Merge pull request #1226 from holta/iiab-admin-cleaner

(1) iiab-admin role variables (2) alerts of pi & iiab-admin published passwords (3) introduce iiab_env_file (4) service_filelist | iiab_config_file -> iiab_ini_file

roles/0-init/defaults/main.yml

@@ -1,4 +1,4 @@
-# Use these to tag a release at a point in time, for /etc/iiab/iiab.env
+# Use these to tag a release at a point in time, for {{ iiab_env_file }}
 iiab_base_ver: 6.7
 iiab_revision: 0
 

roles/0-init/tasks/iiab_ini.yml

@@ -1,12 +1,12 @@
-# workaround for fact that auto create does not work on ini_file
+# workaround for fact that auto create does not work on iiab_ini_file (/etc/iiab/iiab.ini)
-- name: Create /etc/iiab/iiab.ini (iiab_config_file)
+- name: Create {{ iiab_ini_file }}
   file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     state: touch
 
 - name: Add location section to config file
   ini_file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     section: location
     option: "{{ item.option }}"
     value: "{{ item.value }}"
@@ -16,9 +16,9 @@
     - option: iiab_dir
       value: "{{ iiab_dir }}"
 
-- name: Add version section
+- name: Add 'version' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     section: version
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/0-init/tasks/main.yml

@@ -2,7 +2,7 @@
 
 - name: ...IS BEGINNING ============================================
   stat:
-    path: /etc/iiab/iiab.env
+    path: "{{ iiab_env_file }}"
   register: NewInstall
 
 - name: Setting first run flag
@@ -165,9 +165,9 @@
   include_tasks: hostname.yml
   when: FQDN_changed
 
-- name: Add 'runtime' section alongside list of services at /etc/iiab/iiab.ini
+- name: Add 'runtime' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     section: runtime
     option: "{{ item.option }}"
     value: "{{ item.value }}"
@@ -209,13 +209,9 @@
     - option: FQDN_changed
       value:  "{{ FQDN_changed }}"
 
-#- name: Now changing FQDN
+- name: Add 'runtime' variable 'is_VM' value if defined, to {{ iiab_ini_file }}
-#  include_tasks: hostname.yml
-#  when: FQDN_changed
-
-- name: STAGE 0 HAS COMPLETED ======================================
   ini_file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     section: runtime
     option: "{{ item.option }}"
     value: "{{ item.value }}"
@@ -223,3 +219,6 @@
     - option: is_VM
       value:  "yes"
   when: is_VM is defined
+
+- name: STAGE 0 HAS COMPLETED ======================================
+  meta: noop

roles/1-prep/tasks/main.yml

@@ -111,7 +111,7 @@
 - name: Recording STAGE 1 HAS COMPLETED ============================
   template:
     src: roles/1-prep/templates/iiab.env.j2
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     owner: root
     group: root
     mode: 0644

roles/1-prep/templates/iiab-network-reset

@@ -38,8 +38,8 @@ echo "/etc/resolv.conf"
 cat /etc/resolv.conf
 echo
 echo "=========================================================="
-echo "cat /etc/iiab/iiab.ini"
+echo "cat {{ iiab_ini_file }}"
-cat /etc/iiab/iiab.ini
+cat {{ iiab_ini_file }}
 echo
 echo "=========================================================="
 echo "routing table"

roles/1-prep/templates/iiab_env.py.j2

@@ -4,7 +4,7 @@
 def get_iiab_env(name):
    """ read iiab.env file for a value, return "" if does not exist"""
    try:
-      fd = open("/etc/iiab/iiab.env","r")
+      fd = open("{{ iiab_env_file }}","r")
       for line in fd:
          line = line.lstrip()
          line = line.rstrip('\n')

roles/2-common/tasks/main.yml

@@ -89,7 +89,7 @@
 
 - name: Recording STAGE 2 HAS COMPLETED ==========================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=2'
     state: present

roles/2-common/templates/iiab-startup.sh

@@ -15,7 +15,7 @@ fi
 if [[ $(grep -i raspbian /etc/*release) &&
         #($(grep "hostapd_enabled = False" /etc/iiab/config_vars.yml) ||
             #((! $(grep "hostapd_enabled = True" /etc/iiab/config_vars.yml)) &&
-                 ! $(grep "^HOSTAPD_ENABLED=True" /etc/iiab/iiab.env) ]];
+                 ! $(grep "^HOSTAPD_ENABLED=True" {{ iiab_env_file }}) ]];
                  # NEGATED LOGIC HELPS FORCE PROMISCUOUS MODE EARLY IN INSTALL
                  # (when network/tasks/main.yml hasn't yet populated iiab.env)
 

roles/3-base-server/tasks/main.yml

@@ -3,7 +3,7 @@
 - name: ...IS BEGINNING =====================================
   command: echo
 
-- name: HTTPD
+- name: HTTPD (APACHE)
   include_role:
     name: httpd
   # has no "when: XXXXX_install" flag
@@ -23,7 +23,7 @@
 
 - name: Recording STAGE 3 HAS COMPLETED =====================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=3'
     state: present

roles/4-server-options/tasks/main.yml

@@ -78,7 +78,7 @@
 
 - name: Recording STAGE 4 HAS COMPLETED ==================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=4'
     state: present

roles/5-xo-services/tasks/main.yml

@@ -23,7 +23,7 @@
 
 - name: Recording STAGE 5 HAS COMPLETED =====================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=5'
     state: present

roles/6-generic-apps/tasks/main.yml

@@ -47,7 +47,7 @@
 
 - name: Recording STAGE 6 HAS COMPLETED ====================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=6'
     state: present

roles/7-edu-apps/tasks/main.yml

@@ -47,7 +47,7 @@
 
 - name: Recording STAGE 7 HAS COMPLETED ========================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=7'
     state: present

roles/8-mgmt-tools/tasks/main.yml

@@ -59,7 +59,7 @@
 
 - name: Recording STAGE 8 HAS COMPLETED ======================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=8'
     state: present

roles/9-local-addons/tasks/main.yml

@@ -17,7 +17,7 @@
 
 - name: Recording STAGE 9 HAS COMPLETED ====================
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^STAGE=*'
     line: 'STAGE=9'
     state: present

roles/activity-server/tasks/main.yml

@@ -117,7 +117,7 @@
            state=restarted
 
 - name: add xs-activity-server to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=activity-server
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/ajenti/tasks/main.yml

