name: FreePBX - Create php sessions directory
  file:
    path: /var/lib/php/asterisk_sessions/
    state: directory
- name: FreePBX - Set ownership for php sessions directory
+- name: FreePBX - 2-step install - won't run if {{ freepbx_install_dir }} already exists - CAN TAKE 3-12 MIN OR LONGER!
-  file:
+  command: "{{ item }}"
    dest: /var/lib/php/asterisk_sessions/
    owner: asterisk
    group: asterisk
    recurse: yes
 - name: FreePBX - Install (just run once) - CAN TAKE 12 MIN OR LONGER!
  command: ./start_asterisk start
  args:
    chdir: "{{ freepbx_src_dir }}"
-    creates: "{{ freepbx_install_dir }}"
+    creates: "{{ freepbx_install_dir }}"    # /var/www/html/freepbx
  with_items:
    - ./start_asterisk start
    - ./install -n --webroot {{ freepbx_install_dir }} --dbuser {{ asterisk_db_user }} --dbpass {{ asterisk_db_password }} --dbname {{ asterisk_db_dbname }} --cdrdbname {{ asterisk_db_cdrdbname }}
- name: FreePBX - Install (just run once) - CAN TAKE 12 MIN OR LONGER!
+- name: "Run 'fwconsole stop' and 'killall -9 safe_asterisk' to stop both Asterisk processes -- this avoids \"Unable to run Pre-Asterisk hooks, because Asterisk is already running\" in 'journalctl -u freepbx' logs"
-  command: ./install -n --webroot {{ freepbx_install_dir }} --dbuser {{ asterisk_db_user }} --dbpass {{ asterisk_db_password }} --dbname {{ asterisk_db_dbname }} --cdrdbname {{ asterisk_db_cdrdbname }}
+  command: "{{ item }}"
-  args:
+  with_items:
-    chdir: "{{ freepbx_src_dir }}"
+    - fwconsole stop
-    creates: "{{ freepbx_install_dir }}"
+    - killall -9 safe_asterisk        # 2021-08-08: Stronger medicine needed for 64-bit Ubuntu Server 21.04 on RPi 4.  Originally from @jvonau's PR #2912.
    - killall -9 "PM2 v4.5.0: God"    # 2021-08-09: Missed by fwconsole (does this matter?)
    # - killall -9 asterisk       # 2021-08-05: Also from @jvonau's PR #2912, to brute force this.  In the end, above 'fwconsole stop' works more gracefully.
    # - ./start_asterisk stop     # Buggy!
    # - /usr/sbin/asterisk -rx "core stop gracefully"
    # - fwconsole reload
    # - fwconsole restart
    # - fwconsole ma disablerepo commercial
    # - fwconsole ma installall
    # - fwconsole ma delete firewall
    # - fwconsole reload
    # - fwconsole restart
  ignore_errors: yes    # 2021-08-08: For things like 'killall -9 safe_asterisk' that fail when process doesn't exist
-# 2021-08-02: FreePBX 16 seems to no longer need this FreePBX 15 patch?
+# 2021-08-06: This stanza works, but above is more graceful.  (FYI PRs #2908,
-#- name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc()
+# #2912, #2913 didn't quite work -- whereas this PR #2915 at least worked!)
-#  patch:
+# - name: FreePBX - Run 'systemctl restart freepbx' TWICE (THIS IS 1 OF 2) to get past 'systemctl status freepbx' glitch "Unable to run Pre-Asterisk hooks, because Asterisk is already running"
-#    src: roles/pbx/templates/pbx2.patch
+#   systemd:
-#    dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php"
+#     daemon_reload: yes
 #     name: freepbx
 #     enabled: yes
 #     state: restarted
- name: FreePBX - Install /etc/odbc.ini from template (root:root, 0644 by default)
+
 - name: FreePBX - Install /etc/odbc.ini from template (root:root, 0644 by default) for CDR 'asteriskcdrdb' - in future consider compiling ODBC driver for aarch64 per http://mghadam.blogspot.com/2021/03/install-asterisk-18-freepbx-15-on.html ?
  template:
-    src: odbc.ini.j2
+    src: odbc.ini
-    dest: /etc/odbc.ini
+    dest: /etc/
    # owner: root
    # group: root
    # mode: '0644'
- name: FreePBX - Install /etc/apache2/sites-available/freepbx.conf from template ({{ apache_user }}:{{ apache_user }}, 0644 by default)
+- name: FreePBX - Install /etc/systemd/system/freepbx.service from template (root:root, 0644 by default)
  template:
-    src: freepbx.conf.j2
+    src: freepbx.service
-    dest: /etc/apache2/sites-available/freepbx.conf
+    dest: /etc/systemd/system/
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
    # mode: '0644'
 - name: FreePBX - Add directive "Listen {{ pbx_http_port }}" to /etc/apache2/ports.conf
  lineinfile:
    path: /etc/apache2/ports.conf
    line: "Listen {{ pbx_http_port }}"
    #insertafter: Listen 80
- name: FreePBX - Install /etc/systemd/system/freepbx.service systemd unit file from template (root:root, 0644 by default)
+- name: FreePBX - Run 'fwconsole ma upgradeall' on installed FreePBX modules, e.g. 16 default modules (of about 70 total) - CAN TAKE 2 MIN OR LONGER!
-  template:
+  command: fwconsole ma upgradeall
-    src: freepbx.service.j2
+
-    dest: /etc/systemd/system/freepbx.service
+- name: FreePBX - Run 'fwconsole set CHECKREFERER 0' (0 means false) - if pbx_try_nginx - so 'Submit' button definitively works at http://box/freepbx >> Settings >> Advanced Settings -- FYI you can run 'fwconsole set -l' or 'fwconsole set CHECKREFERER' to view FreePBX settings -- FYI /etc/freepbx.conf can completely override FreePBX's stored settings if nec
-    # mode: '0755'    # Let's go with '0644' per unit file norms
+  command: fwconsole set CHECKREFERER 0    # Or/later run 'fwconsole set CHECKREFERER 1' (1 means true) to restore FreePBX's default strict checking.
  when: pbx_try_nginx
 # - name: Add "$amp_conf['CHECKREFERER'] = false;" to /etc/freepbx.conf #2931 - if pbx_try_nginx"
 #   lineinfile:
 #     path: /etc/freepbx.conf
 #     insertbefore: '^\?>$'    # Match exact line '?>' -- BOTTOM OF FILE NEC!
 #     line: "$amp_conf['CHECKREFERER'] = false;"
 #   when: pbx_try_nginx
 # - name: 'FreePBX - fix file permissions for NGINX: /etc/freepbx.conf (0644), /var/log/asterisk/freepbx.log (0666)'
 #   file:
 #     #state: file
 #     path: "{{ item.path }}"
 #     mode: "{{ item.mode }}"
 #   with_items:
 #     - { path: '/etc/freepbx.conf', mode: u=rw,g=r,o=r }                  # 2021-08-04: LATER ENDS UP AS 0660
 #     - { path: '/var/log/asterisk/freepbx.log', mode: u=rw,g=rw,o=rw }    # 2021-08-04: LATER ENDS UP AS 0664
 #   when: pbx_try_nginx
 # - name: 'FreePBX - fix dir permissions for NGINX: /var/spool/asterisk/cache (0777)'
 #   file:
 #     state: directory
 #     path: "{{ item }}"
 #     mode: u=rwx,g=rwx,o=rwx    # 2021-08-04: MOST CONTENT THEREIN ENDS UP AS asterisk:asterisk 664 (files) & 775 (dirs)
 #     # recurse: yes             # Probably Doesn't Help?
 #   with_items:
 #     # - /var/www/html/freepbx/admin/assets/less/cache
 #     - /var/spool/asterisk/cache
 #   when: pbx_try_nginx
 # For 'pbx_try_nginx: True' -- FreePBX's initial page (Admin user registration)
 # tries to set up a cron job but fails:
 #   "Exception: Trying to edit user asterisk, when I'm running as www-data"
 # 2021-08-10: Hacking /etc/freepbx.conf WAS NOT TESTED PROPERLY -- AS VARS MUST
 # BE NEAR BOTTOM OF FILE: github.com/iiab/iiab/pull/2916#issuecomment-894585322
 # - name: "2021-08-06: Try \"$amp_conf['AMPASTERISKWEBUSER'] = 'www-data';\" in /etc/freepbx.conf for #2916 registration cron fix ?'"
 #   lineinfile:
 #     path: /etc/freepbx.conf
 #     #insertafter: '^<\?php$'    # Match exact line '<?php' -- BUT TOP OF FILE FAILS :(
 #     insertbefore: '^\?>$'       # Match exact line '?>' -- BOTTOM OF FILE NECESSARY :)
 #     line: "$amp_conf['AMPASTERISKWEBUSER'] = 'www-data';"
 #   when: pbx_try_nginx
--- a/roles/pbx/tasks/freepbx_dependencies.yml.unused
+++ b/roles/pbx/tasks/freepbx_dependencies.yml.unused
@ -1,13 +1,13 @@
- name: FreePBX - Install dependencies (run 'php -m' or 'php -i' to verify PHP modules)
+- name: FreePBX - Install wget, git, unixodbc, sudo, net-tools, cron, sox + ~12 PHP dependencies (run 'php -m' or 'php -i' to verify PHP modules)
  package:
    name:
      - wget
      - git
-      - unixodbc     # for Asterisk CDR (Call Detail Records)
+      - unixodbc     # For Asterisk CDR (Call Detail Records)
-      - sudo         # required by FreePBX install script
+      - sudo         # Required by FreePBX install script
-      - net-tools    # required by FWConsole (command-line utility, that controls FreePBX)
+      - net-tools    # Required by FWConsole (command-line utility, that controls FreePBX)
-      - cron         # required by FreePBX UCP package (User Control Panel)
+      - cron         # Required by FreePBX UCP package (User Control Panel)
