Merge branch 'iiab:master' into less-apache

roles/1-prep/tasks/main.yml

@@ -66,8 +66,7 @@
   when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
 
 
-# Required by OpenVPN below.  Also run by roles/4-server-options/tasks/main.yml
-- name: SSHD
+- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
   include_role:
     name: sshd
   when: sshd_install

roles/2-common/tasks/main.yml

@@ -6,15 +6,19 @@
 - name: Create IIAB directory structure ("file layout")
   include_tasks: fl.yml
 
+# UNMAINTAINED
 - include_tasks: centos.yml
   when: ansible_distribution == "CentOS"
 
+# UNMAINTAINED
 - include_tasks: fedora.yml
   when: ansible_distribution == "Fedora"
 
+# UNMAINTAINED
 - include_tasks: prep.yml
   when: not is_debuntu
 
+# UNMAINTAINED
 - include_tasks: xo.yml
   when: xo_model != "none" or osbuilder is defined
 
@@ -38,11 +42,13 @@
     #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
     #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
 
+# UNMAINTAINED
 - name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
   template:
     dest: /etc/profile.d/zzz_iiab.sh
     src: zzz_iiab.sh
 
+# UNMAINTAINED
 - include_tasks: net_mods.yml
   when: not is_debuntu and not is_F18
 

roles/3-base-server/README.rst

@@ -10,6 +10,6 @@ This 3rd stage installs base server infra that Internet-in-a-Box requires, inclu
    - **php{{ php_version }}-fpm** — which forcibly installs **php{{ php_version }}-cli**, **php{{ php_version }}-common** and **libsodium23**
 - `www_base <https://github.com/iiab/iiab/blob/master/roles/www_base>`_ (similar to `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options>`_ which runs later in 4-server-options)
 
-Recap: as with 2-common, 4-server-options and 5-xo-services: this 3rd stage installs core server infra, that is not user-facing.
+Recap: as with 2-common, 4-server-options and 5-xo-services, this 3rd stage installs core server infra (that is not user-facing).
 
 The next stage (4-server-options) brings more diverse/optional server infra functionality.

roles/4-server-options/tasks/main.yml

@@ -18,23 +18,25 @@
     name: pylibs
   #when: pylibs_install    # Flag might be created in future?
 
-# Also run by roles/1-prep/tasks/main.yml as required by OpenVPN.
-- name: SSHD
+- name: SSHD - also run by roles/1-prep/tasks/main.yml as required by OpenVPN
   include_role:
     name: sshd
   when: sshd_install
 
+# UNMAINTAINED
 - name: Install named / BIND
   include_tasks: roles/network/tasks/named.yml
-  when: named_install
+  when: named_install is defined and named_install
 
+# UNMAINTAINED
 - name: Install dhcpd
   include_tasks: roles/network/tasks/dhcpd.yml
-  when: dhcpd_install
+  when: dhcpd_install is defined and dhcpd_install
 
+# UNMAINTAINED
 - name: Install Squid (and DansGuardian if dansguardian_install)
   include_tasks: roles/network/tasks/squid.yml
-  when: squid_install
+  when: squid_install is defined and squid_install
 
 - name: Install Bluetooth - only on Raspberry Pi
   include_role:

roles/azuracast/defaults/main.yml

@@ -16,7 +16,7 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
-docker_sh_url: https://raw.githubusercontent.com/AzuraCast/AzuraCast/master/docker.sh
-docker_compose_url: https://raw.githubusercontent.com/AzuraCast/AzuraCast/master/docker-compose.sample.yml 
+docker_sh_url: https://raw.githubusercontent.com/AzuraCast/AzuraCast/main/docker.sh
+docker_compose_url: https://raw.githubusercontent.com/AzuraCast/AzuraCast/main/docker-compose.sample.yml 
 docker_container_dir: /library/docker
 azuracast_host_dir: /opt/azuracast