@@ -48,7 +48,7 @@
   when: ajenti_enabled
 
 - name: Add ajenti to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=ajenti
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/authserver/tasks/main.yml

@@ -51,7 +51,7 @@
   when: authserver_enabled
 
 - name: add xs-authserver to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=xs-authserver
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/awstats/tasks/main.yml

@@ -1,9 +1,9 @@
 - include_tasks: install.yml
   when: awstats_install
 
-- name: Add 'awstats' to list of services at /etc/iiab/iiab.ini
+- name: Add 'awstats' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: awstats
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/calibre-web/tasks/main.yml

@@ -122,9 +122,9 @@
     name: "{{ apache_service }}"    # httpd or apache2
     state: restarted
 
-- name: Add 'calibre-web' to list of services at /etc/iiab/iiab.ini
+- name: Add 'calibre-web' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: calibre-web
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/calibre/tasks/main.yml

@@ -132,9 +132,9 @@
     name: "{{ apache_service }}"
     state: reloaded
 
-- name: Add 'calibre' to list of services at /etc/iiab/iiab.ini
+- name: Add 'calibre' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: calibre
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/cups/tasks/main.yml

@@ -64,9 +64,9 @@
     enabled: no
   when: not cups_enabled and is_F18
 
-- name: Add 'cups' to list of services at /etc/iiab/iiab.ini
+- name: Add 'cups' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: cups
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/docker/tasks/main.yml

@@ -41,7 +41,7 @@
   when: not docker_enabled
 
 - name: add docker to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=docker
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/dokuwiki/tasks/main.yml

@@ -2,9 +2,9 @@
   include_tasks: install.yml
   when: dokuwiki_install
 
-- name: Add 'dokuwiki' to list of services at /etc/iiab/iiab.ini
+- name: Add 'dokuwiki' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: dokuwiki
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/elgg/tasks/main.yml

@@ -138,9 +138,9 @@
     state: absent
   when: not elgg_enabled and is_redhat
 
-- name: Add 'elgg' to list of services at /etc/iiab/iiab.ini
+- name: Add 'elgg' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: elgg
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/httpd/tasks/html.yml

@@ -59,9 +59,9 @@
   with_fileglob:
     - html/services/*
 
-- name: Create symlink from assets to /etc/iiab/iiab.ini
+- name: Create symlink from assets to {{ iiab_ini_file }}
   file:
-    src: "/etc/iiab/iiab.ini"
+    src: "{{ iiab_ini_file }}"
     dest: "{{ doc_root }}/common/assets/iiab.ini"
     owner: root
     group: root

roles/httpd/templates/refresh-wiki-docs.sh

@@ -3,7 +3,7 @@
 # Pull down repo's entire wiki (and similar) to create offline docs
 
 set -e
-source /etc/iiab/iiab.env
+source {{ iiab_env_file }}
 INPUT=/tmp/iiab-wiki
 OUTPUT=/tmp/iiab-wiki.out
 DESTPATH=/library/www/html/info

roles/idmgr/tasks/main.yml

@@ -80,7 +80,7 @@
              line=allowsftp
 
 - name: Add idmgr to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=idmgr
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/iiab-admin/defaults/main.yml

@@ -1,5 +1,21 @@
----
+# Must keep roles/0-init/defaults/main.yml sync'd ?  (Seems no longer true as of 2018-10-15)
-# must keep roles/0-once/defaults/main.yml sync'd
-# The values here are defaults.
 
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+iiab_admin_user_install: True
+# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# Linux user that has sudo access, for login to Admin Console http://box/admin
+
+# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content (ISN'T {{ apache_user }} MORE APPROPRIATE?)
 iiab_admin_user: iiab-admin
+
+# For live checks/alerts of published pwds
+iiab_admin_published_pwd: g0adm1n
+
+# Password hash to override above, if Ansible creates above user:
+iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
+# Obtain a password hash - NEW MORE SECURE WAY:
+#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
+# Obtain a password hash - OLD WAY:
+#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'

roles/iiab-admin/tasks/admin-user.yml

@@ -1,7 +1,7 @@
-- name: Create iiab-admin user and password
+- name: Create user {{ iiab_admin_user }} for Admin Console; set password from hardcoded hash if newly creating account
   user:
     name: "{{ iiab_admin_user }}"
-    password: "{{ iiab_admin_passw_hash }}"
+    password: "{{ iiab_admin_pwd_hash }}"
     update_password: on_create
     shell: /bin/bash
 
@@ -16,7 +16,7 @@
     state: present
   when: is_redhat
 
-- name: Add user to wheel group
+- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
   user:
     name: "{{ iiab_admin_user }}"
     groups: wheel,sudo

roles/iiab-admin/tasks/main.yml

@@ -1,15 +1,15 @@
 - include_tasks: admin-user.yml
   tags:
     - base
-  when: admin_install
+  when: iiab_admin_user_install
 
 - include_tasks: access.yml
   tags:
     - base
 
-- name: Add 'iiab-admin' to list at /etc/iiab/iiab.ini
+- name: Add 'iiab-admin' to list at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: iiab-admin
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/iiab-admin/templates/lxde_ssh_warn.sh