-      - sox          # required for CDR web-playback
+      - sox          # Required for CDR web-playback
      # - php{{ php_version }}           # Basically drags in phpX.Y-cgi (already below!)
      - php{{ php_version }}-bcmath      # Likewise installed in nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - php{{ php_version }}-cgi
@ -19,14 +19,12 @@
      - php{{ php_version }}-imap
      # - php{{ php_version }}-json      # See stanza just below
      - php{{ php_version }}-mbstring    # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      # - python-mysqldb                 # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
      - php{{ php_version }}-mysql       # Likewise installed in mysql/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - php-pear                         # Likewise installed for ADMIN CONSOLE https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19
      - php{{ php_version }}-snmp
      - php{{ php_version }}-xml         # Likewise installed in mediawiki/tasks/install.yml, moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml -- AND REGARDLESS dragged in later by Admin Console's use of php-pear for roles/cmdsrv/tasks/main.yml -- run 'php -m | grep -i xml' which in the end shows {libxml, SimpleXML, xml, xmlreader, xmlwriter}
      - php{{ php_version }}-zip         # Likewise installed in moodle/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - libapache2-mod-php
      #- python-mysqldb       # https://github.com/Yannik/ansible-role-freepbx/blob/master/tasks/freepbx.yml#L33
      - libapache2-mpm-itk    # To serve FreePBX through a VirtualHost as asterisk user
    state: latest
 # For PHP >= 8.0: phpX.Y-json is baked into PHP itself.
--- a/roles/pbx/tasks/install.yml
+++ b/roles/pbx/tasks/install.yml
@ -22,44 +22,23 @@
 #   when: nodejs_version != "12.x"
- name: "Set 'apache_install: True' and 'apache_enabled: True'"
+# 2021-08-09: Moved to roles/pbx/tasks/apache.yml
  set_fact:
    apache_install: True
    apache_enabled: True
- name: APACHE - run 'httpd' role
+# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
-  include_role:
+#   set_fact:
-    name: httpd
+#     apache_install: True
 #     apache_enabled: True
 # - name: APACHE - run 'httpd' role
 #   include_role:
 #     name: httpd
 # 2021-07-27: Taken care of by main.yml
 #- name: TODO: Check if asterisk and freepbx are already installed
 #
 #- name: Check if /etc/systemd/system/freepbx.service is already installed
 #  stat: 
 #    path: /etc/systemd/system/freepbx.service
 #  register: freepbx_installed
 #
 #- debug:
 #    msg: >-
 #      FreePBX already installed. Reinstall shall be skipped
 #  when: freepbx_installed.stat.exists
 # 2021-08-03: Taken care of by asterisk.yml's scripts/install_prereq
 #- name: Install 'make' package
 #  package:
 #    name: make
 #    state: present
 - name: Install Asterisk
  include_tasks: asterisk.yml
  #when: internet_available and pbx_install and (pbx_installed is undefined) and is_debuntu and (not freepbx_installed.stat.exists)
  #when: internet_available and pbx_install and (not pbx_installed) and ((is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18)
 - name: Install FreePBX
  include_tasks: freepbx.yml
  #when: internet_available and pbx_install and (pbx_installed is undefined) and is_debuntu and (not freepbx_installed.stat.exists)
  #when: internet_available and pbx_install and (not pbx_installed) and ((is_debian and ansible_distribution_major_version == "9") or is_ubuntu_18)
 # RECORD PBX AS INSTALLED
--- a/roles/pbx/tasks/main.yml
+++ b/roles/pbx/tasks/main.yml
@ -26,7 +26,7 @@
 - include_tasks: enable-or-disable.yml
- name: Asterisk - Install chan_dongle
+- name: Install chan_dongle for Huawei USB modems - if asterisk_chan_dongle
  include: chan_dongle.yml
  when: asterisk_chan_dongle
--- a/roles/pbx/templates/71-freepbx-framework.patch.unused
+++ b/roles/pbx/templates/71-freepbx-framework.patch.unused
--- a/roles/pbx/templates/asterisk.conf
+++ b/roles/pbx/templates/asterisk.conf
@ -0,0 +1,467 @@
 ; 2021-08-10: @jvonau derived this from /etc/php/7.4/fpm/pool.d/www.conf (apt
 ; package php7.4-fpm) with just 4 changes:  (github.com/iiab/iiab/pull/2930)
 ;
 ; 1. [www]  ->  [asterisk]
 ; 2. user = www-data  ->  user = asterisk
 ; 3. listen = /run/php/php7.4-fpm.sock  ->  listen = /run/php/php-asterisk.sock
 ; 4. listen.owner = www-data  ->  listen.owner = asterisk
 ;
 ; See also the top of asterisk.conf.patch and asterisk.conf.diff here:
 ; https://github.com/iiab/iiab/tree/master/roles/pbx/templates
 ;
 ; "One set of workers is running as www-data and the other set of workers is
 ; running as asterisk but on different sockets."
 ;
 ; This should resolve both iiab/iiab#2914 -> iiab/iiab#2916 "NGINX" issues:
 ; (1) As you tried to register at http://box/freepbx, cron setup failed with
 ; exception "Trying to edit user asterisk, when I'm running as www-data"
 ; https://github.com/iiab/iiab/pull/2916#issuecomment-894585322
 ; (2) When you clicked Settings >> Advanced Settings >> Submit >> Apply Config,
 ; it failed with "Unknown Error. Please Run: fwconsole reload --verbose"
 ; https://github.com/iiab/iiab/pull/2916#issuecomment-894604982
 ; Start a new pool named 'www'.
 ; the variable $pool can be used in any directive and will be replaced by the
 ; pool name ('www' here)
 [asterisk]
 ; Per pool prefix
 ; It only applies on the following directives:
 ; - 'access.log'
 ; - 'slowlog'
 ; - 'listen' (unixsocket)
 ; - 'chroot'
 ; - 'chdir'
 ; - 'php_values'
 ; - 'php_admin_values'
 ; When not set, the global prefix (or /usr) applies instead.
 ; Note: This directive can also be relative to the global prefix.
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
 user = asterisk
 group = www-data
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
 ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
 ;                            a specific port;
 ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
 ;                            a specific port;
 ;   'port'                 - to listen on a TCP socket to all addresses
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
 listen = /run/php/php-asterisk.sock
 ; Set listen(2) backlog.
 ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
 ;listen.backlog = 511
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
 ; BSD-derived systems allow connections regardless of permissions. The owner
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0660
 listen.owner = asterisk
 listen.group = www-data
 ;listen.mode = 0660
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
 ;listen.acl_users =
 ;listen.acl_groups =
 ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
 ; must be separated by a comma. If this value is left blank, connections will be
 ; accepted from any ip address.
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
 ;       - The pool processes will inherit the master process priority
 ;         unless it specified otherwise
 ; Default Value: no set
 ; process.priority = -19
 ; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
 ; or group is differrent than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
 ; process.dumpable = yes
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
 ;   static  - a fixed number (pm.max_children) of child processes;
 ;   dynamic - the number of child processes are set dynamically based on the
 ;             following directives. With this process management, there will be
 ;             always at least 1 children.
 ;             pm.max_children      - the maximum number of children that can
 ;                                    be alive at the same time.
 ;             pm.start_servers     - the number of children created on startup.
 ;             pm.min_spare_servers - the minimum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is less than this
 ;                                    number then some children will be created.
 ;             pm.max_spare_servers - the maximum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
 ;                                         can be alive at the same time.
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
 pm = dynamic
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
 ; This value sets the limit on the number of simultaneous requests that will be
 ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
 ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
 ; CGI. The below defaults are based on a server without much resources. Don't
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
 ;pm.max_children = 5
 pm.max_children=120
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
 ; Default Value: (min_spare_servers + max_spare_servers) / 2
 ;pm.start_servers = 2
 pm.start_servers=12
 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 ;pm.min_spare_servers = 1
 pm.min_spare_servers=6
 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 ;pm.max_spare_servers = 3
 pm.max_spare_servers=18
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
 ;pm.process_idle_timeout = 10s;
 ; The number of requests each child process should execute before respawning.
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
 ;pm.max_requests = 500
 ; The URI to view the FPM status page. If this value is not set, no URI will be
 ; recognized as a status page. It shows the following informations:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
 ;   start since          - number of seconds since FPM has started;
 ;   accepted conn        - the number of request accepted by the pool;
 ;   listen queue         - the number of request in the queue of pending
 ;                          connections (see backlog in listen(2));
 ;   max listen queue     - the maximum number of requests in the queue
 ;                          of pending connections since FPM has started;
 ;   listen queue len     - the size of the socket queue of pending connections;
 ;   idle processes       - the number of idle processes;
 ;   active processes     - the number of active processes;
 ;   total processes      - the number of idle + active processes;
 ;   max active processes - the maximum number of active processes since FPM
 ;                          has started;
 ;   max children reached - number of times, the process limit has been reached,
 ;                          when pm tries to start more children (works only for
 ;                          pm 'dynamic' and 'ondemand');
 ; Value are updated in real time.
 ; Example output:
 ;   pool:                 www
 ;   process manager:      static
 ;   start time:           01/Jul/2011:17:53:49 +0200
 ;   start since:          62636
 ;   accepted conn:        190460
 ;   listen queue:         0
 ;   max listen queue:     1
 ;   listen queue len:     42
 ;   idle processes:       4
 ;   active processes:     11
 ;   total processes:      15
 ;   max active processes: 12
 ;   max children reached: 0
 ;
 ; By default the status page output is formatted as text/plain. Passing either
 ; 'html', 'xml' or 'json' in the query string will return the corresponding
 ; output syntax. Example:
 ;   http://www.foo.bar/status
 ;   http://www.foo.bar/status?json
 ;   http://www.foo.bar/status?html
 ;   http://www.foo.bar/status?xml
 ;
 ; By default the status page only outputs short status. Passing 'full' in the
 ; query string will also return status for each pool process.
