diff --git a/roles/1-prep/tasks/hw_platforms.yml b/roles/1-prep/tasks/hw_platforms.yml
new file mode 100644
index 000000000..2a5c5c2ba
--- /dev/null
+++ b/roles/1-prep/tasks/hw_platforms.yml
@@ -0,0 +1,17 @@
+##  DISCOVER PLATFORMS ######
+# Put conditional actions for hardware platforms here
+
+- include_tasks: raspberry_pi.yml
+  when: first_run and rpi_model != "none"
+
+- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+  register: usb_NUC6
+  ignore_errors: True
+
+- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
+  get_url:
+    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
+    dest: /lib/firmware
+    timeout: "{{ download_timeout }}"
+  when: internet_available and usb_NUC6.stdout|int > 0
diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml
index e7b950a3e..efaf78e54 100644
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@@ -1,85 +1,31 @@
-# Preparations (Hardware Level)
+# Preparations (low-level, hardware, basic security)
 
 - name: ...IS BEGINNING ============================================
   meta: noop
 
-- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
-  include_tasks: roles/network/tasks/dnsmasq.yml
-  #when: dnsmasq_install    # Flag might be used in future?
-
-
-- name: 'Install packages: sudo, uuid-runtime'
-  package:
-    name:
-      - sudo
-      - uuid-runtime
-    state: present
-
-- name: Does /etc/iiab/uuid exist?
-  stat:
-    path: /etc/iiab/uuid
-  register: uuid_file
-
-- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
-  command: uuidgen
-  register: uuid_response
-  when: not uuid_file.stat.exists
-
-- name: Save it to /etc/iiab/uuid
-  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
-  when: not uuid_file.stat.exists
-
-- name: Load /etc/iiab/uuid, into register stored_uuid
-  command: cat /etc/iiab/uuid
-  register: stored_uuid
-
-- name: Store it in Ansible variable 'uuid'
-  set_fact:
-    uuid: "{{ stored_uuid.stdout_lines[0] }}"
-
-
-- name: Does 'ubermix' exist in /etc/lsb-release?
-  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
-  register: grep_ubermix
-  failed_when: False    # Universal way to hide alarmist red errors!
-  #ignore_errors: True
-  #check_mode: no
-
-- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix
-  copy:
-    src: roles/1-prep/files/iiab.conf
-    dest: /etc/tmpfiles.d/
-    # owner: root
-    # group: root
-    # mode: '0644'
-    force: yes
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
-# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
-# pkgs are not installed FWIW.  But it's included to safeguard us across all
-# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
-# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
-- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
-  shell: apt -y remove "libgeos-*"
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-
 - name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
   include_role:
     name: sshd
   when: sshd_install
 
-- name: IIAB-ADMIN
-  include_role:
-    name: iiab-admin
-  #when: iiab_admin_install    # Flag might be created in future?
-
 - name: OPENVPN
   include_role:
     name: openvpn
   when: openvpn_install
 
+- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
+  include_role:
+    name: iiab-admin
+  #when: iiab_admin_install    # Flag might be created in future?
+
+- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
+  include_tasks: roles/network/tasks/dnsmasq.yml
+  #when: dnsmasq_install    # Flag might be used in future?
+
+- include_tasks: uuid.yml
+- include_tasks: ubermix.yml
+- include_tasks: hw_platforms.yml
+
 
 # Debian 10 "Buster" is apparently enabling AppArmor in 2019:
 # https://wiki.debian.org/AppArmor/Progress
@@ -109,25 +55,6 @@
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
 
 
-##  DISCOVER PLATFORMS ######
-# Put conditional actions for hardware platforms here
-
-- include_tasks: raspberry_pi.yml
-  when: first_run and rpi_model != "none"
-
-- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
-  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
-  register: usb_NUC6
-  ignore_errors: True
-
-- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
-  get_url:
-    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
-    dest: /lib/firmware
-    timeout: "{{ download_timeout }}"
-  when: internet_available and usb_NUC6.stdout|int > 0
-
-
 - name: Recording STAGE 1 HAS COMPLETED ============================
   template:
     src: roles/1-prep/templates/iiab.env.j2
diff --git a/roles/1-prep/tasks/ubermix.yml b/roles/1-prep/tasks/ubermix.yml
new file mode 100644
index 000000000..fa9e1c891
--- /dev/null
+++ b/roles/1-prep/tasks/ubermix.yml
@@ -0,0 +1,25 @@
+- name: Does 'ubermix' exist in /etc/lsb-release?
+  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
+  register: grep_ubermix
+  failed_when: False    # Universal way to hide alarmist red errors!
+  #ignore_errors: True
+  #check_mode: no
+
+- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix (root:root, 0644 by default)
+  copy:
+    src: roles/1-prep/files/iiab.conf
+    dest: /etc/tmpfiles.d/
+    # owner: root
+    # group: root
+    # mode: 0644
+    force: yes
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
+
+# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
+# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
+# pkgs are not installed FWIW.  But it's included to safeguard us across all
+# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
+# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
+- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
+  shell: apt -y remove "libgeos-*"
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
diff --git a/roles/1-prep/tasks/uuid.yml b/roles/1-prep/tasks/uuid.yml
new file mode 100644
index 000000000..28ab30340
--- /dev/null
+++ b/roles/1-prep/tasks/uuid.yml
@@ -0,0 +1,26 @@
+- name: "Install packages: uuid-runtime"
+  package:
+    name: uuid-runtime
+    state: present
+
+- name: Does /etc/iiab/uuid exist?
+  stat:
+    path: /etc/iiab/uuid
+  register: uuid_file
+
+- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
+  command: uuidgen
+  register: uuid_response
+  when: not uuid_file.stat.exists
+
+- name: Save it to /etc/iiab/uuid
+  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
+  when: not uuid_file.stat.exists
+
+- name: Load /etc/iiab/uuid, into register stored_uuid
+  command: cat /etc/iiab/uuid
+  register: stored_uuid
+
+- name: Store it in Ansible variable 'uuid'
+  set_fact:
+    uuid: "{{ stored_uuid.stdout_lines[0] }}"
diff --git a/roles/2-common/tasks/main.yml b/roles/2-common/tasks/main.yml
index 21ae62a6a..0693fd50e 100644
--- a/roles/2-common/tasks/main.yml
+++ b/roles/2-common/tasks/main.yml
@@ -8,7 +8,7 @@
 
 - include_tasks: packages.yml
 
-- name: 'Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml'
+- name: "Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml"
   include_tasks: network.yml
 
 - include_tasks: iiab-startup.yml
diff --git a/roles/2-common/tasks/packages.yml b/roles/2-common/tasks/packages.yml
index 3362c0ce5..26c061b52 100644
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@@ -4,7 +4,7 @@
 - name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml'
   meta: noop
 
-- name: "Install 20 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget, wpasupplicant"
+- name: "Install 21 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget, wpasupplicant"
   package:
     name:
       - acpid              # Daemon for ACPI (power mgmt) events
@@ -33,7 +33,7 @@
       - rsync
       #- screen            # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
       - sqlite3
-      #- sudo              # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
+      - sudo
       - tar
       - unzip
       #- usbmount          # Moved to roles/usb_lib/tasks/install.yml