@@ -1,22 +1,32 @@
 #!/bin/bash
+
+function check_user_pwd() {
+    # $meth (hashing method) is typically '6' which implies 5000 rounds
+    # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
+    meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
+    salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
+    hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
+    [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
+}
+
 # credit to the folks at raspberry pi foundatioon
-check_hash ()
+check_hash () {
-{
    if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
    if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
-   test -x /usr/bin/mkpasswd || return 0
+   #test -x /usr/bin/mkpasswd || return 0
-   SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
+   #SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
-   test -n "${SHADOW}" || return 0
+   #test -n "${SHADOW}" || return 0
-   if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
+   #if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
-   SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
+   #SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
-   if [ "$SHADOW_PW" != "\$6\$iiab51\$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop." ]; then return 0 ; fi
+   #if [ "$SHADOW_PW" != "\$6\$iiab51\$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop." ]; then return 0 ; fi
-
+   #if echo "${SHADOW}" | grep -q "${HASH}"; then
-   if echo "${SHADOW}" | grep -q "${HASH}"; then
+   if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
-	zenity --warning --text="SSH is enabled and the default password for the 'iiab-admin' user has not been changed.\nThis is a security risk - please go to the iiab-console and use utilities-> change password   to set a new password."
+       zenity --warning --text="SSH is enabled and the published password for user 'iiab-admin' is in use.\nTHIS IS A SECURITY RISK - please change its password using IIAB's Admin Console (http://box/admin) -> Utilities -> Change Password."
    fi
 }
 
-if service ssh status | grep -q running; then
+#if service ssh status | grep -q running; then
-	check_hash
+#    check_hash
-fi
+#fi
+systemctl is-active {{ sshd_service }} > /dev/null && check_hash
 unset check_hash

roles/iiab-admin/templates/profile_ssh_warn.sh

@@ -1,19 +1,28 @@
 #!/bin/bash
-# credit to the folks at raspberry pi foundatioon
-check_hash ()
-{
-   if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
-   if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
-   SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
-   test -n "${SHADOW}" || return 0
-   if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
-   SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
-   if [ "$SHADOW_PW" != '{{ iiab_admin_passw_hash }}' ]; then return 0 ; fi
 
-		echo
+function check_user_pwd() {
-		echo "SSH is enabled and the default password for the 'iiab-admin' user is unchanged."
+    # $meth (hashing method) is typically '6' which implies 5000 rounds
-		echo "This is a security risk - please login as the 'iiab-admin' user and type 'passwd' to change password."
+    # of SHA-512 per /etc/login.defs -> /etc/pam.d/common-password
-		echo
+    meth=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f2)
+    salt=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f3)
+    hash=$(sudo grep "^$1:" /etc/shadow | cut -d: -f2 | cut -d$ -f4)
+    [ $(python3 -c "import crypt; print(crypt.crypt('$2', '\$$meth\$$salt'))") == "\$$meth\$$salt\$$hash" ]
+}
+
+# credit to the folks at raspberry pi foundatioon
+check_hash () {
+    if ! id -u iiab-admin > /dev/null 2>&1 ; then return 0 ; fi
+    if grep -q "^PasswordAuthentication\s*no" /etc/ssh/sshd_config ; then return 0 ; fi
+    #SHADOW="$(sudo -n grep -E '^iiab-admin:' /etc/shadow 2>/dev/null)"
+    #test -n "${SHADOW}" || return 0
+    #if echo $SHADOW | grep -q "iiab-admin:!" ; then return 0 ; fi
+    #SHADOW_PW=$(echo $SHADOW | cut -d: -f2)
+    #if [ "$SHADOW_PW" != '{{ iiab_admin_pwd_hash }}' ]; then return 0 ; fi
+    if check_user_pwd "iiab-admin" "{{ iiab_admin_published_pwd }}"; then
+        echo -e "\nSSH is enabled and the published password for user 'iiab-admin' is in use."
+        echo -e "THIS IS A SECURITY RISK - please log in as user 'iiab-admin' and run 'passwd'"
+        echo -e "to change its password.\n"
+    fi
 }
 
 systemctl is-active {{ sshd_service }} > /dev/null && check_hash

roles/kalite/tasks/main.yml

@@ -36,9 +36,9 @@
 
 - include_tasks: enable.yml
 
-- name: Add 'kalite' to list of services at /etc/iiab/iiab.ini
+- name: Add 'kalite' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: kalite
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/kiwix/tasks/kiwix_install.yml

@@ -149,9 +149,9 @@
 
 # 5. FINALIZE
 
-- name: Add 'kiwix' to list of services at /etc/iiab/iiab.ini
+- name: Add 'kiwix' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: kiwix
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/kiwix/templates/iiab-make-kiwix-lib.py

@@ -29,13 +29,13 @@ if not IIAB_PATH in sys.path:
 from iiab_env import get_iiab_env
 
 # Config Files
-# iiab_config_file should be in /etc/iiab/iiab.env
+# iiab_ini_file should be in {{ iiab_env_file }} (/etc/iiab/iiab.env) ?
-iiab_config_file = "{{ iiab_config_file }}" # nominally /etc/iiab/iiab.ini
+iiab_ini_file = "{{ iiab_ini_file }}" # nominally /etc/iiab/iiab.ini
-# iiab_config_file = "/etc/iiab/iiab.ini" # comment out after testing
+# iiab_ini_file = "/etc/iiab/iiab.ini" # comment out after testing
 
 IIAB_INI = get_iiab_env('IIAB_INI') # future
 if IIAB_INI:
-    iiab_config_file = IIAB_INI
+    iiab_ini_file = IIAB_INI
 
 # Variables that should be read from config file
 # All of these variables will be read from config files and recomputed in init()
@@ -187,7 +187,7 @@ def init():
     global kiwix_manage
 
     config = ConfigParser.SafeConfigParser()
-    config.read(iiab_config_file)
+    config.read(iiab_ini_file)
     iiab_base_path = config.get('location','iiab_base')
     zim_path = config.get('kiwix','iiab_zim_path')
     kiwix_library_xml = config.get('kiwix','kiwix_library_xml')

roles/kolibri/tasks/main.yml

@@ -80,9 +80,9 @@
     state: stopped
   when: not kolibri_enabled
 
-- name: Add 'kolibri' to list of services at /etc/iiab/iiab.ini
+- name: Add 'kolibri' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: kolibri
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/mediawiki/tasks/install.yml