 ; Example:
 ;   http://www.foo.bar/status?full
 ;   http://www.foo.bar/status?json&full
 ;   http://www.foo.bar/status?html&full
 ;   http://www.foo.bar/status?xml&full
 ; The Full status returns for each process:
 ;   pid                  - the PID of the process;
 ;   state                - the state of the process (Idle, Running, ...);
 ;   start time           - the date and time the process has started;
 ;   start since          - the number of seconds since the process has started;
 ;   requests             - the number of requests the process has served;
 ;   request duration     - the duration in µs of the requests;
 ;   request method       - the request method (GET, POST, ...);
 ;   request URI          - the request URI with the query string;
 ;   content length       - the content length of the request (only with POST);
 ;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
 ;   script               - the main script called (or '-' if not set);
 ;   last request cpu     - the %cpu the last request consumed
 ;                          it's always 0 if the process is not in Idle state
 ;                          because CPU calculation is done when the request
 ;                          processing has terminated;
 ;   last request memory  - the max amount of memory the last request consumed
 ;                          it's always 0 if the process is not in Idle state
 ;                          because memory calculation is done when the request
 ;                          processing has terminated;
 ; If the process is in Idle state, then informations are related to the
 ; last request the process has served. Otherwise informations are related to
 ; the current request being served.
 ; Example output:
 ;   ************************
 ;   pid:                  31330
 ;   state:                Running
 ;   start time:           01/Jul/2011:17:53:49 +0200
 ;   start since:          63087
 ;   requests:             12808
 ;   request duration:     1250261
 ;   request method:       GET
 ;   request URI:          /test_mem.php?N=10000
 ;   content length:       0
 ;   user:                 -
 ;   script:               /home/fat/web/docs/php/test_mem.php
 ;   last request cpu:     0.00
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
 ;       It's available in: /usr/share/php/7.4/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set
 ;pm.status_path = /status
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
 ; - create a graph of FPM availability (rrd or such);
 ; - remove a server from a group if it is not responding (load balancing);
 ; - trigger alerts for the operating team (24/7).
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set
 ;ping.path = /ping
 ; This directive may be used to customize the response of a ping request. The
 ; response is formatted as text/plain with a 200 response code.
 ; Default Value: pong
 ;ping.response = pong
 ; The access log file
 ; Default: not set
 ;access.log = log/$pool.access.log
 ; The access log format.
 ; The following syntax is allowed
 ;  %%: the '%' character
 ;  %C: %CPU used by the request
 ;      it can accept the following format:
 ;      - %{user}C for user CPU only
 ;      - %{system}C for system CPU only
 ;      - %{total}C  for user + system CPU (default)
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
 ;      - %{miliseconds}d
 ;      - %{mili}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
 ;      variable. Some exemples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
 ;  %l: content-length of the request (for POST request only)
 ;  %m: request method
 ;  %M: peak of memory allocated by PHP
 ;      it can accept the following format:
 ;      - %{bytes}M (default)
 ;      - %{kilobytes}M
 ;      - %{kilo}M
 ;      - %{megabytes}M
 ;      - %{mega}M
 ;  %n: pool name
 ;  %o: output header
 ;      it must be associated with embraces to specify the name of the header:
 ;      - %{Content-Type}o
 ;      - %{X-Powered-By}o
 ;      - %{Transfert-Encoding}o
 ;      - ....
 ;  %p: PID of the child that serviced the request
 ;  %P: PID of the parent of the child that serviced the request
 ;  %q: the query string
 ;  %Q: the '?' character if query string exists
 ;  %r: the request URI (without the query string, see %q and %Q)
 ;  %R: remote IP address
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
 ;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
 ;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %u: remote user
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
 ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set
 ;slowlog = log/$pool.log.slow
 ; The timeout for serving a single request after which a PHP backtrace will be
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_slowlog_timeout = 0
 ; Depth of slow log stack trace.
 ; Default Value: 20
 ;request_slowlog_trace_depth = 20
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
 ; does not stop script execution for some reason. A value of '0' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_terminate_timeout = 0
 ; The timeout set by 'request_terminate_timeout' ini option is not engaged after
 ; application calls 'fastcgi_finish_request' or when application has finished and
 ; shutdown functions are being called (registered via register_shutdown_function).
 ; This option will enable timeout limit to be applied unconditionally
 ; even in such cases.
 ; Default Value: no
 ;request_terminate_timeout_track_finished = no
 ; Set open file descriptor rlimit.
 ; Default Value: system defined value
 ;rlimit_files = 1024
 ; Set max core size rlimit.
 ; Possible Values: 'unlimited' or an integer greater or equal to 0
 ; Default Value: system defined value
 ;rlimit_core = 0
 ; Chroot to this directory at the start. This value must be defined as an
 ; absolute path. When this value is not set, chroot is not used.
 ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
 ; of its subdirectories. If the pool prefix is not set, the global prefix
 ; will be used instead.
 ; Note: chrooting is a great security feature and should be used whenever
 ;       possible. However, all PHP paths will be relative to the chroot
 ;       (error_log, sessions.save_path, ...).
 ; Default Value: not set
 ;chroot =
 ; Chdir to this directory at the start.
 ; Note: relative path can be used.
 ; Default Value: current directory or / when chroot
 ;chdir = /var/www
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
 ; Note: on highloaded environement, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes
 ; Decorate worker output with prefix and suffix containing information about
 ; the child that writes to the log and if stdout or stderr is used as well as
 ; log level and time. This options is used only if catch_workers_output is yes.
 ; Settings to "no" will output data as written to the stdout or stderr.
 ; Default value: yes
 ;decorate_workers_output = no
 ; Clear environment in FPM workers
 ; Prevents arbitrary environment variables from reaching FPM worker processes
 ; by clearing the environment in workers before env vars specified in this
 ; pool configuration are added.
 ; Setting to "no" will make all environment variables available to PHP code
 ; via getenv(), $_ENV and $_SERVER.
 ; Default Value: yes
 ;clear_env = no
 clear_env = no
 ; Limits the extensions of the main script FPM will allow to parse. This can
 ; prevent configuration mistakes on the web server side. You should only limit
 ; FPM to .php extensions to prevent malicious users to use other extensions to
 ; execute php code.
 ; Note: set an empty value to allow all extensions.
 ; Default Value: .php
 ;security.limit_extensions = .php .php3 .php4 .php5 .php7
 ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
 ; the current environment.
 ; Default Value: clean env
 ;env[HOSTNAME] = $HOSTNAME
 ;env[PATH] = /usr/local/bin:/usr/bin:/bin
 env[PATH]=/usr/local/bin:/usr/bin:/bin
 ;env[TMP] = /tmp
 ;env[TMPDIR] = /tmp
 ;env[TEMP] = /tmp
 ; Additional php.ini defines, specific to this pool of workers. These settings
 ; overwrite the values previously defined in the php.ini. The directives are the
 ; same as the PHP SAPI:
 ;   php_value/php_flag             - you can set classic ini defines which can
 ;                                    be overwritten from PHP call 'ini_set'.
 ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
 ;                                     PHP call 'ini_set'
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
 ; Defining 'extension' will load the corresponding shared extension from
 ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
 ; overwrite previously defined php.ini values, but will append the new value
 ; instead.
 ; Note: path INI options can be relative and will be expanded with the prefix
 ; (pool, global or /usr)
 ; Default Value: nothing is defined by default except the values in php.ini and
 ;                specified at startup with the -d argument
 ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
 ;php_flag[display_errors] = off
 ;php_admin_value[error_log] = /var/log/fpm-php.www.log
 ;php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M
--- a/roles/pbx/templates/asterisk.conf.diff
+++ b/roles/pbx/templates/asterisk.conf.diff
@ -0,0 +1,40 @@
 4c4
 < [www]
 ---
 > [asterisk]
 23c23
 < user = www-data
 ---
 > user = asterisk
 36c36
 < listen = /run/php/php7.4-fpm.sock
 ---
 > listen = /run/php/php-asterisk.sock
 48c48
 < listen.owner = www-data
 ---
 > listen.owner = asterisk
 114c114,115
 < pm.max_children = 5
 ---
 > ;pm.max_children = 5
 > pm.max_children=120
 119c120,121
 < pm.start_servers = 2
 ---
 > ;pm.start_servers = 2
 > pm.start_servers=12
 124c126,127
 < pm.min_spare_servers = 1
 ---
 > ;pm.min_spare_servers = 1
 > pm.min_spare_servers=6
 129c132,133
 < pm.max_spare_servers = 3
 ---
 > ;pm.max_spare_servers = 3
 > pm.max_spare_servers=18
 397a402
 > clear_env = no
 411a417
 > env[PATH]=/usr/local/bin:/usr/bin:/bin
--- a/roles/pbx/templates/asterisk.conf.patch
+++ b/roles/pbx/templates/asterisk.conf.patch
@ -0,0 +1,85 @@
 --- /etc/php/7.4/fpm/pool.d/www.conf	2021-07-01 23:59:48.000000000 -0400
 +++ /etc/php/7.4/fpm/pool.d/asterisk.conf	2021-08-10 05:25:09.808067373 -0400
@@ -1,7 +1,7 @@
 ; Start a new pool named 'www'.
 ; the variable $pool can be used in any directive and will be replaced by the
 ; pool name ('www' here)
 -[www]
 +[asterisk]
 ; Per pool prefix
 ; It only applies on the following directives:
@@ -20,7 +20,7 @@
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
 -user = www-data
 +user = asterisk
 group = www-data
 ; The address on which to accept FastCGI requests.
@@ -33,7 +33,7 @@
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
 -listen = /run/php/php7.4-fpm.sock
 +listen = /run/php/php-asterisk.sock
 ; Set listen(2) backlog.
 ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
@@ -45,7 +45,7 @@
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0660
 -listen.owner = www-data
 +listen.owner = asterisk
 listen.group = www-data
 ;listen.mode = 0660
 ; When POSIX Access Control Lists are supported you can set them using
@@ -111,22 +111,26 @@
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
 -pm.max_children = 5
 +;pm.max_children = 5
 +pm.max_children=120
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
 ; Default Value: (min_spare_servers + max_spare_servers) / 2
 -pm.start_servers = 2
 +;pm.start_servers = 2
 +pm.start_servers=12
 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 -pm.min_spare_servers = 1
 +;pm.min_spare_servers = 1
 +pm.min_spare_servers=6
 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 -pm.max_spare_servers = 3
 +;pm.max_spare_servers = 3
 +pm.max_spare_servers=18
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
@@ -395,6 +399,7 @@
 ; via getenv(), $_ENV and $_SERVER.
 ; Default Value: yes
 ;clear_env = no
 +clear_env = no
 ; Limits the extensions of the main script FPM will allow to parse. This can
 ; prevent configuration mistakes on the web server side. You should only limit
@@ -409,6 +414,7 @@
 ; Default Value: clean env
 ;env[HOSTNAME] = $HOSTNAME
 ;env[PATH] = /usr/local/bin:/usr/bin:/bin
 +env[PATH]=/usr/local/bin:/usr/bin:/bin
 ;env[TMP] = /tmp
 ;env[TMPDIR] = /tmp
 ;env[TEMP] = /tmp
--- a/roles/pbx/templates/freepbx-nginx.conf.j2
+++ b/roles/pbx/templates/freepbx-nginx.conf.j2
@ -0,0 +1,31 @@
 location ~ ^/freepbx(|/.*)$ {    # '~' -> '~*' for case-insensitive regex
    root /var/www/html;
    # root {{ freepbx_install_dir }};    # /var/www/html/freepbx
    # root {{ doc_root }};               # /library/www/html
    # location ~ ^/freepbx {
    #   root  {{ doc_root }};
    # }
    location ~ ^/freepbx(.*)\.php(.*)$ {
        alias {{ freepbx_install_dir }}$1.php$2;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_pass unix:/run/php/php-asterisk.sock;
        include fastcgi_params;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        #fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param HTACCESS on;    # disables FreePBX htaccess warning
    }
    # disallows the things that the FreePBX .htaccess files disallow
    location ~ /freepbx(/\.ht|/\.git|\.ini$|/libraries|/helpers|/i18n|/node|/views/.+php$) {
        deny all;
    }
    # from the api module .htaccess file
    rewrite ^/freepbx/admin/api/([^/]*)/([^/]*)/?(.*)?$ /freepbx/admin/api/api.php?module=$1&command=$2&route=$3 last;
 }
--- a/roles/pbx/templates/freepbx.service
+++ b/roles/pbx/templates/freepbx.service
@ -0,0 +1,17 @@
 [Unit]
 Description=FreePBX VoIP Server
 After=mysql.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/sbin/fwconsole start
 ExecStop=/usr/sbin/fwconsole stop
 ExecStopPost=killall -9 "PM2 v4.5.0: God"
 # 2021-08-10: Asterisk stuff doesn't stop reliably, right after freepbx.yml
 # 'install -n' completes -- hence "Unable to run Pre-Asterisk hooks, because
 # Asterisk is already running" issue when freepbx.service next tries to start
 # it. See pbx/tasks/freepbx.yml workarounds e.g. github.com/iiab/iiab/pull/2915
 [Install]
 WantedBy=multi-user.target
--- a/roles/pbx/templates/freepbx.service.j2
+++ b/roles/pbx/templates/freepbx.service.j2
@ -1,12 +0,0 @@
 [Unit]
 Description=FreePBX VoIP Server
 After=mysql.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/sbin/fwconsole start
 ExecStop=/usr/sbin/fwconsole stop
 [Install]
 WantedBy=multi-user.target
--- a/roles/pbx/templates/odbc.ini.j2
+++ b/roles/pbx/templates/odbc.ini.j2
--- a/roles/pbx/templates/pbx.patch.unused
+++ b/roles/pbx/templates/pbx.patch.unused
--- a/roles/nginx/templates/ports.conf.j2
+++ b/roles/nginx/templates/ports.conf.j2
@ -2,7 +2,14 @@
 # have to change the VirtualHost statement in
 # /etc/apache2/sites-enabled/000-default.conf
-Listen 127.0.0.1:{{ apache_port }}
+# Apache's stock default
 #Listen 80
 # IIAB NGINX proxying to legacy svcs (Dec 2019 - Aug 2021)
 #Listen 127.0.0.1:8090
 # IIAB FreePBX for Asterisk
 Listen {{ pbx_http_port }}
 #<IfModule ssl_module>
 #	Listen 443
--- a/roles/phpmyadmin/tasks/enable-or-disable.yml
+++ b/roles/phpmyadmin/tasks/enable-or-disable.yml
@ -1,9 +1,9 @@
- name: Enable phpMyAdmin via Apache, if phpmyadmin_enabled
+# - name: Enable phpMyAdmin via Apache, if phpmyadmin_enabled
-  command: a2ensite phpmyadmin.conf
+#   command: a2ensite phpmyadmin.conf
-  when: phpmyadmin_enabled
+#   when: phpmyadmin_enabled
-  #when: apache_installed is defined and phpmyadmin_enabled
+#   #when: apache_installed is defined and phpmyadmin_enabled
- name: Disable phpMyAdmin via Apache, if not phpmyadmin_enabled
+# - name: Disable phpMyAdmin via Apache, if not phpmyadmin_enabled
-  command: a2dissite phpmyadmin.conf
+#   command: a2dissite phpmyadmin.conf
-  when: not phpmyadmin_enabled
+#   when: not phpmyadmin_enabled
-  #when: apache_installed is defined and not phpmyadmin_enabled
+#   #when: apache_installed is defined and not phpmyadmin_enabled
--- a/roles/phpmyadmin/tasks/install.yml
+++ b/roles/phpmyadmin/tasks/install.yml
@ -1,17 +1,17 @@
- name: "Set 'apache_install: True' and 'apache_enabled: True'"
+# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
-  set_fact:
+#   set_fact:
-    apache_install: True
+#     apache_install: True
-    apache_enabled: True
+#     apache_enabled: True
-
+#
- name: APACHE - run 'httpd' role
+# - name: APACHE - run 'httpd' role
-  include_role:
+#   include_role:
-    name: httpd
+#     name: httpd
 - name: Unarchive {{ phpmyadmin_dl_url }} (7+ MB) to /opt (60+ MB)
  unarchive:
    remote_src: yes    # Overwrite even if "already exists on the target"
-    src: "{{ phpmyadmin_dl_url }}"    # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.1.0/phpMyAdmin-5.1.0-all-languages.tar.xv
+    src: "{{ phpmyadmin_dl_url }}"    # e.g. https://files.phpmyadmin.net/phpMyAdmin/5.1.1/phpMyAdmin-5.1.1-all-languages.tar.xv
    dest: /opt
    owner: "{{ apache_user }}"    # www-data on debuntu
    group: "{{ apache_user }}"
@ -33,11 +33,11 @@
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"
- name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template
+# - name: Install /etc/{{ apache_conf_dir }}/phpmyadmin.conf from template
-  template:
+#   template:
-    src: phpmyadmin.j2
+#     src: phpmyadmin.j2
-    dest: "/etc/{{ apache_conf_dir }}/phpmyadmin.conf"
+#     dest: "/etc/{{ apache_conf_dir }}/phpmyadmin.conf"
-  #when: apache_installed is defined
+#   #when: apache_installed is defined
 # RECORD phpMyAdmin AS INSTALLED
--- a/roles/phpmyadmin/tasks/main.yml
+++ b/roles/phpmyadmin/tasks/main.yml
@ -19,12 +19,13 @@
    quiet: yes
- name: Install phpMyAdmin if 'phpmyadmin_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
+- name: "INCOMPLETE WITHOUT APACHE AS OF 2021-07-06: Install phpMyAdmin if 'phpmyadmin_installed' not defined, e.g. in {{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: phpmyadmin_installed is undefined
- include_tasks: enable-or-disable.yml
+- name: INCOMPLETE WITHOUT APACHE AS OF 2021-07-06
  include_tasks: enable-or-disable.yml
 - name: Add 'phpmyadmin' variable values to {{ iiab_ini_file }}
--- a/roles/phpmyadmin/templates/phpmyadmin.j2.unused
+++ b/roles/phpmyadmin/templates/phpmyadmin.j2.unused
--- a/roles/postgresql/tasks/install.yml
+++ b/roles/postgresql/tasks/install.yml
@ -3,6 +3,7 @@
    name:
      - postgresql
      - postgresql-client
      - python3-psycopg2    # For Ansible modules {postgresql_db, postgresql_user} in Ansible collection community.postgresql -- used in moodle/tasks/install.yml
    state: present
 - name: Install /etc/systemd/system/postgresql-iiab.service from template (0644 by default)
--- a/roles/usb_lib/tasks/apache.yml.unused
+++ b/roles/usb_lib/tasks/apache.yml.unused
--- a/roles/usb_lib/tasks/install.yml
+++ b/roles/usb_lib/tasks/install.yml
@ -47,13 +47,13 @@
    state: present
  when: is_ubuntu
- name: Add dir {{ doc_root }}/local_content, where USB drive links can appear
+- name: Add dir {{ doc_root }}/local_content, where USB drive links can appear (0775)
  file:
    state: directory
    path: "{{ doc_root }}/local_content"
    owner: "{{ apache_user }}"
    group: "{{ apache_user }}"    # 2020-02-13: changed from iiab_admin_user, after discussion on weekly call (#1228, #2222)
-    mode: '0775'
+    mode: 0775
 - name: 'Install from template: /etc/udev/rules.d/usbmount.rules, /etc/systemd/system/usbmount@.service, /usr/bin/iiab-usb_lib-show-all-on, /usr/bin/iiab-usb_lib-show-all-off, /usr/sbin/iiab-clean-usb.sh'
  template:
