From 853cd445f97857dd3d763974753a43351fa49a20 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Tue, 5 Apr 2022 22:44:13 -0500 Subject: [PATCH 01/14] visual feedback and record in iiab.ini --- roles/remoteit/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/roles/remoteit/tasks/main.yml b/roles/remoteit/tasks/main.yml index c66cd921a..f152c6b52 100644 --- a/roles/remoteit/tasks/main.yml +++ b/roles/remoteit/tasks/main.yml @@ -18,6 +18,9 @@ - include_tasks: enable-or-disable.yml +- name: Find the claim code if blank the machine was registrated + shell: grep claim /etc/remoteit/config.json | rev | cut -d\" -f2 | rev + register: remoteit_claim - name: Add 'remoteit' variable values to {{ iiab_ini_file }} ini_file: @@ -34,3 +37,5 @@ value: "{{ remoteit_install }}" - option: remoteit_enabled value: "{{ remoteit_enabled }}" + - option: remoteit_claim_code + value: "{{ remoteit_claim.stdout }}" From 296e8c20326e16708cddea4359822ec2529c7b44 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Wed, 6 Apr 2022 11:34:03 -0500 Subject: [PATCH 02/14] REGISTRATION_CODE based on https://docs.remote.it/oem-and-bulk-provisioning/registration-into-a-users-account --- roles/remoteit/defaults/main.yml | 1 + roles/remoteit/tasks/enable-or-disable.yml | 8 ++++++++ roles/remoteit/tasks/install.yml | 4 ++++ 3 files changed, 13 insertions(+) diff --git a/roles/remoteit/defaults/main.yml b/roles/remoteit/defaults/main.yml index e4ea3fc46..a98ed97f5 100644 --- a/roles/remoteit/defaults/main.yml +++ b/roles/remoteit/defaults/main.yml @@ -49,3 +49,4 @@ cli_suffixes: x86_64: x86_64 remoteit_cli_suffix: "{{ cli_suffixes[ansible_architecture] | default('unknown') }}" remoteit_cli_url: https://downloads.remote.it/cli/latest/remoteit_linux_{{ remoteit_cli_suffix }} +remoteit_REGISTRATION_CODE: none #eg "592AA9BB-68C8-520A-AACA-6E27654C3DF6" generated in the desktop or web portal 
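Review bot: The claim code pulled out of /etc/remoteit/config.json by the added `shell:` task is copied into `{{ iiab_ini_file }}` by the second hunk (`option: remoteit_claim_code`), so a value that is presumably enough to register the device now lives in a second file whose permissions this patch does not show. Confirm that iiab.ini is readable by root only, or record just whether a claim code exists. The pipeline's exit status is that of the final `rev`, so a missing or reformatted config.json produces an empty value with no failure. The task also reports "changed" on every run; adding `changed_when: false` would fix that. The task name would read better as `Extract claim code from /etc/remoteit/config.json (blank if the device is already registered)`.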
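Review bot: `remoteit_REGISTRATION_CODE: none` in defaults/main.yml is the plain string "none", not a YAML null, so the `when: remoteit_REGISTRATION_CODE is not none` tests added in enable-or-disable.yml and install.yml are true for every host. With the default value, the role therefore writes the word "none" to /etc/remoteit/registration and runs the `sed -i` cleanup on local_vars.yml on every run. Either leave the variable undefined and test `is defined`, or write `remoteit_REGISTRATION_CODE: null` here. The trailing comment should also be separated by two spaces and use a placeholder rather than a realistic-looking code, e.g. `  # e.g. "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX", generated in the desktop app or web portal`.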
diff --git a/roles/remoteit/tasks/enable-or-disable.yml b/roles/remoteit/tasks/enable-or-disable.yml index 41abf0286..a11286463 100644 --- a/roles/remoteit/tasks/enable-or-disable.yml +++ b/roles/remoteit/tasks/enable-or-disable.yml @@ -1,3 +1,7 @@ +- name: Using pre-created REGISTRATION_CODE from desktop or web portal + shell: echo {{ remoteit_REGISTRATION_CODE }} > /etc/remoteit/registration + when: remoteit_REGISTRATION_CODE is not none + - name: Enable & Restart remote.it "parent" service connectd, which exits after spawning 2 "child" services/daemons below systemd: name: connectd @@ -31,6 +35,10 @@ ignore_errors: yes when: not remoteit_enabled +- name: Clean up REGISTRATION_CODE from {{ iiab_local_vars_file }} if used + shell: sed -i '/remoteit_REGISTRATION_CODE/d' {{ iiab_local_vars_file }} + when: remoteit_REGISTRATION_CODE is not none + # - name: Identify remoteit "Remote tcp connection service" unit file name, including uuid, e.g. remoteit@80:00:01:7F:7E:00:56:36.service # shell: ls /etc/systemd/system/multi-user.target.wants/ | grep remoteit@ # register: remoteit_service diff --git a/roles/remoteit/tasks/install.yml b/roles/remoteit/tasks/install.yml index 0747b558e..adc2c2b4e 100644 --- a/roles/remoteit/tasks/install.yml +++ b/roles/remoteit/tasks/install.yml @@ -32,6 +32,10 @@ # apt: # deb: "{{ remoteit_device_url }}" +- name: Going to use pre-created REGISTRATION_CODE from desktop or web portal + shell: mkdir /etc/remoteit || true && touch /etc/remoteit/registration + when: remoteit_REGISTRATION_CODE is not none + - name: Install remote.it Device Package for your CPU/OS, using https://downloads.remote.it/remoteit/install_agent.sh shell: curl -L https://downloads.remote.it/remoteit/install_agent.sh | sh From dcc6615d7209feadef7568fab56bc3aa60df7b3b Mon Sep 17 00:00:00 2001 
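Review bot: `{{ remoteit_REGISTRATION_CODE }}` is interpolated unquoted into a `shell:` command in the first added task, so any whitespace or shell metacharacter in the value from local_vars.yml is interpreted by the shell instead of being written to the file. The redirect also creates /etc/remoteit/registration with umask-default permissions, although it holds an account credential. Writing the file with `copy:` avoids the shell and pins the mode, as sketched below. The same reasoning applies to the `sed -i ... {{ iiab_local_vars_file }}` cleanup task in the second hunk, where `lineinfile:` with an anchored `regexp:` and `state: absent` would do the job. The `mkdir /etc/remoteit || true && touch ...` task in install.yml can likewise become two `file:` tasks.

```yaml
- name: Using pre-created REGISTRATION_CODE from desktop or web portal
  copy:
    content: "{{ remoteit_REGISTRATION_CODE }}\n"
    dest: /etc/remoteit/registration
    owner: root
    group: root
    mode: '0600'    # assumes connectd reads this file as root -- confirm
  # … unchanged: when condition …
```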
From: root Date: Wed, 6 Apr 2022 18:13:05 -0400 Subject: [PATCH 03/14] Allow remote.it license key to be pasted into local_vars.yml --- roles/remoteit/README.md | 31 +++++++++++++++++++++- roles/remoteit/defaults/main.yml | 13 ++++++++- roles/remoteit/tasks/enable-or-disable.yml | 24 ++++++++++++----- roles/remoteit/tasks/install.yml | 22 ++++++++++++--- roles/remoteit/tasks/main.yml | 10 +++---- 5 files changed, 82 insertions(+), 18 deletions(-) diff --git a/roles/remoteit/README.md b/roles/remoteit/README.md index 822d22286..83eb10f60 100644 --- a/roles/remoteit/README.md +++ b/roles/remoteit/README.md @@ -17,7 +17,7 @@ For other approaches, please see http://FAQ.IIAB.IO -> "How can I remotely manag COMPARISON: "The Desktop and [CLI](https://docs.remote.it/software/cli) can [each] support both peer to peer connections and proxy connections [whereas] the Web Portal and API can only support proxy connections" according to https://docs.remote.it/software/device-package/usage -### Generate a remote.it claim code for your IIAB + register it + authorize services/ports +### OPTION #1: Generate a remote.it claim code for your IIAB + register it + authorize services/ports Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_state.yml` (this is the default!) It means that the remote.it [Device Package](https://docs.remote.it/software/device-package) is installed on your IIAB, most important. It also means the _strictly optional_ `/usr/bin/remoteit` [command-line interface (CLI)](https://docs.remote.it/software/cli) is installed, offering [a few more features](https://support.remote.it/hc/en-us/articles/4412786750861-Install-the-remoteit-agent-on-your-device) than the Device Package. 
@@ -83,6 +83,35 @@ Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_s EXAMPLES: Add an SSH Service on port 22 and/or add an HTTP Service on port 80 ([screenshot guide](https://support.remote.it/hc/en-us/articles/360058603991-Configuring-remoteit-Services-on-devices-with-remote-it-Desktop)). +### OPTION #2: Paste your remote.it license key to IIAB + enable it + authorize services/ports + +1. Copy your remote.it account _license key_ from their Desktop Application (https://remote.it/download/) (or from their https://remote.it Web Portal) as shown in this [screenshot](https://docs.remote.it/oem-and-bulk-provisioning/registration-into-a-users-account#3.-user-receives-the-device-and-registers-his-account). + + Paste it into your IIAB's [/etc/iiab/local_vars.yml](https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) as in this example: + + ``` + remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 + ``` + +2. Also set `remoteit_enabled: True` in /etc/iiab/local_vars.yml + +3. If your [IIAB software](https://download.iiab.io/) is not yet installed, do that e.g. by running `sudo iiab` and following any on-screen instructions — until "INTERNET-IN-A-BOX (IIAB) SOFTWARE INSTALL IS COMPLETE" eventually appears on screen. + + When that's complete, skip to Step 5. + +4. If your IIAB software is already installed, make sure your IIAB is online, and then run: + + ``` + cd /opt/iiab/iiab + sudo ./runrole remoteit + ``` + +5. Authorize services/ports (e.g. SSH, HTTP, etc) for your IIAB device, as shown in these [screenshots](https://docs.remote.it/software/device-package/installation#4.-set-up-services-on-your-device). + + SUMMARY: One or more [remote.it "Services"](https://support.remote.it/hc/en-us/articles/360060992631-Services) needs to be authorized (registered) to allow remote access to your IIAB device. 
+ + EXAMPLES: Add an SSH Service on port 22 and/or add an HTTP Service on port 80 ([screenshot guide](https://support.remote.it/hc/en-us/articles/360058603991-Configuring-remoteit-Services-on-devices-with-remote-it-Desktop)). + ### How to I disable remote.it on my IIAB? 1. Run `sudo iiab-remoteit-off` diff --git a/roles/remoteit/defaults/main.yml b/roles/remoteit/defaults/main.yml index a98ed97f5..48a7f0304 100644 --- a/roles/remoteit/defaults/main.yml +++ b/roles/remoteit/defaults/main.yml @@ -49,4 +49,15 @@ cli_suffixes: x86_64: x86_64 remoteit_cli_suffix: "{{ cli_suffixes[ansible_architecture] | default('unknown') }}" remoteit_cli_url: https://downloads.remote.it/cli/latest/remoteit_linux_{{ remoteit_cli_suffix }} -remoteit_REGISTRATION_CODE: none #eg "592AA9BB-68C8-520A-AACA-6E27654C3DF6" generated in the desktop or web portal + +# OPTION #1: Run 'sudo iiab-remoteit' after IIAB is installed. + +# OPTION #2: Pre-populate your remote.it account "license key" (a.k.a. +# R3_REGISTRATION_CODE) in /etc/iiab/local_vars.yml -- e.g. prior to installing +# IIAB -- by using a line like: +# +# remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 +# +# BACKGROUND: You can obtain a license key at https://remote.it or by using +# their Desktop Application (https://remote.it/download/) as shown here: +# https://docs.remote.it/oem-and-bulk-provisioning/registration-into-a-users-account#3.-user-receives-the-device-and-registers-his-account diff --git a/roles/remoteit/tasks/enable-or-disable.yml b/roles/remoteit/tasks/enable-or-disable.yml index db828ec56..6e762952a 100644 --- a/roles/remoteit/tasks/enable-or-disable.yml +++ b/roles/remoteit/tasks/enable-or-disable.yml 
@@ -1,6 +1,20 @@ -- name: Using pre-created REGISTRATION_CODE from desktop or web portal - shell: echo {{ remoteit_REGISTRATION_CODE }} > /etc/remoteit/registration - when: remoteit_REGISTRATION_CODE is not none +- name: Copy OPTIONAL remoteit_license_key, e.g. from /etc/iiab/local_vars.yml to /etc/remoteit/registration, if remoteit_enabled and remoteit_license_key is defined + # shell: echo {{ remoteit_license_key }} > /etc/remoteit/registration + template: + src: registration.j2 + dest: /etc/remoteit/registration + when: remoteit_enabled and remoteit_license_key is defined + +- name: Redact OPTIONAL remoteit_license_key from /etc/iiab/local_vars.yml, if remoteit_enabled and remoteit_license_key is defined + # shell: sed -i '/^remoteit_license_key:/d' {{ iiab_local_vars_file }} + lineinfile: + path: "{{ iiab_local_vars_file }}" + regexp: '^remoteit_license_key:.*' + state: absent + when: remoteit_enabled and remoteit_license_key is defined + +# 2022-04-06 QUESTION: Does connectd (below) delete /etc/remoteit/registration, +# but only after confirming online that the license key is valid? - name: Enable & Restart remote.it "parent" service connectd, which exits after spawning 2 "child" services/daemons below systemd: @@ -35,10 +49,6 @@ ignore_errors: yes when: not remoteit_enabled -- name: Clean up REGISTRATION_CODE from {{ iiab_local_vars_file }} if used - shell: sed -i '/remoteit_REGISTRATION_CODE/d' {{ iiab_local_vars_file }} - when: remoteit_REGISTRATION_CODE is not none - # - name: Identify remoteit "Remote tcp connection service" unit file name, including uuid, e.g. remoteit@80:00:01:7F:7E:00:56:36.service # shell: ls /etc/systemd/system/multi-user.target.wants/ | grep remoteit@ # register: remoteit_service diff --git a/roles/remoteit/tasks/install.yml b/roles/remoteit/tasks/install.yml index 636af2088..3b9df9556 100644 --- a/roles/remoteit/tasks/install.yml +++ b/roles/remoteit/tasks/install.yml 
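Review bot: The new `template:` task writes the license key to /etc/remoteit/registration without `mode:`, so the file gets umask-default permissions even though the next task treats the same key as a credential worth redacting from local_vars.yml. Add `mode: '0600'` (and `owner: root`, assuming connectd reads the file as root), and consider `no_log: true` so the key cannot surface in `--diff` or verbose output. `src: registration.j2` is not in this patch's diffstat and is only created in PATCH 06/14, so this commit on its own presumably fails at that task; adding the template here would keep the series bisectable. Both tasks are skipped when `remoteit_enabled` is false, which leaves a defined key sitting in local_vars.yml; if that is intended, a comment saying so would help. The file continues outside this hunk.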
@@ -24,6 +24,23 @@ purge: yes ignore_errors: yes + +# Speeds things up a bit, deferring online claim code generation if not nec: +# https://docs.remote.it/oem-and-bulk-provisioning/registration-into-a-users-account + +- name: "'mkdir /etc/remoteit' e.g. if your 'remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6' exists in /etc/iiab/local_vars.yml" + file: + state: directory + path: /etc/remoteit + when: remoteit_license_key is defined + +- name: "'touch /etc/remoteit/registration' e.g. if your 'remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6' exists in /etc/iiab/local_vars.yml" + file: + state: touch + path: /etc/remoteit/registration + when: remoteit_license_key is defined + + # - name: "Install Device Package: {{ downloads_dir }}/{{ remoteit_deb }}" # apt: # deb: "{{ downloads_dir }}/{{ remoteit_deb }}" @@ -32,13 +49,10 @@ # apt: # deb: "{{ remoteit_device_url }}" -- name: Going to use pre-created REGISTRATION_CODE from desktop or web portal - shell: mkdir /etc/remoteit || true && touch /etc/remoteit/registration - when: remoteit_REGISTRATION_CODE is not none - - name: Install remote.it Device Package for your CPU/OS, using https://downloads.remote.it/remoteit/install_agent.sh -- this puts a claim code in /etc/remoteit/config.json which is valid for 24h shell: curl -L https://downloads.remote.it/remoteit/install_agent.sh | sh + - name: Install /usr/bin/iiab-remoteit from template -- so IIAB operators can quickly enable remote.it AND generate a new remote.it claim code (in /etc/remoteit/config.json) -- optionally downloading + installing the very latest Device Package (like the 2 steps above) template: src: iiab-remoteit diff --git a/roles/remoteit/tasks/main.yml b/roles/remoteit/tasks/main.yml index f152c6b52..1e1c85230 100644 --- a/roles/remoteit/tasks/main.yml +++ b/roles/remoteit/tasks/main.yml 
@@ -18,9 +18,9 @@ - include_tasks: enable-or-disable.yml -- name: Find the claim code if blank the machine was registrated - shell: grep claim /etc/remoteit/config.json | rev | cut -d\" -f2 | rev - register: remoteit_claim +# - name: Extract claim code from /etc/remoteit/config.json if it exists +# shell: grep claim /etc/remoteit/config.json | rev | cut -d\" -f2 | rev +# register: remoteit_claim_code - name: Add 'remoteit' variable values to {{ iiab_ini_file }} ini_file: @@ -37,5 +37,5 @@ value: "{{ remoteit_install }}" - option: remoteit_enabled value: "{{ remoteit_enabled }}" - - option: remoteit_claim_code - value: "{{ remoteit_claim.stdout }}" + # - option: remoteit_claim_code + # value: "{{ remoteit_claim_code.stdout }}" From a8a6b0318e626c554d23ddacb65d50e37eb340ca Mon Sep 17 00:00:00 2001 From: root Date: Wed, 6 Apr 2022 18:34:33 -0400 Subject: [PATCH 04/14] remoteit/README.md: Clarify OPTION #2 license key approach --- roles/remoteit/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/remoteit/README.md b/roles/remoteit/README.md index 83eb10f60..6c480f98f 100644 --- a/roles/remoteit/README.md +++ b/roles/remoteit/README.md 
@@ -85,7 +85,7 @@ Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_s ### OPTION #2: Paste your remote.it license key to IIAB + enable it + authorize services/ports -1. Copy your remote.it account _license key_ from their Desktop Application (https://remote.it/download/) (or from their https://remote.it Web Portal) as shown in this [screenshot](https://docs.remote.it/oem-and-bulk-provisioning/registration-into-a-users-account#3.-user-receives-the-device-and-registers-his-account). +1. Copy your remote.it account _license key_ from their Desktop Application (https://remote.it/download/) or from their Web Portal (https://remote.it) — as shown in this [screenshot](https://docs.remote.it/oem-and-bulk-provisioning/registration-into-a-users-account#3.-user-receives-the-device-and-registers-his-account). Paste it into your IIAB's [/etc/iiab/local_vars.yml](https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) as in this example: @@ -95,6 +95,8 @@ Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_s 2. Also set `remoteit_enabled: True` in /etc/iiab/local_vars.yml + (And verify that `remoteit_install: True` is set.) + 3. If your [IIAB software](https://download.iiab.io/) is not yet installed, do that e.g. by running `sudo iiab` and following any on-screen instructions — until "INTERNET-IN-A-BOX (IIAB) SOFTWARE INSTALL IS COMPLETE" eventually appears on screen. When that's complete, skip to Step 5. From 2b217b0534087e215dca24a7250e5d18c2bc5450 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 6 Apr 2022 18:51:12 -0400 Subject: [PATCH 05/14] remoteit/README.md: Clarify 'sudo ./runrole remoteit' context & options --- roles/remoteit/README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/remoteit/README.md b/roles/remoteit/README.md index 6c480f98f..ee1b2c8e7 100644 --- a/roles/remoteit/README.md +++ b/roles/remoteit/README.md 
@@ -101,13 +101,22 @@ Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_s When that's complete, skip to Step 5. -4. If your IIAB software is already installed, make sure your IIAB is online, and then run: +4. If your IIAB software is already installed, make sure your IIAB is online. + + Now register your IIAB to your remote.it account (while enabling remote.it on your IIAB device) by running: ``` cd /opt/iiab/iiab sudo ./runrole remoteit ``` + If you also want to reinstall the (latest) remote.it Device Package on your IIAB, you can instead run: + + ``` + cd /opt/iiab/iiab + sudo ./runrole --reinstall remoteit + ``` + 5. Authorize services/ports (e.g. SSH, HTTP, etc) for your IIAB device, as shown in these [screenshots](https://docs.remote.it/software/device-package/installation#4.-set-up-services-on-your-device). SUMMARY: One or more [remote.it "Services"](https://support.remote.it/hc/en-us/articles/360060992631-Services) needs to be authorized (registered) to allow remote access to your IIAB device. From 9e0ffcf5a7b06c3b407d3e740e46910f37f30dea Mon Sep 17 00:00:00 2001 From: root Date: Thu, 7 Apr 2022 10:17:35 -0400 Subject: [PATCH 06/14] Fancier & dancier roles/remoteit --- roles/remoteit/README.md | 2 +- roles/remoteit/tasks/install.yml | 30 ++++++++++++++--- roles/remoteit/templates/iiab-remoteit | 41 ++++++++++++++++++++---- roles/remoteit/templates/registration.j2 | 1 + vars/default_vars.yml | 2 ++ vars/local_vars_large.yml | 2 ++ vars/local_vars_medium.yml | 2 ++ vars/local_vars_small.yml | 2 ++ vars/local_vars_unittest.yml | 2 ++ 9 files changed, 71 insertions(+), 13 deletions(-) create mode 100644 roles/remoteit/templates/registration.j2 diff --git a/roles/remoteit/README.md b/roles/remoteit/README.md index ee1b2c8e7..8bba5ee40 100644 --- a/roles/remoteit/README.md +++ b/roles/remoteit/README.md 
@@ -23,7 +23,7 @@ Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_s 1. Run `sudo iiab-remoteit` to enable remote.it on your IIAB. - Hit `[Enter]` twice if you want to quickly generate a new claim code for your IIAB. + Hit `[Enter]` (repeatedly if necessary, to accept all defaults) if you want to quickly generate a new claim code for your IIAB. (The claim code is put in `/etc/remoteit/config.json` and must be used [within 24 hours](https://docs.remote.it/device-package/installation#2.-update-your-package-manager-and-install).) diff --git a/roles/remoteit/tasks/install.yml b/roles/remoteit/tasks/install.yml index 3b9df9556..da9c1a594 100644 --- a/roles/remoteit/tasks/install.yml +++ b/roles/remoteit/tasks/install.yml @@ -17,6 +17,8 @@ # 2022-04-03: Unfort still necessary, as their install_agent.sh below uses apt # with 'install -y' instead of '-y reinstall' or '-y --reinstall install' +# FWIW: Some remoteit.*.deb installers also work with '-y --allow-downgrades install' +# (e.g. *.amd64.deb) but others (e.g. both *.rpi.deb) do not. - name: Purge previously installed 'remoteit*' Device Package(s) apt: name: remoteit* 
@@ -28,17 +30,27 @@ # Speeds things up a bit, deferring online claim code generation if not nec: # https://docs.remote.it/oem-and-bulk-provisioning/registration-into-a-users-account -- name: "'mkdir /etc/remoteit' e.g. if your 'remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6' exists in /etc/iiab/local_vars.yml" +# - name: "'mkdir /etc/remoteit' e.g. if your 'remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6' exists in /etc/iiab/local_vars.yml" +# file: +# state: directory +# path: /etc/remoteit +# when: remoteit_license_key is defined + +# - name: "'touch /etc/remoteit/registration' e.g. if your 'remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6' exists in /etc/iiab/local_vars.yml" +# file: +# state: touch +# path: /etc/remoteit/registration +# when: remoteit_license_key is defined + +- name: "'mkdir /etc/remoteit'" file: state: directory path: /etc/remoteit - when: remoteit_license_key is defined -- name: "'touch /etc/remoteit/registration' e.g. if your 'remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6' exists in /etc/iiab/local_vars.yml" +- name: "'touch /etc/remoteit/registration' to block generation of claim code below, also speeding things up a bit" file: state: touch path: /etc/remoteit/registration - when: remoteit_license_key is defined # - name: "Install Device Package: {{ downloads_dir }}/{{ remoteit_deb }}" 
@@ -49,10 +61,18 @@ # apt: # deb: "{{ remoteit_device_url }}" -- name: Install remote.it Device Package for your CPU/OS, using https://downloads.remote.it/remoteit/install_agent.sh -- this puts a claim code in /etc/remoteit/config.json which is valid for 24h +# - name: Install remote.it Device Package for your CPU/OS, using https://downloads.remote.it/remoteit/install_agent.sh -- this puts a claim code in /etc/remoteit/config.json which is valid for 24h +- name: Install remote.it Device Package for your CPU/OS, using https://downloads.remote.it/remoteit/install_agent.sh shell: curl -L https://downloads.remote.it/remoteit/install_agent.sh | sh +- name: "'rm /etc/remoteit/registration' (empty file used just above)" + file: + state: absent + path: /etc/remoteit/registration + ignore_errors: yes # In case a future version of install_agent.sh deletes it for us + + - name: Install /usr/bin/iiab-remoteit from template -- so IIAB operators can quickly enable remote.it AND generate a new remote.it claim code (in /etc/remoteit/config.json) -- optionally downloading + installing the very latest Device Package (like the 2 steps above) template: src: iiab-remoteit diff --git a/roles/remoteit/templates/iiab-remoteit b/roles/remoteit/templates/iiab-remoteit index d529be39b..816d43f6c 100755 --- a/roles/remoteit/templates/iiab-remoteit +++ b/roles/remoteit/templates/iiab-remoteit 
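Review bot: The `ignore_errors: yes` on the new `'rm /etc/remoteit/registration'` task is unnecessary and hides real failures, because `file: state: absent` already succeeds when the path is missing. A genuine failure would leave the empty registration file in place, which, per the comment this series adds to iiab-remoteit, stops connectd from creating config.json. Drop the line, or at least write it as `ignore_errors: true`. The install task renamed in this hunk still runs `curl -L https://downloads.remote.it/remoteit/install_agent.sh | sh` with no integrity check, and without `-f` or pipefail an HTTP error body or a truncated download is handed straight to `sh`, while a failed `curl` still lets the task pass. Fetching the script with `get_url:` (with a pinned `checksum:` if the vendor publishes one) and then executing the local file would make failures visible and the input auditable; as a minimum use `curl -fL`.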
@@ -9,14 +9,26 @@ # 2022-04-03: SEE ALSO roles/remoteit/templates/iiab-remote.old -echo -e "\nhttps://remote.it can help you remotely manage this IIAB. Summary:\n" +echo -e "\nhttps://remote.it can help you remotely manage this IIAB.\n" + +echo -e "Let's generate a claim code and enable it. Documentation:\n" echo -e "https://github.com/iiab/iiab/blob/master/roles/remoteit/README.md\n" -echo -en "\e[1mTo proceed we will delete /etc/remoteit/config.json, Ok? [Y/n]\e[0m " -read ans < /dev/tty # Strips outer whitespace, whether we like it or not! -echo -[[ $ans = "n" ]] || [[ $ans = "N" ]] && exit 1 +if [ -f /etc/remoteit/config.json ]; then + echo -en "\e[1mTo proceed we will delete /etc/remoteit/config.json, Ok? [Y/n]\e[0m " + read ans < /dev/tty # Strips outer whitespace, whether we like it or not! + echo + [[ $ans = "n" ]] || [[ $ans = "N" ]] && exit 1 +fi + +# Explanation below, on lines 65-72 +if [ -f /etc/remoteit/registration ]; then + echo -en "\e[1mTo proceed we will delete /etc/remoteit/registration, Ok? [Y/n]\e[0m " + read ans < /dev/tty # Strips outer whitespace, whether we like it or not! + echo + [[ $ans = "n" ]] || [[ $ans = "N" ]] && exit 1 +fi echo -e "\nThis IIAB must be online to begin!\n" 
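Review bot: Both prompts say the file will be deleted ("To proceed we will delete /etc/remoteit/registration, Ok?"), but the later hunk of this patch renames config.json and registration to timestamped copies instead, so the operator is told something the script does not do. Reword the prompts to say "move aside", or actually remove the files. The comment `# Explanation below, on lines 65-72` hard-codes line numbers that will drift with the next edit; point at the content instead, e.g. `# See the "/etc/remoteit/registration" notes above 'systemctl start connectd' below`. The two prompt blocks are identical apart from the path and could share a small helper function.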
@@ -41,8 +53,23 @@ else systemctl stop connectd # "Safer" (though it's generally exited already!) - # '|| true' overrides 'bash -e' so script continues if config.json missing - mv /etc/remoteit/config.json /etc/remoteit/config.json.$(date +%F_%T_%Z) || true + # If someone manually deleted the dir, this blocks generation of claim code + [ ! -d /etc/remoteit ] && + mkdir /etc/remoteit + + [ -f /etc/remoteit/config.json ] && + mv /etc/remoteit/config.json /etc/remoteit/config.json.$(date +%F_%T_%Z) + [ -f /etc/remoteit/registration ] && + mv /etc/remoteit/registration /etc/remoteit/registration.$(date +%F_%T_%Z) + + # /etc/remoteit/registration is deleted above, but just FYI if it existed: + # + # 1) If /etc/remoteit/registration exists and is empty, connectd (below) + # will not create /etc/remoteit/config.json + # 2) If /etc/remoteit/registration contains an invalid license key, connectd + # (below) will create /etc/remoteit/config.json WITH a claim code. + # 3) If /etc/remoteit/registration contains a valid license key, connectd + # (below) will create /etc/remoteit/config.json WITHOUT a claim code. systemctl start connectd # Claim Code logic + kickstarts 2 svcs below # /usr/share/remoteit/refresh.sh does the same thing (or close) as per: diff --git a/roles/remoteit/templates/registration.j2 b/roles/remoteit/templates/registration.j2 new file mode 100644 index 000000000..774abae03 --- /dev/null +++ b/roles/remoteit/templates/registration.j2 @@ -0,0 +1 @@ +{{ remoteit_license_key }} diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 80808c308..a617b4ae5 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
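Review bot: `mv /etc/remoteit/registration /etc/remoteit/registration.$(date +%F_%T_%Z)` keeps a copy of the license key on disk after every run, and nothing in this hunk removes those copies or restricts their permissions. That undercuts the effort elsewhere in the series to keep the key out of local_vars.yml. If a backup of the key is not needed, use `rm -f /etc/remoteit/registration`; otherwise `chmod 600` the renamed file and prune old copies. The comment `/etc/remoteit/registration is deleted above` should say "moved aside above" to match the code. `[ ! -d /etc/remoteit ] && mkdir /etc/remoteit` can simply be `mkdir -p /etc/remoteit`. The script continues outside this hunk.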
@@ -213,6 +213,8 @@ sshd_port: 22 # Not fully functional. SEE: roles/sshd/tasks/install.yml # INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/remoteit remoteit_install: True remoteit_enabled: False +# OPTION #1: Run 'sudo iiab-remoteit' later. OPTION #2: Set this now: +# remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security openvpn_install: True diff --git a/vars/local_vars_large.yml b/vars/local_vars_large.yml index 1135c715b..6478638c3 100644 --- a/vars/local_vars_large.yml +++ b/vars/local_vars_large.yml @@ -128,6 +128,8 @@ sshd_enabled: True # INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/remoteit remoteit_install: True remoteit_enabled: False +# OPTION #1: Run 'sudo iiab-remoteit' later. OPTION #2: Set this now: +# remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security openvpn_install: True diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index fde1c39a5..6c56bf89e 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -128,6 +128,8 @@ sshd_enabled: True # INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/remoteit remoteit_install: True remoteit_enabled: False +# OPTION #1: Run 'sudo iiab-remoteit' later. OPTION #2: Set this now: +# remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security openvpn_install: True diff --git a/vars/local_vars_small.yml b/vars/local_vars_small.yml index 50d8b0d79..a3c7ed0bc 100644 --- a/vars/local_vars_small.yml +++ b/vars/local_vars_small.yml 
@@ -128,6 +128,8 @@ sshd_enabled: True # INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/remoteit remoteit_install: True remoteit_enabled: False +# OPTION #1: Run 'sudo iiab-remoteit' later. OPTION #2: Set this now: +# remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security openvpn_install: True diff --git a/vars/local_vars_unittest.yml b/vars/local_vars_unittest.yml index 7808c109a..48226893a 100644 --- a/vars/local_vars_unittest.yml +++ b/vars/local_vars_unittest.yml @@ -128,6 +128,8 @@ sshd_enabled: True # INSTRUCTIONS: https://github.com/iiab/iiab/tree/master/roles/remoteit remoteit_install: True remoteit_enabled: False +# OPTION #1: Run 'sudo iiab-remoteit' later. OPTION #2: Set this now: +# remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 # SECURITY WARNING: https://wiki.iiab.io/go/Security openvpn_install: True From 9181a4e04d014ed6f73d1780bf470d644de21ec8 Mon Sep 17 00:00:00 2001 From: root Date: Thu, 7 Apr 2022 11:43:32 -0400 Subject: [PATCH 07/14] enable-or-disable.yml: Clarify connectd doesn't delete /etc/remoteit/registration --- roles/remoteit/tasks/enable-or-disable.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/remoteit/tasks/enable-or-disable.yml b/roles/remoteit/tasks/enable-or-disable.yml index 6e762952a..c32e79b9a 100644 --- a/roles/remoteit/tasks/enable-or-disable.yml +++ b/roles/remoteit/tasks/enable-or-disable.yml @@ -13,8 +13,7 @@ state: absent when: remoteit_enabled and remoteit_license_key is defined -# 2022-04-06 QUESTION: Does connectd (below) delete /etc/remoteit/registration, -# but only after confirming online that the license key is valid? +# 2022-04-07 FYI: connectd (below) never deletes /etc/remoteit/registration - name: Enable & Restart remote.it "parent" service connectd, which exits after spawning 2 "child" services/daemons below systemd: From 1df563d2a99002f151302a922b7bc04cee1a0fbc Mon Sep 17 00:00:00 2001 
From: root Date: Thu, 7 Apr 2022 23:44:00 -0400 Subject: [PATCH 08/14] /usr/bin/iiab-remoteit tries license key first; claim code if nec --- roles/remoteit/README.md | 19 ++- roles/remoteit/tasks/enable-or-disable.yml | 5 +- roles/remoteit/templates/iiab-remoteit | 143 ++++++++++++++------- 3 files changed, 112 insertions(+), 55 deletions(-) diff --git a/roles/remoteit/README.md b/roles/remoteit/README.md index 8bba5ee40..681e25b29 100644 --- a/roles/remoteit/README.md +++ b/roles/remoteit/README.md 
@@ -8,25 +8,30 @@ For other approaches, please see http://FAQ.IIAB.IO -> "How can I remotely manag ## Getting Started -### Create a remote.it account + install its desktop application +### Create a remote.it account + consider its desktop application 1. Browse to [https://remote.it](https://remote.it) (Web Portal) and sign up for an account. -2. Download and install the remote.it [desktop application](https://remote.it/download/) (e.g. for Windows, macOS or Linux) on your own laptop/computer. Their https://remote.it Web Portal and [mobile apps](https://docs.remote.it/introduction/get-started/readme#installation-packages) are also sometimes sufficient, but less functional. +2. Consider downloading and installing the remote.it [desktop application](https://remote.it/download/) (e.g. for Windows, macOS or Linux) on your own laptop/computer. Their https://remote.it Web Portal and [mobile apps](https://docs.remote.it/introduction/get-started/readme#installation-packages) are also sometimes sufficient, but less functional. COMPARISON: "The Desktop and [CLI](https://docs.remote.it/software/cli) can [each] support both peer to peer connections and proxy connections [whereas] the Web Portal and API can only support proxy connections" according to https://docs.remote.it/software/device-package/usage ### OPTION #1: Generate a remote.it claim code for your IIAB + register it + authorize services/ports + -Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_state.yml` (this is the default!) It means that the remote.it [Device Package](https://docs.remote.it/software/device-package) is installed on your IIAB, most important. It also means the _strictly optional_ `/usr/bin/remoteit` [command-line interface (CLI)](https://docs.remote.it/software/cli) is installed, offering [a few more features](https://support.remote.it/hc/en-us/articles/4412786750861-Install-the-remoteit-agent-on-your-device) than the Device Package. 
+Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_state.yml` (this is the default!) This means that the remote.it [Device Package](https://docs.remote.it/software/device-package) is installed on your IIAB, most important. It also means the _strictly optional_ `/usr/bin/remoteit` [command-line interface (CLI)](https://docs.remote.it/software/cli) is installed, offering [a few more features](https://support.remote.it/hc/en-us/articles/4412786750861-Install-the-remoteit-agent-on-your-device) than the Device Package. 1. Run `sudo iiab-remoteit` to enable remote.it on your IIAB. - Hit `[Enter]` (repeatedly if necessary, to accept all defaults) if you want to quickly generate a new claim code for your IIAB. + Hit `[Enter]` if this is a fresh install, to quickly generate a claim code for your IIAB. (The claim code is put in `/etc/remoteit/config.json` and must be used [within 24 hours](https://docs.remote.it/device-package/installation#2.-update-your-package-manager-and-install).) + NOTE: If a remote.it license key is found in `/etc/iiab/local_vars.yml` or `/etc/remoteit/registration`, that will be tried first (prior to generating a claim code). + + *If the license key works, you will not get a claim code, as the IIAB device auto-registers to your remote.it account (skip to Step 3. below).* + -Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_state.yml` (this is the default!) This means that the remote.it [Device Package](https://docs.remote.it/software/device-package) is installed on your IIAB, most important. It also means the _strictly optional_ `/usr/bin/remoteit` [command-line interface (CLI)](https://docs.remote.it/software/cli) is installed, offering [a few more features](https://support.remote.it/hc/en-us/articles/4412786750861-Install-the-remoteit-agent-on-your-device) than the Device Package. +Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_state.yml` (this is the default!) 
This means that the remote.it [Device Package](https://docs.remote.it/software/device-package) is already installed on your IIAB, most important. It also means the _strictly optional_ `/usr/bin/remoteit` [command-line interface (CLI)](https://docs.remote.it/software/cli) is installed, offering [a few more features](https://support.remote.it/hc/en-us/articles/4412786750861-Install-the-remoteit-agent-on-your-device) than the Device Package. 1. Run `sudo iiab-remoteit` to enable remote.it on your IIAB. @@ -98,15 +98,17 @@ Prerequisite: Find any IIAB with `remoteit_installed: True` in `/etc/iiab/iiab_s remoteit_license_key: 592AA9BB-XXXX-YYYY-ZZZZ-6E27654C3DF6 ``` + _FYI to protect your credential, the above line will promptly be redacted (removed) from your /etc/iiab/local_vars.yml — after the key is copied to_ `/etc/remoteit/registration` _in Step 3. or 4. below._ + 2. Also set `remoteit_enabled: True` in /etc/iiab/local_vars.yml (And verify that `remoteit_install: True` is set.) -3. If your [IIAB software](https://download.iiab.io/) is not yet installed, do that e.g. by running `sudo iiab` and following any on-screen instructions — until "INTERNET-IN-A-BOX (IIAB) SOFTWARE INSTALL IS COMPLETE" eventually appears on screen. +3. If your [IIAB software](https://download.iiab.io/) is _not_ yet installed, do that e.g. by running `sudo iiab` and following any on-screen instructions — until "INTERNET-IN-A-BOX (IIAB) SOFTWARE INSTALL IS COMPLETE" eventually appears on screen. When that's complete, skip to Step 5. -4. If your IIAB software is already installed, make sure your IIAB is online. +4. If your IIAB software _is_ already installed, make sure your IIAB is online. Now register the IIAB device to your remote.it account, by running `sudo iiab-remoteit` (this also enables remote.it on your IIAB).