@@ -85,9 +85,9 @@
     name: "{{ apache_service }}"
     state: restarted
 
-- name: Add 'mediawiki' to list of services at /etc/iiab/iiab.ini
+- name: Add 'mediawiki' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: mediawiki
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/mongodb/tasks/main.yml

@@ -60,9 +60,9 @@
 #    state: stopped
 #  when: not mongodb_enabled
 
-- name: Add 'mongodb' to list of services at /etc/iiab/iiab.ini
+- name: Add 'mongodb' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: mongodb
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/monit/tasks/main.yml

@@ -45,9 +45,9 @@
 #- name: Restart monit service
 #  command: service monit restart
 
-- name: Add 'monit' to list of services at /etc/iiab/iiab.ini
+- name: Add 'monit' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: monit
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/moodle-1.9/moodle/tasks/main.yml

@@ -76,7 +76,7 @@
   register: moodlepw
 
 - name: add moodle to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=moodle
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/moodle/tasks/main.yml

@@ -155,9 +155,9 @@
     path: "{{ moodle_base }}/config.php"
     mode: 0644
 
-- name: Add 'moodle' to list of services at /etc/iiab/iiab.ini
+- name: Add 'moodle' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: moodle
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/munin/tasks/main.yml

@@ -84,9 +84,9 @@
     - /usr/share/munin/plugins/mysql_threads
   when: mysql_enabled
 
-- name: Add 'munin' to list of services at /etc/iiab/iiab.ini
+- name: Add 'munin' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: munin
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/mysql/tasks/main.yml

@@ -133,9 +133,9 @@
         state: stopped
       when: not mysql_enabled
 
-    - name: Add 'mysql' to list of services at /etc/iiab/iiab.ini
+    - name: Add 'mysql' to list of services at {{ iiab_ini_file }}
       ini_file:
-        dest: "{{ service_filelist }}"
+        dest: "{{ iiab_ini_file }}"
         section: mysql
         option: "{{ item.option }}"
         value: "{{ item.value }}"

roles/network/tasks/computed_network.yml

@@ -172,9 +172,9 @@
     iiab_wan_iface: "none"
   when: adapter_count.stdout|int >= "5" and device_gw == "none" and gui_wan_iface == "unset" and gui_static_wan is defined
 
-- name: Record IIAB_WAN_DEVICE to /etc/iiab/iiab.env
+- name: Record IIAB_WAN_DEVICE to {{ iiab_env_file }}
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^IIAB_WAN_DEVICE=*'
     line: 'IIAB_WAN_DEVICE="{{ iiab_wan_iface }}"'
     state: present
@@ -182,9 +182,9 @@
   tags:
     - network
 
-- name: Record IIAB_LAN_DEVICE to /etc/iiab/iiab.env
+- name: Record IIAB_LAN_DEVICE to {{ iiab_env_file }}
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^IIAB_LAN_DEVICE=*'
     line: 'IIAB_LAN_DEVICE="{{ iiab_lan_iface }}"'
     state: present
@@ -192,9 +192,9 @@
   tags:
     - network
 
-- name: Add 'computed_network' variable values to /etc/iiab/iiab.ini
+- name: Add 'computed_network' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     section: computed_network
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/network/tasks/computed_services.yml

@@ -49,9 +49,9 @@
     dhcp_service2: "dnsmasq disabled"
   when: dnsmasq_install and iiab_network_mode == "Appliance"
 
-- name: Add 'network' variable values (from computed_services.yml) to /etc/iiab/iiab.ini
+- name: Add 'network' variable values (from computed_services.yml) to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     section: network
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/network/tasks/detected_network.yml

@@ -1,5 +1,5 @@
 - name: iiab_wan_device
-  shell: grep IIAB_WAN_DEVICE /etc/iiab/iiab.env | awk -F "=" '{print $2}'
+  shell: grep IIAB_WAN_DEVICE {{ iiab_env_file }} | awk -F "=" '{print $2}'
   when: iiab_stage|int > 4
   register: prior_gw
 
@@ -188,9 +188,9 @@
     gui_wan_iface: "{{ device_gw }}"
   when: user_wan_iface == "auto" and device_gw != "none" and discovered_wan_iface == "none"
 
-- name: Add 'detected_network' variable values to /etc/iiab/iiab.ini
+- name: Add 'detected_network' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_config_file }}"
+    dest: "{{ iiab_ini_file }}"
     section: detected_network
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/network/tasks/enable_services.yml

@@ -79,7 +79,7 @@
 
 - name: Create xs_httpcache flag
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^HTTPCACHE_ON=*'
     line: 'HTTPCACHE_ON=True'
     state: present
@@ -121,7 +121,7 @@
 
 - name: Remove xs_httpcache flag
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^HTTPCACHE_ON=*'
     line: 'HTTPCACHE_ON=False'
     state: present
@@ -150,9 +150,9 @@
   with_items:
    - { 0: 'gateway/iiab-gen-iptables', 1: '/usr/bin/iiab-gen-iptables' }
 
-- name: Add 'squid' to list of services at /etc/iiab/iiab.ini
+- name: Add 'squid' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: squid
     option: "{{ item.option }}"
     value: "{{ item.value }}"
@@ -160,9 +160,9 @@
     - option: enabled
       value: "{{ squid_enabled }}"
 
-- name: Add 'dansguardian' to list of services at /etc/iiab/iiab.ini
+- name: Add 'dansguardian' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: dansguardian
     option: "{{ item.option }}"
     value: "{{ item.value }}"
@@ -170,9 +170,9 @@
     - option: enabled
       value: "{{ dansguardian_enabled }}"
 
-- name: Add 'wondershaper' to list of services at /etc/iiab/iiab.ini
+- name: Add 'wondershaper' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: wondershaper
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/network/tasks/hostapd.yml