@ -81,13 +81,6 @@
    path: /etc/usbmount/mount.d/00_create_model_symlink
    state: absent
 # 2021-03-25: Consider removing this stanza & all of this role's Apache logic!
 - name: Install /etc/{{ apache_conf_dir }}/content_dir.conf from template
  template:
    src: content_dir.conf
    dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
  when: apache_installed is defined
 # RECORD 'USB_LIB' AS INSTALLED
--- a/roles/usb_lib/tasks/main.yml
+++ b/roles/usb_lib/tasks/main.yml
@ -56,13 +56,9 @@
  when: not usb_lib_umask0000_for_kolibri
- name: Enable/Disable/Restart Apache if primary
+- name: Enable/Disable/Restart NGINX
  include_tasks: apache.yml
  when: not nginx_enabled
 - name: Enable/Disable/Restart NGINX if primary
  include_tasks: nginx.yml
-  when: nginx_enabled
+
 # 2021-04-29: Clean up here to catch the already installed users, remove for the next release (PR #2760)
 - name: Remove /etc/usbmount/mount.d/00_create_model_symlink
--- a/roles/www_options/tasks/main.yml
+++ b/roles/www_options/tasks/main.yml
@ -85,6 +85,10 @@
      - { regexp: '^max_input_vars', line: 'max_input_vars = 1000    ; default is 1000 / Moodle 3.11+ requires 5000+ with PHP 8+' }
    when: not nginx_high_php_limits and not moodle_install    # REMINDER: THIS ENTIRE 5-STANZA BLOCK IS ONLY INVOKED... when: moodle_install or nextcloud_install or pbx_install or wordpress_install
  # WARNING: This might cause excess use of RAM/disk or other resources!
  # The first 5 values below were chosen by @ericnitschke and @kananigit on
  # 2018-09-19: https://github.com/iiab/iiab/issues/1147
  # 2020-03-08: IIAB DOES NOT SUPPORT UNINSTALLING APPS, so additional
  # clauses (to reset/restore PHP's defaults) are not necessary at this time.
@ -92,12 +96,7 @@
  # editing /etc/php/{{ php_version }}/cli/php.ini (below) -- though during
  # regular operation it uses:     .../fpm/php.ini
  # And in the past it used:       .../apache2/php.ini
  #
  # SEE ALSO roles/moodle/tasks/install.yml WHERE SIMILAR SURGERY'S DONE TO
  # /etc/php/{{ php_version }}/apache2/php.ini UNTIL MOODLE'S PORTED TO NGINX!
  # WARNING: This might cause excess use of RAM/disk or other resources!
  # The 5 first values below were chosen by @ericnitschke and @kananigit in ~2018.
  - name: "Enact 'nginx_high_php_limits: True' in /etc/php/{{ php_version }}/fpm/php.ini for schools that use WordPress/Moodle/Nextcloud/PBX intensively (allow photos/docs up to 500MB, 300s timeouts, memory_limit = 512M for Nextcloud, max_input_vars = 5000 for Moodle)"
    lineinfile:
      path: /etc/php/{{ php_version }}/fpm/php.ini    # COMPARE /etc/php/{{ php_version }}/cli/php.ini AND /etc/php/{{ php_version }}/apache2/php.ini
--- a/scripts/ansible
+++ b/scripts/ansible
@ -4,7 +4,6 @@
 # https://stackoverflow.com/questions/9952177/whats-the-meaning-of-the-parameter-e-for-bash-shell-command-line/9952249
 # PLZ SEE http://FAQ.IIAB.IO > "What is Ansible and what version should I use?"
 #         https://github.com/iiab/iiab/tree/master/scripts/ansible.md
 #         https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible
 APT_PATH=/usr/bin     # Avoids problematic /usr/local/bin/apt on Linux Mint
@ -149,13 +148,24 @@ fi
 ###echo -e 'ENSURE ANSIBLE UPDATES CLEANLY: (then re-run this script to be sure!)\n'
 ###grep '^deb .*ansible' /etc/apt/sources.list /etc/apt/sources.list.d/*.list | grep -v '^/etc/apt/sources.list.d/iiab-ansible.list:' || true    # Override bash -e (instead of aborting at 1st error)
-echo -e "\napt update; apt install of python3-* / virtualenv packages explained at:"
+echo -e "\napt update; apt install python3-pip    # Also installs 'python3-setuptools' and 'python3' etc"
-echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n"
+#echo -e "https://github.com/iiab/iiab/blob/master/scripts/ansible.md\n"
 $APT_PATH/apt update
 $APT_PATH/apt -y install python3-pip
 # 2021-07-29:
 # 'python3-packaging' dropped for now
 # 'python3-pymysql' (drags in 'python3' which drags in 'python3-venv' on Debian 11 but not on Ubuntu 20.04) -- moved to roles/mysql/tasks/install.yml
 # 'python3-psycopg2' moved to roles/postgresql/tasks/install.yml
 # 'python3-passlib' moved to roles/munin/tasks/install.yml
 # 'python3-venv' moved to roles/2-common/tasks/packages.yml
 # 'virtualenv' for Python 2 moved to roles/kalite/tasks/install.yml
 #
 #$APT_PATH/apt -y install \
 #              python3-pymysql python3-psycopg2 python3-passlib python3-pip \
 #              python3-setuptools python3-packaging python3-venv virtualenv
 #$APT_PATH/apt -y --allow-downgrades install ansible-core \
 $APT_PATH/apt -y install \
              python3-pymysql python3-psycopg2 python3-passlib python3-pip \
              python3-setuptools python3-packaging python3-venv virtualenv
 echo -e "\n\n'pip3 install --upgrade ansible-core' will now run:\n"
 pip3 install --upgrade ansible-core
--- a/scripts/ansible.md.unused
+++ b/scripts/ansible.md.unused
--- a/tests/test.yml
+++ b/tests/test.yml
@ -28,11 +28,11 @@
    #- { role: dokuwiki }
    #- { role: ejabberd }
    #- { role: ejabberd_xs }
-    - { role: elgg }
+    #- { role: elgg }
    - { role: firmware }
    - { role: gitea }
    #- { role: homepage }
-    - { role: httpd }
+    #- { role: httpd }
    #- { role: idmgr }
    - { role: iiab-admin }
    - { role: internetarchive }
--- a/unmaintained-roles.txt
+++ b/unmaintained-roles.txt
@ -6,7 +6,9 @@ docker
 dokuwiki
 ejabberd
 ejabberd_xs
 elgg
 homepage
 httpd
 httpd-enable
 idmgr
 moodle-1.9
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -43,10 +43,6 @@ py3_dist_path: /usr/lib/python3/dist-packages
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 # Languages (for Apache)
 default_language: en
 language_priority: en es fr
 # Real-time clock: RTC chip family.  Future auto-detection plausible?
 rtc_id: none    # Or ds3231 ?  Used in 1-prep/tasks/raspberry_pi.yml
@ -154,9 +150,11 @@ iiab_gateway_enabled: False
 gw_squid_whitelist: False
 gw_block_https: False
 # UNMAINTAINED as of July 2021
 dhcpd_install: False
 dhcpd_enabled: False
 # UNMAINTAINED as of July 2021
 # named (BIND)
 named_install: False
 named_enabled: False
@ -169,17 +167,7 @@ dnsmasq_enabled: True
 # Enable in local_vars.yml AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
-# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
+# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_port: 9090
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Bluetooth PAN access to IIAB server
 bluetooth_install: True
 bluetooth_enabled: False
 bluetooth_term_enabled: False
@ -215,9 +203,6 @@ sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 sshd_port: 22    # Not fully functional.  SEE: roles/sshd/tasks/install.yml
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 openvpn_install: True
 openvpn_enabled: False
 # For /etc/iiab/openvpn_handle
@ -231,6 +216,9 @@ openvpn_server_real_ip: 3.89.148.185
 openvpn_server_virtual_ip: 10.8.0.1
 openvpn_server_port: 1194
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
@ -273,17 +261,6 @@ nginx_high_php_limits: False
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
 # 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Apache is installed on demand as
 # a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX &/or phpMyAdmin
 apache_install: False
 apache_enabled: False
 #
 # NGINX proxies to Apache for legacy IIAB services, using:
 apache_port: 8090
 apache_interface: 127.0.0.1    # 2020-01-13: Var unused
 # 4-SERVER-OPTIONS
@ -292,9 +269,11 @@ apache_interface: 127.0.0.1    # 2020-01-13: Var unused
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 # UNMAINTAINED as of July 2021
 squid_install: False
 squid_enabled: False
 # UNMAINTAINED as of July 2021
 # DansGuardian REQUIRES Squid (above) be installed & enabled.
 # DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
 dansguardian_install: False
@ -349,7 +328,6 @@ idmgr_enabled: False    # 2020-01-23: UNUSED
 # 6-GENERIC-APPS
 # UNMAINTAINED as of September 2020
 azuracast_install: False
 azuracast_enabled: False    # This var is currently IGNORED
 azuracast_http_port: 10080
@ -370,6 +348,7 @@ dokuwiki_url: /dokuwiki
 ejabberd_install: False
 ejabberd_enabled: False
 # UNMAINTAINED as of July 2021
 elgg_install: False
 elgg_enabled: False
 # elgg_mysql_password: $6$iiab51$jeTwnATcbaa92xo0QBTgjLBU.5aVDDrbKeNyyC99R/TAWz6pvfzj.L7lfnOVVjD78nxqT.gkNn6XZmuRV0W3o1
@ -432,17 +411,6 @@ nextcloud_enabled: False
 # Uncomment the following line to end that: (might install an older Nextcloud!)
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
 # If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
 pbx_signaling_ports_chan_sip: 5160:5161
 pbx_signaling_ports_chan_pjsip: 5060
 pbx_data_ports: 10000:20000
 pbx_http_port: 83
 # If using WordPress intensively, set nginx_high_php_limits further above.
 wordpress_install: False
 wordpress_enabled: False
@ -560,15 +528,16 @@ monit_install: False
 monit_enabled: False
 watchdog:
  - sshd
-  - idmgr
+  #- idmgr
-  - ejabberd
+  #- ejabberd
-  - httpd
+  #- httpd
  - postgresql
-  - squid
+  #- squid
 munin_install: False
 munin_enabled: False
 # UNMAINTAINED as of July 2021
 # Handy for maintaining tables, but DANGEROUS if not locked down
 phpmyadmin_install: False
 phpmyadmin_enabled: False
@ -579,6 +548,16 @@ vnstat_enabled: False
 # 9-LOCAL-ADDONS
 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_port: 9090
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Yarn is installed on demand as a
 # dependency -- by Internet Archive
 yarn_install: False
@ -599,7 +578,20 @@ minetest_server_admin: Admin
 minetest_default_game: carbone-ng    # only carbone-ng and minetest are supported
 minetest_flat_world: False
-# Calibre E-Book Library
+# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
 calibreweb_install: False
 calibreweb_enabled: False
 calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 # http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
 # SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
 # ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
 # Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
@ -616,18 +608,19 @@ calibre_port: 8080
 calibre_web_path: calibre  #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
-# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
+# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# program, so we recommend you also install Calibre (above!)
+# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
-
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
-# Calibre-Web alternative to Calibre, offers a clean/modern UX
+# If using PBX intensively, investigate nginx_high_php_limits further above.
-calibreweb_install: False
+pbx_install: False
-calibreweb_enabled: False
+pbx_enabled: False
-calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
+pbx_try_nginx: False    # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
-# http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
+# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
-calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
+asterisk_chan_dongle: False
-calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
+pbx_signaling_ports_chan_sip: 5160:5161
-calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
+pbx_signaling_ports_chan_pjsip: 5060
-calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
+pbx_data_ports: 10000:20000
 pbx_http_port: 83
 # =============================================================================
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -15,10 +15,6 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 # Languages (for Apache)
 default_language: en
 language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 rtc_id: none    # Or ds3231 ?
@ -102,38 +98,14 @@ ports_externally_visible: 3     # ssh + http-or-https + common IIAB services
 # Set True if client machines should have "passthrough" access to WAN/Internet:
 iiab_gateway_enabled: False
 dhcpd_install: False
 dhcpd_enabled: False
 # named (BIND)
 named_install: False
 named_enabled: False
 # dnsmasq - handles DHCP and DNS
 dnsmasq_install: True
 dnsmasq_enabled: True
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
-# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
+# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Bluetooth PAN access to IIAB server
 bluetooth_install: True
 bluetooth_enabled: False
 bluetooth_term_enabled: False
 # UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
 # wondershaper_install: False
 # wondershaper_enabled: False
 # 1-PREP
@ -141,15 +113,15 @@ bluetooth_term_enabled: False
 sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
 openvpn_handle: BIG-sized - Put Your Name Here
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
@ -173,8 +145,6 @@ nginx_high_php_limits: False
 # https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
 # ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
@ -186,14 +156,6 @@ apache_allow_sudo: True
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 squid_install: False
 squid_enabled: False
 # DansGuardian REQUIRES Squid (above) be installed & enabled.
 # DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
 dansguardian_install: False
 dansguardian_enabled: False
 # Common UNIX Printing System (CUPS)
 cups_install: True
 cups_enabled: True
@ -214,42 +176,12 @@ usb_lib_umask0000_for_kolibri: True
 # Lesser-supported XO services need additional testing.  Please contact
 # http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
 # UNMAINTAINED
 # xo_services_install: False
 # xo_services_enabled: False
 # UNMAINTAINED
 # activity_server_install: False
 # activity_server_enabled: False
 # UNMAINTAINED
 # Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
 # ejabberd_xs_install: False
 # ejabberd_xs_enabled: False
 # UNMAINTAINED
 # Change calibre_port from 8080 to 8010 below, if you enable idmgr
 # idmgr_install: False
 # idmgr_enabled: False
 # 6-GENERIC-APPS
 # UNMAINTAINED as of September 2020
 azuracast_install: False
 azuracast_enabled: False    # This var is currently IGNORED.
 # UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
 # dokuwiki_install: False
 # dokuwiki_enabled: False
 # UNMAINTAINED as of November 2019
 # ejabberd_install: False
 # ejabberd_enabled: False
 elgg_install: True
 elgg_enabled: True
 # Gitea (lightweight self-hosted "GitHub") from https://gitea.io
 gitea_install: True
 gitea_enabled: True
@ -289,13 +221,6 @@ nextcloud_enabled: True
 # Uncomment the following line to end that: (might install an older Nextcloud!)
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
 # If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
 # If using WordPress intensively, set nginx_high_php_limits further above.
 wordpress_install: True
 wordpress_enabled: True
@ -367,8 +292,9 @@ monit_enabled: False
 munin_install: True
 munin_enabled: True
 # UNMAINTAINED as of July 2021
 # Handy for maintaining tables, but DANGEROUS if not locked down
-phpmyadmin_install: True
+phpmyadmin_install: False
 phpmyadmin_enabled: False
 vnstat_install: True
@ -377,6 +303,15 @@ vnstat_enabled: True
 # 9-LOCAL-ADDONS
 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Internet Archive Decentralized Web - create your own offline version box:4244
 # (or http://box/archive) arising from digital library https://dweb.archive.org
 internetarchive_install: True
@ -386,7 +321,20 @@ internetarchive_enabled: True
 minetest_install: True
 minetest_enabled: True
-# Calibre E-Book Library
+# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
 calibreweb_install: True
 calibreweb_enabled: True
 calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 # http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"
 # SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
 # ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
 # Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
@ -397,15 +345,12 @@ calibre_port: 8080
 calibre_web_path: calibre  #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
-# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
+# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# program, so we recommend you also install Calibre (above!)
+# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
-
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
-# Calibre-Web alternative to Calibre, offers a clean/modern UX
+# If using PBX intensively, investigate nginx_high_php_limits further above.
-calibreweb_install: True
+pbx_install: False
-calibreweb_enabled: True
+pbx_enabled: False
-calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
+pbx_try_nginx: False    # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
-# http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
+# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
-calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
+asterisk_chan_dongle: False
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -15,10 +15,6 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 # Languages (for Apache)
 default_language: en
 language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 rtc_id: none    # Or ds3231 ?
@ -102,38 +98,14 @@ ports_externally_visible: 3     # ssh + http-or-https + common IIAB services
 # Set True if client machines should have "passthrough" access to WAN/Internet:
 iiab_gateway_enabled: False
 dhcpd_install: False
 dhcpd_enabled: False
 # named (BIND)
 named_install: False
 named_enabled: False
 # dnsmasq - handles DHCP and DNS
 dnsmasq_install: True
 dnsmasq_enabled: True
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
-# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
+# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Bluetooth PAN access to IIAB server
 bluetooth_install: True
 bluetooth_enabled: False
 bluetooth_term_enabled: False
 # UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
 # wondershaper_install: False
 # wondershaper_enabled: False
 # 1-PREP
@ -141,15 +113,15 @@ bluetooth_term_enabled: False
 sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
 openvpn_handle: MEDIUM-sized - Put Your Name Here
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
@ -173,8 +145,6 @@ nginx_high_php_limits: False
 # https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
 # ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
@ -186,14 +156,6 @@ apache_allow_sudo: True
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 squid_install: False
 squid_enabled: False
 # DansGuardian REQUIRES Squid (above) be installed & enabled.
 # DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
 dansguardian_install: False
 dansguardian_enabled: False
 # Common UNIX Printing System (CUPS)
 cups_install: False
 cups_enabled: False
@ -214,42 +176,12 @@ usb_lib_umask0000_for_kolibri: True
 # Lesser-supported XO services need additional testing.  Please contact
 # http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
 # UNMAINTAINED
 # xo_services_install: False
 # xo_services_enabled: False
 # UNMAINTAINED
 # activity_server_install: False
 # activity_server_enabled: False
 # UNMAINTAINED
 # Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
 # ejabberd_xs_install: False
 # ejabberd_xs_enabled: False
 # UNMAINTAINED
 # Change calibre_port from 8080 to 8010 below, if you enable idmgr
 # idmgr_install: False
 # idmgr_enabled: False
 # 6-GENERIC-APPS
 # UNMAINTAINED as of September 2020
 azuracast_install: False
 azuracast_enabled: False    # This var is currently IGNORED.
 # UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
 # dokuwiki_install: False
 # dokuwiki_enabled: False
 # UNMAINTAINED as of November 2019
 # ejabberd_install: False
 # ejabberd_enabled: False
 elgg_install: False
 elgg_enabled: False
 # Gitea (lightweight self-hosted "GitHub") from https://gitea.io
 gitea_install: False
 gitea_enabled: False
@ -289,13 +221,6 @@ nextcloud_enabled: True
 # Uncomment the following line to end that: (might install an older Nextcloud!)
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
 # If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
 # If using WordPress intensively, set nginx_high_php_limits further above.
 wordpress_install: True
 wordpress_enabled: True
@ -367,6 +292,7 @@ monit_enabled: False
 munin_install: False
 munin_enabled: False
 # UNMAINTAINED as of July 2021
 # Handy for maintaining tables, but DANGEROUS if not locked down
 phpmyadmin_install: False
 phpmyadmin_enabled: False
@ -377,6 +303,15 @@ vnstat_enabled: False
 # 9-LOCAL-ADDONS
 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Internet Archive Decentralized Web - create your own offline version box:4244
 # (or http://box/archive) arising from digital library https://dweb.archive.org
 internetarchive_install: False
@ -386,7 +321,20 @@ internetarchive_enabled: False
 minetest_install: False
 minetest_enabled: False
-# Calibre E-Book Library
+# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
 calibreweb_install: True
 calibreweb_enabled: True
 calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 # http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"
 # SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
 # ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
 # Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
@ -397,15 +345,12 @@ calibre_port: 8080
 calibre_web_path: calibre  #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
-# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
+# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# program, so we recommend you also install Calibre (above!)
+# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
-
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
-# Calibre-Web alternative to Calibre, offers a clean/modern UX
+# If using PBX intensively, investigate nginx_high_php_limits further above.
-calibreweb_install: True
+pbx_install: False
-calibreweb_enabled: True
+pbx_enabled: False
-calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
+pbx_try_nginx: False    # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
-# http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
+# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
-calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
+asterisk_chan_dongle: False
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@ -15,10 +15,6 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 # Languages (for Apache)
 default_language: en
 language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 rtc_id: none    # Or ds3231 ?
@ -102,38 +98,14 @@ ports_externally_visible: 3     # ssh + http-or-https + common IIAB services
 # Set True if client machines should have "passthrough" access to WAN/Internet:
 iiab_gateway_enabled: False
 dhcpd_install: False
 dhcpd_enabled: False
 # named (BIND)
 named_install: False
 named_enabled: False
 # dnsmasq - handles DHCP and DNS
 dnsmasq_install: True
 dnsmasq_enabled: True
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
-# Python-based Captive Portal, that @m-anish & @jvonau experimented with in
+# Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Bluetooth PAN access to IIAB server
 bluetooth_install: True
 bluetooth_enabled: False
 bluetooth_term_enabled: False
 # UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382
 # wondershaper_install: False
 # wondershaper_enabled: False
 # 1-PREP
@ -141,15 +113,15 @@ bluetooth_term_enabled: False
 sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
 openvpn_handle: MIN-sized - Put Your Name Here
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
@ -173,8 +145,6 @@ nginx_high_php_limits: False
 # https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
 # ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
@ -186,14 +156,6 @@ apache_allow_sudo: True
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 squid_install: False
 squid_enabled: False
 # DansGuardian REQUIRES Squid (above) be installed & enabled.
 # DansGuardian is NO LONGER AVAILABLE in Debian Buster i.e. since June 2019.
 dansguardian_install: False
 dansguardian_enabled: False
 # Common UNIX Printing System (CUPS)
 cups_install: False
 cups_enabled: False
@ -214,42 +176,12 @@ usb_lib_umask0000_for_kolibri: True
 # Lesser-supported XO services need additional testing.  Please contact
 # http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
 # UNMAINTAINED
 # xo_services_install: False
 # xo_services_enabled: False
 # UNMAINTAINED
 # activity_server_install: False
 # activity_server_enabled: False
 # UNMAINTAINED
 # Please instead consider 'ejabberd' in Stage 6-GENERIC-APPS below
 # ejabberd_xs_install: False
 # ejabberd_xs_enabled: False
 # UNMAINTAINED
 # Change calibre_port from 8080 to 8010 below, if you enable idmgr
 # idmgr_install: False
 # idmgr_enabled: False
 # 6-GENERIC-APPS
 # UNMAINTAINED as of September 2020
 azuracast_install: False
 azuracast_enabled: False    # This var is currently IGNORED.
 # UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056
 # dokuwiki_install: False
 # dokuwiki_enabled: False
 # UNMAINTAINED as of November 2019
 # ejabberd_install: False
 # ejabberd_enabled: False
 elgg_install: False
 elgg_enabled: False
 # Gitea (lightweight self-hosted "GitHub") from https://gitea.io
 gitea_install: False
 gitea_enabled: False
@ -289,13 +221,6 @@ nextcloud_enabled: False
 # Uncomment the following line to end that: (might install an older Nextcloud!)
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # Untested since Ubuntu 18.04, Debian 9 w/ Node.js 10.x.  Experimental on RPi.
 # If using PBX intensively, set nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
 # If using WordPress intensively, set nginx_high_php_limits further above.
 wordpress_install: False
 wordpress_enabled: False
@ -367,6 +292,7 @@ monit_enabled: False
 munin_install: False
 munin_enabled: False
 # UNMAINTAINED as of July 2021
 # Handy for maintaining tables, but DANGEROUS if not locked down
 phpmyadmin_install: False
 phpmyadmin_enabled: False
@ -377,6 +303,15 @@ vnstat_enabled: False
 # 9-LOCAL-ADDONS
 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: True
 captiveportal_enabled: False
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Internet Archive Decentralized Web - create your own offline version box:4244
 # (or http://box/archive) arising from digital library https://dweb.archive.org
 internetarchive_install: False
@ -386,7 +321,20 @@ internetarchive_enabled: False
 minetest_install: False
 minetest_enabled: False
-# Calibre E-Book Library
+# Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
 calibreweb_install: False
 calibreweb_enabled: False
 calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 # http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"
 # SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
 # ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
 # Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
@ -397,15 +345,12 @@ calibre_port: 8080
 calibre_web_path: calibre  #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
-# WARNING: Calibre-Web (below) depends on Calibre's own /usr/bin/ebook-convert
+# A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
-# program, so we recommend you also install Calibre (above!)
+# REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
-
+# INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
-# Calibre-Web alternative to Calibre, offers a clean/modern UX
+# If using PBX intensively, investigate nginx_high_php_limits further above.
-calibreweb_install: False
+pbx_install: False
-calibreweb_enabled: False
+pbx_enabled: False
-calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
+pbx_try_nginx: False    # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
-# http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
+# AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
-calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
+asterisk_chan_dongle: False
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"
--- a/vars/local_vars_olpc.yml.unused
+++ b/vars/local_vars_olpc.yml.unused
--- a/vars/local_vars_unittest.yml
+++ b/vars/local_vars_unittest.yml
@ -0,0 +1,356 @@
 # This is local_vars_unittest.yml -- copy it to /etc/iiab/local_vars.yml then...
 # modify variables below, to override /opt/iiab/iiab/vars/default_vars.yml
 # PLZ READ http://wiki.laptop.org/go/IIAB/local_vars.yml AND http://FAQ.IIAB.IO
 # Orig Idea: branch github.com/xsce/xsce-local for your deployment/community
 # IIAB does NOT currently support uninstalling apps!  So: if any IIAB app is
 # installed with 'APP_XYZ_install: True' below, do NOT later change that.
 # WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz,
 # YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM
 # CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT.  See "wifi_up_down: True" below.
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 rtc_id: none    # Or ds3231 ?
 # Please read more about the 'iiab-admin' Linux user, for login to IIAB's
 # Admin Console (http://box.lan/admin) AND to help you at the command-line:
 # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
 #
 iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
 iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
 iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.
 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: False
 admin_console_enabled: False
 #
 # Set to "False" if you do not want to use the latest js-menus, either because
 # you use WordPress or another home page, or if you prefer the older
 # https://github.com/iiab/iiab-menu (no longer maintained)
 js_menu_install: True
 # IIAB Networking README: https://github.com/iiab/iiab/tree/master/roles/network
 # IIAB Networking Doc: https://github.com/iiab/iiab/wiki/IIAB-Networking
 # Read it offline too: http://box/info > "IIAB Networking"
 iiab_hostname: box
 iiab_domain: lan
 # Homepage: set to /home or /wordpress or /wiki (for MediaWiki)
 iiab_home_url: /home
 # You might also want to set captiveportal_splash_page (below!)
 # WARNING: IF YOU CONNECT YOUR IIAB'S INTERNAL WIFI TO THE INTERNET OVER 5 GHz,
 # YOU'LL PREVENT OLDER LAPTOPS/PHONES/TABLETS (WHICH REQUIRE 2.4 GHz) FROM
 # CONNECTING TO YOUR IIAB'S INTERNAL HOTSPOT.  See "wifi_up_down: True" below.
 #
 # Raspberry Pi OS requires Wi-Fi country since March 2018.  Please set it here:
 host_country_code: US
 host_ssid: unittest
 host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False # 2021-03-02 #2696 WiFi EAPOL fails if hotspot passwords,