@@ -55,9 +55,9 @@
     enabled: yes
   when: hostapd_enabled and iiab_wireless_lan_iface is defined and iiab_network_mode != "Appliance"
 
-- name: Record HOSTAPD_ENABLED to /etc/iiab/iiab.env
+- name: Record HOSTAPD_ENABLED to {{ iiab_env_file }}
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: '^HOSTAPD_ENABLED=*'
     line: 'HOSTAPD_ENABLED={{ hostapd_enabled }}'
     state: present

roles/network/tasks/main.yml

@@ -11,7 +11,7 @@
     no_net_restart: True      # used below in (1) sysd-netd-debian.yml,
                               # (2) debian.yml, (3) rpi_debian.yml
   when: discovered_wireless_iface == iiab_wan_iface and not reboot_to_AP
-# EITHER WAY: hostapd_enabled's state is RECORDED into /etc/iiab/iiab.env
+# EITHER WAY: hostapd_enabled's state is RECORDED into {{ iiab_env_file }}
 # in hostapd.yml for later use by...
 # /usr/libexec/iiab-startup.sh, iiab-hotspot-off & iiab-hotspot-on
 #

roles/network/tasks/squid.yml

@@ -83,9 +83,9 @@
   when: dansguardian_install
 
 # {{ proxy }} is normally "squid", but is "squid3" on raspbian-8 & debian-8
-- name: Add '{{ proxy }}' to list of services at /etc/iiab/iiab.ini
+- name: Add '{{ proxy }}' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: "{{ proxy }}"
     option: "{{ item.option }}"
     value: "{{ item.value }}"
@@ -97,9 +97,9 @@
     - option: enabled
       value: "{{ squid_enabled }}"
 
-- name: Add 'dansguardian' variable values to /etc/iiab/iiab.ini
+- name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: dansguardian
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/network/tasks/wondershaper.yml

@@ -38,9 +38,9 @@
     group: root
     state: link
 
-- name: Add 'wondershaper' variable values to /etc/iiab/iiab.ini
+- name: Add 'wondershaper' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: wondershaper
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/network/templates/gateway/iiab-gen-iptables

@@ -1,5 +1,5 @@
 #!/bin/bash -x
-source /etc/iiab/iiab.env
+source {{ iiab_env_file }}
 {% if is_debuntu %}
 IPTABLES=/sbin/iptables
 IPTABLES_DATA=/etc/iptables.up.rules
@@ -9,7 +9,7 @@ IPTABLES_DATA=/etc/sysconfig/iptables
 {% endif %}
 LANIF=$IIAB_LAN_DEVICE
 WANIF=$IIAB_WAN_DEVICE
-MODE=`grep iiab_network_mode_applied /etc/iiab/iiab.ini | gawk '{print $3}'`
+MODE=`grep iiab_network_mode_applied {{ iiab_ini_file }} | gawk '{print $3}'`
 
 clear_fw() {
 $IPTABLES -F

roles/network/templates/network/iiab-hotspot-off

@@ -16,4 +16,4 @@ if grep -qi raspbian /etc/*release; then
     ip link set dev wlan0 promisc on
 fi
 
-sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" /etc/iiab/iiab.env
+sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" {{ iiab_env_file }}

roles/network/templates/network/iiab-hotspot-on

@@ -17,6 +17,6 @@ if grep -qi raspbian /etc/*release; then
     ip link set dev wlan0 promisc off
 fi
 
-sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=True/" /etc/iiab/iiab.env
+sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=True/" {{ iiab_env_file }}
 
 echo -e "\nPlease consider rebooting now.\n"

roles/nextcloud/tasks/main.yml

@@ -162,9 +162,9 @@
 # following enables and disables
 - include_tasks: nextcloud_enabled.yml
 
-- name: Add 'nextcloud' to list of services at /etc/iiab/iiab.ini
+- name: Add 'nextcloud' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: Nextcloud
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/nodogsplash/tasks/rpi.yml

@@ -52,9 +52,9 @@
     state: stopped
   when: not nodogsplash_enabled
 
-- name: Add 'nodogsplash' to list of services at /etc/iiab/iiab.ini
+- name: Add 'nodogsplash' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: nodogsplash
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/openvpn/tasks/main.yml

@@ -206,9 +206,9 @@
 #  when: not openvpn_enabled and not installing
 
 
-- name: Add 'openvpn' to list of services at /etc/iiab/iiab.ini
+- name: Add 'openvpn' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: openvpn
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/openvpn/templates/announcer.j2

@@ -19,10 +19,10 @@ if [ -f /etc/iiab/openvpn_handle ]; then
 
 #else
 #    # Option #3: Dangerous to invoke hypothetical variables :(
-#    source /etc/iiab/iiab.env
+#    source {{ iiab_env_file }}
-#    # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from /etc/iiab/iiab.ini, but safer now that relegated to #4 ?
+#    # Option #4: CAUSED FAILURES IN AUGUST 2018, invoking stale variable from {{ iiab_ini_file }}, but safer now that relegated to #4 ?
 #    if [ -z "$HANDLE" ]; then
-#        HANDLE=`cat /etc/iiab/iiab.ini | gawk \
+#        HANDLE=`cat {{ iiab_ini_file }} | gawk \
 #        '{ if((toupper($1) == "HANDLE") && ($2 == "=")) { print $3;}}'`
 #    fi
 fi

roles/osm/tasks/main.yml

@@ -174,9 +174,9 @@
     name: "{{ apache_service }}"
     state: restarted
 
-- name: Add 'osm' to list of services at /etc/iiab/iiab.ini
+- name: Add 'osm' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: osm
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/owncloud/tasks/main.yml

@@ -106,7 +106,7 @@
   when: owncloud_enabled
 
 - name: Add owncloud to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=owncloud
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/pathagar/tasks/main.yml

@@ -193,9 +193,9 @@
     name: "{{ apache_service }}"
     state: reloaded
 
-- name: Add 'pathagar' to list of services at /etc/iiab/iiab.ini
+- name: Add 'pathagar' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: pathagar
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/phpmyadmin/tasks/main.yml

@@ -65,9 +65,9 @@
     state: absent
   when: not phpmyadmin_enabled and is_debuntu
 
-- name: Add 'phpmyadmin' to list of services at /etc/iiab/iiab.ini
+- name: Add 'phpmyadmin' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: phpmyadmin
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/postgresql/tasks/main.yml

@@ -93,9 +93,9 @@
     enabled: no
   when: not postgresql_enabled
 
-- name: Add 'postgresql' to list of services at /etc/iiab/iiab.ini
+- name: Add 'postgresql' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: postgresql
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/rachel/tasks/main.yml

@@ -24,7 +24,7 @@
   when: rachel_enabled and rachel_content_found
 
 - name: Add rachel to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=rachel
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/samba/tasks/main.yml

@@ -71,9 +71,9 @@
     - samba
   when : not samba_enabled
 
-- name: Add 'samba' to list of services at /etc/iiab/iiab.ini
+- name: Add 'samba' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: samba
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/schooltool/tasks/main.yml

@@ -56,7 +56,7 @@
   when: not schooltool_enabled
 
 - name: add schooltool to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=schooltool
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/sugar-stats/tasks/main.yml

@@ -41,7 +41,7 @@
 - include_tasks: statistics-consolidation.yml
 
 - name: Add sugar-stats to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=sugar_stats
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/sugarizer/tasks/main.yml

@@ -228,9 +228,9 @@
 #    state: stopped
 #  when: not sugarizer_enabled
 
-- name: Add 'sugarizer' to list of services at /etc/iiab/iiab.ini
+- name: Add 'sugarizer' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: sugarizer
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/teamviewer/tasks/main.yml

@@ -9,7 +9,7 @@
   when: teamviewer_install
 
 - name: Add teamviewer to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=teamviewer
             option='{{ item.option }}'
             value='{{ item.value }}'

roles/transmission/tasks/main.yml

@@ -54,9 +54,9 @@
     state: stopped
   when: not transmission_enabled
 
-- name: Add transmission to list of services at /etc/iiab/iiab.ini
+- name: Add transmission to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: transmission
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/usb-lib/tasks/main.yml

@@ -3,7 +3,7 @@
     dest: "{{ doc_root }}/local_content"
     state: directory
     owner: "{{ apache_user }}"
-    group: "{{ iiab_admin_user }}"
+    group: "{{ iiab_admin_user }}"    # ISN'T "{{ apache_user }}" MORE APPROPRIATE?
     mode: 0775
 
 - name: Copy mount file to usbmount when enabled
@@ -55,7 +55,7 @@
 
 - name: Put variable in iiab.env that enables display of content at root of USB
   lineinfile:
-    dest: /etc/iiab/iiab.env
+    dest: "{{ iiab_env_file }}"
     regexp: "^IIAB_USB_LIB_SHOW_ALL.*"
     line: "IIAB_USB_LIB_SHOW_ALL={{ iiab_usb_lib_show_all }}"
 
@@ -87,7 +87,7 @@
 
 - name: Add usb-lib to service list
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: usb-lib
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/usb-lib/templates/iiab-usb-lib-show-all-off

@@ -1,5 +1,5 @@
 #!/bin/bash
 # turn on the flag which registers new USB sticks at root directory
 
-sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=False/' /etc/iiab/iiab.env
+sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=False/' {{ iiab_env_file }}
 

roles/usb-lib/templates/iiab-usb-lib-show-all-on

@@ -1,5 +1,5 @@
 #!/bin/bash
 # turn on the flag which registers new USB sticks at root directory
 
-sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=True/' /etc/iiab/iiab.env
+sed -i -e's/^IIAB_USB_LIB_SHOW_ALL.*/IIAB_USB_LIB_SHOW_ALL=True/' {{ iiab_env_file }}
 

roles/usb-lib/templates/mount.d/70-usb-library

@@ -9,7 +9,7 @@
 #
 # by Tim Moody tim@timmoody.com
 
-source /etc/iiab/iiab.env
+source {{ iiab_env_file }}
 case $IIAB_USB_LIB_SHOW_ALL in
 'True'|'true'|'TRUE')
    logger -p user.notice -t "70-usb-library" -- "Displaying root directory on $UM_MOUNTPOINT."

roles/vnstat/tasks/main.yml

@@ -29,9 +29,9 @@
     enabled: yes
     state: started
 
-- name: Add 'vnstat' to list of services at /etc/iiab/iiab.ini
+- name: Add 'vnstat' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: vnstat
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/wordpress/tasks/install.yml

@@ -135,9 +135,9 @@
     name: "{{ apache_service }}"
     state: restarted
 
-- name: Add 'wordpress' to list of services at /etc/iiab/iiab.ini
+- name: Add 'wordpress' to list of services at {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ service_filelist }}"
+    dest: "{{ iiab_ini_file }}"
     section: wordpress
     option: "{{ item.option }}"
     value: "{{ item.value }}"

roles/xovis/tasks/main.yml

@@ -82,7 +82,7 @@
   when: xovis_enabled
 
 - name: Add xovis to service list
-  ini_file: dest='{{ service_filelist }}'
+  ini_file: dest='{{ iiab_ini_file }}'
             section=xovis
             option='{{ item.option }}'
             value='{{ item.value }}'

vars/default_vars.yml

@@ -5,11 +5,12 @@
 
 # By convention we use True/False to indicate boolean constants.
 
-# Installation Constants
+# Configuration Files
-content_base: "/library"
+iiab_local_vars_file: /etc/iiab/local_vars.yml
-#doc_base: "/var"
+iiab_env_file: /etc/iiab/iiab.env
-doc_base: "{{ content_base }}/www"
+iiab_ini_file: /etc/iiab/iiab.ini
-doc_root: "{{ doc_base }}/html"
+#iiab_config_file: "{{ iiab_ini_file }}"    # Legacy support / let's phase this out eventually
+#service_filelist: "{{ iiab_ini_file }}"    # Legacy support / let's phase this out eventually
 