 hostapd_password: changeme # eg if firmware wifi_hotspot_capacity_rpi_fix: True
 wifi_hotspot_capacity_rpi_fix: True    # Restores the ability of RPi internal
 # WiFi hotspots to service 30-to-32 client devices.  Background explanation:
 # https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
 wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
 # You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
 # See "How do I set a static IP address?" for Ethernet, in http://FAQ.IIAB.IO
 wan_ip: dhcp       # wan_ip: 192.168.1.99
 wan_netmask:       # wan_netmask: 255.255.255.0
 wan_gateway:       # wan_gateway: 192.168.1.254
 # If nec wan_nameserver can override ISP-provided DNS servers via dnsmasq:
 # /etc/resolv.conf dictates which backend is used for the machine itself, so
 # 127.0.0.1 means you get dnsmasq (so it works right away on RaspiOS) while
 # 127.0.0.53 gives you systemd-networkd (so Ubuntu itself does NOT use this
 # dnsmasq-specified upstream DNS [e.g. wan_nameserver] but its LAN clients do!)
 wan_nameserver:    # wan_nameserver: 192.168.1.254 or 8.8.8.8 or 1.1.1.1
 wan_try_dhcp_before_static_ip: True   # Facilitate field updates w/ cablemodems
 # Enable "campus access" to ~10 common IIAB services like Kiwix (3000), KA Lite
 # (8008) and Calibre (8010 or 8080) etc, on the WAN side of your IIAB server.
 # Only 1 of the 6 lines below should be uncommented:
 #
 #ports_externally_visible: 0    # none
 #ports_externally_visible: 1    # ssh only
 #ports_externally_visible: 2    # ssh + http-or-https (for Admin Console's box.lan/admin too)
 ports_externally_visible: 3     # ssh + http-or-https + common IIAB services
 #ports_externally_visible: 4    # ssh + http-or-https + common IIAB services + Samba
 #ports_externally_visible: 5    # all but databases
 #
 # Or further customize your iptables firewall by editing:
 # /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
 # And then run: cd /opt/iiab/iiab; ./iiab-network
 # Set True if client machines should have "passthrough" access to WAN/Internet:
 iiab_gateway_enabled: False
 # Enable AFTER installing IIAB!  Then run "cd /opt/iiab/iiab; ./iiab-network"
 dns_jail_enabled: False
 # Bluetooth PAN access to IIAB server - for Raspberry Pi - for 4-SERVER-OPTIONS
 bluetooth_install: False
 bluetooth_enabled: False
 bluetooth_term_enabled: False
 # 1-PREP
 # SSHD runs here & also below in 4-SERVER-OPTIONS
 sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
 openvpn_install: True
 openvpn_enabled: True
 # Set /etc/iiab/openvpn_handle in advance here:
 openvpn_handle: unittest - Put Your Name Here
 # IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
 pi_swap_file_size: 1024
 # 2-COMMON
 # /usr/libexec/iiab-startup.sh is much like autoexec.bat & /etc/rc.local
 # It's put in place by 2-common/tasks/iiab-startup.yml at the end of Stage 2.
 # 3-BASE-SERVER
 # roles/mysql runs here (mandatory)
 # For schools that use WordPress/Nextcloud/Moodle/PBX intensively:
 nginx_high_php_limits: False
 # WARNING: Enabling this might cause excess use of RAM/disk or other resources!
 # roles/www_options & roles/moodle FORCE high limits if 'moodle_install: True'
 # REGARDLESS: AFTER INSTALLING IIAB, PLEASE VERIFY THESE 6 SETTINGS...
 # https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml#L53-L133
 # ...ARE SUITABLE FOR YOUR HARDWARE, as saved in: /etc/php/<VERSION>/*/php.ini
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
 # 4-SERVER-OPTIONS
 # SSHD runs here & also above in 1-PREP
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 # Common UNIX Printing System (CUPS)
 cups_install: False
 cups_enabled: False
 # At Your Own Risk: take a security audit seriously before deploying this
 samba_install: False
 samba_enabled: False
 # Show entire contents of USB sticks/drives (at http://box/usb)
 iiab_usb_lib_show_all: True
 # Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so
 # Kolibri can export & import channels to USB sticks/drive:
 usb_lib_umask0000_for_kolibri: True
 # 5-XO-SERVICES
 # Lesser-supported XO services need additional testing.  Please contact
 # http://lists.laptop.org/pipermail/server-devel/ if you're able to help test.
 # 6-GENERIC-APPS
 azuracast_install: False
 azuracast_enabled: False    # This var is currently IGNORED.
 # Gitea (lightweight self-hosted "GitHub") from https://gitea.io
 gitea_install: False
 gitea_enabled: False
 # JupyterHub programming environment with student Notebooks
 jupyterhub_install: False
 jupyterhub_enabled: False
 # Lokole (email for rural communities) from https://ascoderu.ca
 lokole_install: False
 lokole_enabled: False
 mediawiki_install: False
 mediawiki_enabled: False
 # MQTT pub-sub broker for IoT on Raspberry Pi etc
 mosquitto_install: False
 mosquitto_enabled: False
 # Flow-based visual programming for wiring together IoT hardware devices etc
 nodered_install: False
 nodered_enabled: False
 # Store your docs, calendar, contacts & photos on your local server not cloud!
 # If using Nextcloud intensively, set nginx_high_php_limits further above.
 nextcloud_install: False
 nextcloud_enabled: False
 #
 # 2020-02-15: UNUSED at this time.  Legacy remains from Apache:
 # nextcloud_allow_public_ips: True
 #
 # Configuration tips for IPv4 access controls and tuning RAM/resources:
 # https://github.com/iiab/iiab/blob/master/roles/nextcloud/README.md
 #
 # 2020-01-07: If installing IIAB often, download.nextcloud.com may throttle
 # you to ~100 kbit/sec, delaying your IIAB install by an hour or more (#2112).
 # Uncomment the following line to end that: (might install an older Nextcloud!)
 # nextcloud_dl_url: http://d.iiab.io/packages/latest.tar.bz2
 # If using WordPress intensively, set nginx_high_php_limits further above.
 wordpress_install: False
 wordpress_enabled: False
 # 7-EDU-APPS
 # KA Lite - SEE THE "Transmission" BITTORRENT DOWNLOADER FURTHER BELOW, TO INSTALL THOUSANDS OF VIDEOS
 kalite_install: False
 kalite_enabled: False
 kolibri_install: False
 kolibri_enabled: False
 kolibri_language: en    # ar,bg-bg,bn-bd,de,en,es-es,es-419,fa,fr-fr,ff-cm,gu-in,hi-in,it,km,ko,mr,my,nyn,pt-br,sw-tz,te,ur-pk,vi,yo,zh-hans
 # kiwix_install: True is REQUIRED, if you install IIAB's Admin Console
 kiwix_install: False
 kiwix_enabled: False
 # Warning: Moodle is a serious LMS, that takes a while to install.
 moodle_install: False
 moodle_enabled: False
 # If using Moodle intensively, set nginx_high_php_limits further above.
 # Regional OSM vector maps use far less disk space than bitmap/raster versions.
 # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
 osm_vector_maps_install: False
 osm_vector_maps_enabled: False
 # Set to "True" to download .mbtiles files from Archive.org (might be slow!)
 maps_from_internet_archive: False
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
 # 2020-09-22: Both vars WERE IGNORED on Deb 10 (MongoDB) but no longer?  #1437
 sugarizer_install: False
 sugarizer_enabled: False
 # 8-MGMT-TOOLS
 # BitTorrent downloader for large Content Packs etc
 transmission_install: False
 transmission_enabled: False
 # A. UNCOMMENT LANGUAGE(S) TO DOWNLOAD KA Lite VIDEOS TO /library/transmission
 #    using http://pantry.learningequality.org/downloads/ka-lite/0.17/content/
 transmission_kalite_languages:
  #- english
  #- french
  #- hindi
  #- portugal-portuguese
  #- brazilian-portuguese
  #- spanish
  #- swahili
 # B. Monitor BitTorrent downloads at http://box:9091 using Admin/changeme
 #    until the download is confirmed complete (can take hours if not days!)
 # C. Carefully move all videos/thumbnails into /library/ka-lite/content
 #    (DO NOT OVERWRITE SUBFOLDERS assessment, locale, srt !)
 # D. Log in to KA Lite at http://box:8008/updates/videos/ using Admin/changeme
 #    then click "Scan content folder for videos" (can take many minutes!)
 # E. READ "KA Lite Administration: What tips & tricks exist?" AT http://FAQ.IIAB.IO
 awstats_install: False
 awstats_enabled: False
 # 2020-09-22 WARNING: both vars are IGNORED on Debian 10 due to: iiab/iiab#1849
 monit_install: False
 monit_enabled: False
 munin_install: False
 munin_enabled: False
 # UNMAINTAINED as of July 2021
 # Handy for maintaining tables, but DANGEROUS if not locked down
 phpmyadmin_install: False
 phpmyadmin_enabled: False
 vnstat_install: False
 vnstat_enabled: False
 # 9-LOCAL-ADDONS
 # Python-based Captive Portal, that @m-anish & @jvonau experimented with in
 # July 2018 (https://github.com/iiab/iiab/pull/870) and that @georgejhunt
 # extensively later refined (PRs #1179, #1300, #1327, #2070).
 captiveportal_install: False
 captiveportal_enabled: False
 captiveportal_splash_page: /
 # You might also want to set iiab_home_url (above!)
 # In a pinch, disable Captive Portal using instructions in http://FAQ.IIAB.IO
 # Internet Archive Decentralized Web - create your own offline version box:4244
 # (or http://box/archive) arising from digital library https://dweb.archive.org
 internetarchive_install: False
 internetarchive_enabled: False
 # Minetest is an open source clone of the Minecraft building blocks game
 minetest_install: False
 minetest_enabled: False
 # Calibre-Web E-Book Library -- Alternative to Calibre, offers a clean/modern UX
 calibreweb_install: False
 calibreweb_enabled: False
 calibreweb_port: 8083       # PORT VARIABLE HAS NO EFFECT (as of January 2019)
 # http://box/books works.  Add {box/libros, box/livres, box/livros, box/liv} etc?
 calibreweb_url1: /books     # For SHORT URL http://box/books  (English)
 calibreweb_url2: /libros    # For SHORT URL http://box/libros (Spanish)
 calibreweb_url3: /livres    # For SHORT URL http://box/livres (French)
 calibreweb_home: /library/calibre-web    # default_vars.yml uses: "{{ content_base }}/calibre-web"
 # SUGGESTION: Calibre-Web can use Calibre's /usr/bin/ebook-convert program, so
 # ALSO CONSIDER installing Calibre (below, if its graphical bloat is tolerable!)
 # Calibre E-Book Library -- https://calibre-ebook.com
 # WARNING: CALIBRE INSTALLS GRAPHICAL LIBRARIES SIMILAR TO X WINDOWS & OPENGL
 # ON (HEADLESS, SERVER, LITE) OS'S THAT DON'T ALREADY HAVE THESE INSTALLED.
 calibre_install: False
 calibre_enabled: False
 # Change calibre_port to 8010 if you're using XO laptops needing above idmgr ?
 calibre_port: 8080
 # Change calibre to XYZ to add your own mnemonic URL like: http://box/XYZ
 calibre_web_path: calibre  #NEEDS WORK: https://github.com/iiab/iiab/issues/529
 # Avoid URL collisions w/ calibreweb_url1, calibreweb_url2, calibreweb_url3 below!
 # A full-featured PBX (for rural telephony, etc) based on Asterisk and FreePBX.
 # REQUIRES PHP 7.4 e.g. Ubuntu 20.04, Debian 11 -- RaspiOS 11 might also work.
 # INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/pbx#pbx-readme
 # If using PBX intensively, investigate nginx_high_php_limits further above.
 pbx_install: False
 pbx_enabled: False
 pbx_try_nginx: False    # 2021-08-07: PLEASE TRY NGINX INSTEAD OF APACHE,
 # AFTER READING https://github.com/iiab/iiab/issues/2914 AND #2916, THX !
 asterisk_chan_dongle: False