 iiab_base: /opt/iiab
 iiab_dir: "{{ iiab_base }}/iiab"
@@ -17,35 +18,32 @@ pip_packages_dir: "{{ iiab_base }}/pip-packages"
 yum_packages_dir: "{{ iiab_base }}/yum-packages"
 downloads_dir: "{{ iiab_base }}/downloads"
 iiab_download_url: http://download.iiab.io/packages
+
+content_base: "/library"
+doc_base: "{{ content_base }}/www"
+doc_root: "{{ doc_base }}/html"
+
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 
-# Configuration File(s)
+# Languages (for Apache)
-iiab_config_file: /etc/iiab/iiab.ini
-iiab_local_vars_file: /etc/iiab/local_vars.yml
-service_filelist: "{{ iiab_config_file }}"
-
-# The following variable may be useful in debugging
-disregard_network: False  # use cache or error out if cache does not exist
-
-# Users and Passwords
-
-iiab_admin_user: iiab-admin
-# Obtain a password hash with:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-iiab_admin_passw_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-admin_install: True
-
-# Set admin_install: False if you don't want iiab_admin_user & wheel group
-# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
-# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
-
-# If admin_install: False, set iiab_admin_user (above) to an existing Linux
-# user that has sudo access, so you can login to Admin Console http://box/admin
-
-# Languages
 default_language: en
-language_priority: en es
+language_priority: en es fr
+
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+iiab_admin_user_install: True
+# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# Linux user that has sudo access, for login to Admin Console http://box/admin
+iiab_admin_user: iiab-admin
+iiab_admin_published_pwd: g0adm1n    # For live checks/alerts of published pwds
+# Password hash to override above, if Ansible creates above user:
+iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
+# Obtain a password hash - NEW MORE SECURE WAY:
+#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
+# Obtain a password hash - OLD WAY:
+#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
 
 # Time Zone (php needs timezone to be set)
 local_tz: "{{ ansible_date_time.tz }}"
@@ -53,10 +51,13 @@ local_tz: "{{ ansible_date_time.tz }}"
 # Read https://github.com/iiab/iiab/wiki/IIAB-Networking
 # Also readable offline @ http://box/info/IIAB-Networking.html
 
-# NETWORK PARAMETERS FOLLOW ACROSS THE NEXT 65 LINES, as enabled by Ansible's
+# NETWORK PARAMETERS FOLLOW ACROSS THE NEXT 100 LINES, as enabled by Ansible's
 # NETWORK role (/opt/iiab/iiab/roles/network/*) in 4-SERVER-OPTIONS below.
 # SEE ALSO: /opt/iiab/iiab/roles/network/defaults/main.yml
 
+# The following variable may be useful in debugging
+disregard_network: False  # use cache or error out if cache does not exist
+
 iiab_hostname: box
 iiab_domain: lan
 lan_ip: 172.18.96.1
@@ -149,17 +150,36 @@ wan_nameserver:
 # exFAT is auto-enabled for all "debuntu" OS's as of Nov 2017, in roles/2-common/tasks/packages.yml#L35-L36
 # exFAT_enabled: True
 
-# Parameters by Aggregate Roles
+# Parameters for Aggregate Roles
-# Each Role must have the following variables which are either True or False:
+# Each Role should have the following variables which are either True or False:
 #   <role-name>_install
 #   <role-name>_enabled
 
-# Our past convention was to install everything in all aggregates
+# Past convention had been to install everything in all aggregate roles (stages)
 # And to enable everything in 1-PREP, 2-COMMON, and 3-BASE-SERVER
 
 
 # 1-PREP
 
+# sshd
+sshd_enabled: True
+
+# roles/iiab-admin runs here
+# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
+# iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
+
+# OpenVPN
+openvpn_install: True
+openvpn_enabled: False
+# For /etc/iiab/openvpn_handle
+openvpn_handle: ""
+# cron seems necessary on CentOS:
+openvpn_cron_enabled: False
+# General OpenVPN settings
+openvpn_server: xscenet.net
+openvpn_server_virtual_ip: 10.8.0.1
+openvpn_server_port: 1194
+
 # 2-COMMON
 
 # 3-BASE-SERVER
@@ -168,12 +188,10 @@ wan_nameserver:
 
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-
+# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
 # WARNING: Enabling this (might) cause excess use of RAM or other resources?
 apache_high_php_limits: False
-
+# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
-# roles/iiab-admin runs here
 
 # MySQL MANDATORY - THESE SETTINGS HAVE NO EFFECT - SEE roles/1-prep/tasks/computed_vars.yml, roles/mysql/tasks/main.yml
 mysql_install: True
@@ -184,23 +202,6 @@ mysql_root_password: fixmysql
 
 # 4-SERVER-OPTIONS
 
-# sshd
-sshd_enabled: True
-
-# OpenVPN
-openvpn_install: True
-openvpn_enabled: False
-
-# For /etc/iiab/openvpn_handle
-openvpn_handle: ""
-
-# cron seems necessary on CentOS:
-openvpn_cron_enabled: False
-
-openvpn_server: xscenet.net
-openvpn_server_virtual_ip: 10.8.0.1
-openvpn_server_port: 1194
-
 # roles/network runs here (MANY SETTINGS ABOVE)
 
 # Homepage

vars/local_vars_big.yml

@@ -8,20 +8,23 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 
-# Users and Passwords
+# Languages (for Apache)
+default_language: en
+language_priority: en es fr
 
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+iiab_admin_user_install: True
+# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# Linux user that has sudo access, for login to Admin Console http://box/admin
 iiab_admin_user: iiab-admin
-# Obtain a password hash with:
+# Password hash to be used if Ansible creates the above user:
+iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
+# Obtain a password hash - NEW MORE SECURE WAY:
+#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
+# Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-# iiab_admin_passw_hash:
-admin_install: True
-
-# Set admin_install: False if you don't want iiab_admin_user & wheel group
-# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
-# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
-
-# If admin_install: False, set iiab_admin_user (above) to an existing Linux
-# user that has sudo access, so you can login to Admin Console http://box/admin
 
 iiab_hostname: box
 iiab_domain: lan
@@ -73,32 +76,34 @@ dansguardian_enabled: True
 
 # 1-PREP
 
+# roles/sshd & roles/iiab-admin run here
+# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
+# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
+
+# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
+openvpn_install: True
+openvpn_enabled: False
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: ""
+# The following seems necessary on CentOS:
+# openvpn_cron_enabled: True
+
 # 2-COMMON
 
 # 3-BASE-SERVER
 
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-
+# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
 # WARNING: Enabling this (might) cause excess use of RAM or other resources?
 apache_high_php_limits: False
+# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
 
 # roles/mysql runs here (mandatory)
 
 
 # 4-SERVER-OPTIONS
 
-# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
-openvpn_install: True
-openvpn_enabled: False
-
-# Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: ""
-
-# The following seems necessary on CentOS:
-# openvpn_cron_enabled: True
-
 # roles/network runs here (MANY SETTINGS ABOVE)
 
 # PostgreSQL - auto-installed by Moodle and/or Pathagar - no need to touch!

vars/local_vars_medium.yml

@@ -8,20 +8,23 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 
-# Users and Passwords
+# Languages (for Apache)
+default_language: en
+language_priority: en es fr
 
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+iiab_admin_user_install: True
+# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# Linux user that has sudo access, for login to Admin Console http://box/admin
 iiab_admin_user: iiab-admin
-# Obtain a password hash with:
+# Password hash to be used if Ansible creates the above user:
+iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
+# Obtain a password hash - NEW MORE SECURE WAY:
+#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
+# Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-# iiab_admin_passw_hash:
-admin_install: True
-
-# Set admin_install: False if you don't want iiab_admin_user & wheel group
-# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
-# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
-
-# If admin_install: False, set iiab_admin_user (above) to an existing Linux
-# user that has sudo access, so you can login to Admin Console http://box/admin
 
 iiab_hostname: box
 iiab_domain: lan
@@ -73,32 +76,34 @@ dansguardian_enabled: False
 
 # 1-PREP
 
+# roles/sshd & roles/iiab-admin run here
+# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
+# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
+
+# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
+openvpn_install: True
+openvpn_enabled: False
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: ""
+# The following seems necessary on CentOS:
+# openvpn_cron_enabled: True
+
 # 2-COMMON
 
 # 3-BASE-SERVER
 
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-
+# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
 # WARNING: Enabling this (might) cause excess use of RAM or other resources?
 apache_high_php_limits: False
+# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
 
 # roles/mysql runs here (mandatory)
 
 
 # 4-SERVER-OPTIONS
 
-# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
-openvpn_install: True
-openvpn_enabled: False
-
-# Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: ""
-
-# The following seems necessary on CentOS:
-# openvpn_cron_enabled: True
-
 # roles/network runs here (MANY SETTINGS ABOVE)
 
 # PostgreSQL - auto-installed by Moodle and/or Pathagar - no need to touch!

vars/local_vars_min.yml

@@ -8,20 +8,23 @@
 # Ansible's default timeout for "get_url:" downloads (10 seconds) often fails
 download_timeout: 200
 
-# Users and Passwords
+# Languages (for Apache)
+default_language: en
+language_priority: en es fr
 
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
+# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
+# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+iiab_admin_user_install: True
+# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
+# Linux user that has sudo access, for login to Admin Console http://box/admin
 iiab_admin_user: iiab-admin
-# Obtain a password hash with:
+# Password hash to be used if Ansible creates the above user:
+iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
+# Obtain a password hash - NEW MORE SECURE WAY:
+#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
+# Obtain a password hash - OLD WAY:
 #    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-# iiab_admin_passw_hash:
-admin_install: True
-
-# Set admin_install: False if you don't want iiab_admin_user & wheel group
-# auto-created in roles/iiab-admin/tasks/main.yml, thereby disabling sudo-based
-# warnings on use of published passwords like pi/raspberry & iiab-admin/g0adm1n
-
-# If admin_install: False, set iiab_admin_user (above) to an existing Linux
-# user that has sudo access, so you can login to Admin Console http://box/admin
 
 iiab_hostname: box
 iiab_domain: lan
@@ -73,32 +76,34 @@ dansguardian_enabled: False
 
 # 1-PREP
 
+# roles/sshd & roles/iiab-admin run here
+# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
+# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
+
+# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
+openvpn_install: True
+openvpn_enabled: False
+# Set /etc/iiab/openvpn_handle in advance here:
+openvpn_handle: ""
+# The following seems necessary on CentOS:
+# openvpn_cron_enabled: True
+
 # 2-COMMON
 
 # 3-BASE-SERVER
 
 # Make this False to disable http://box/common/services/power_off.php button:
 apache_allow_sudo: True
-
+# For schools that use WordPress and/or Moodle intensively, see iiab/iiab #1147
-# For schools that use WordPress and/or Moodle intensively. See iiab/iiab #1147
 # WARNING: Enabling this (might) cause excess use of RAM or other resources?
 apache_high_php_limits: False
+# SEE ALSO VARIABLES NEAR TOP OF THIS FILE: default_language, language_priority
 
 # roles/mysql runs here (mandatory)
 
 
 # 4-SERVER-OPTIONS
 
-# SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
-openvpn_install: True
-openvpn_enabled: False
-
-# Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: ""
-
-# The following seems necessary on CentOS:
-# openvpn_cron_enabled: True
-
 # roles/network runs here (MANY SETTINGS ABOVE)
 
 # PostgreSQL - auto-installed by Moodle and/or Pathagar - no need to touch!