roles/azuracast/tasks/install.yml

@@ -35,12 +35,12 @@
     mode: 0755
   when: internet_available
 
-- name: AzuraCast - Make changes to docker.sh script so it runs headless
-  lineinfile:
-    path: "{{ azuracast_host_dir }}/docker.sh"
-    regexp: "^(.*)read reply.*"
-    line: "\\1reply='Y'"
-    backrefs: yes
+#- name: AzuraCast - Make changes to docker.sh script so it runs headless
+#  lineinfile:
+#    path: "{{ azuracast_host_dir }}/docker.sh"
+#    regexp: "^(.*)read reply.*"
+#    line: "\\1reply='Y'"
+#    backrefs: yes
 
 - name: AzuraCast - Make directory {{ docker_container_dir }}
   file: 
@@ -59,8 +59,13 @@
     regexp: "^( *- \\')8([0-9]{3})\\:8([0-9]{3}\\'.*)$"
     replace: "\\g<1>{{ azuracast_port_range_prefix }}\\g<2>:{{ azuracast_port_range_prefix }}\\g<3>"
 
+- name: AzuraCast - Setup for stable channel install
+  shell: "yes 'Y' | /bin/bash docker.sh setup-release"
+  args:
+    chdir: "{{ azuracast_host_dir }}"
+
 - name: AzuraCast - Run the installer
-  shell: "/bin/bash docker.sh install"
+  shell: "yes '' | /bin/bash docker.sh install"
   args:
     chdir: "{{ azuracast_host_dir }}"
 

roles/azuracast/templates/docker-compose.override.yml.j2

@@ -9,10 +9,6 @@ services:
     networks:
       - azure
 
-  influxdb:
-    networks:
-      - azure
-
   redis:
     networks:
       - azure

roles/cups/README.md

@@ -0,0 +1,67 @@
+# CUPS Printing README
+
+[CUPS](https://en.wikipedia.org/wiki/CUPS) (also known as the "Common UNIX Printing System") is the standards-based, open source printing system for Linux and macOS.
+
+It allows your [Internet-in-a-Box (IIAB)](http://internet-in-a-box.org) to act as a print server.
+
+This can be useful if a printer is attached to your IIAB — so student/teacher print jobs from client computers and phones can be processed — and then sent to the appropriate printer.
+
+## Using it
+
+Make sure your IIAB was installed with these 2 lines in [/etc/iiab/local_vars.yml](http://faq.iiab.io/#What_is_local_vars.yml_and_how_do_I_customize_it.3F) :
+
+```
+cups_install: True
+cups_enabled: True
+```
+
+Then visit your IIAB's http://box/print > **Administration** and log in using:
+
+- Username: `Admin`
+- Password: `changeme`
+
+Or use any Linux account that is a member of the Linux group: `lpadmin`
+
+_Browser pop-ups will try to scare you — click (and persist!) to log in despite these exaggerated warnings._
+
+## Security
+
+The above uses 'SystemGroup lpadmin' in `/etc/cups/cups-files.conf` — in coordination with about 15 '@SYSTEM' lines and 'DefaultAuthType Basic' in `/etc/cups/cupsd.conf`
+
+CUPS creates a 10-year ["self-signed" HTTPS certificate](https://www.cups.org/doc/encryption.html) during installation, that will be very confusing to non-technical users when they log in, as a result of modern browser warnings.
+
+## How it Works
+
+Understand how IIAB configures CUPS for all IP addresses and all hostnames (IIAB redirects to bypass the "since 2009" CUPS problem mentioned below!) by reading these in-line explanations:
+
+- [/opt/iiab/iiab/roles/cups/tasks/install.yml](tasks/install.yml)
+
+Modify these 2 files at your own risk:
+
+- [/etc/cups/cupsd.conf](https://www.cups.org/doc/man-cupsd.conf.html) (run `sudo cupsctl` and `sudo cupsd -t` to verify the file!)
+- [/etc/nginx/conf.d/cups.conf](templates/cups.conf.j2)
+
+If you make modifications to the above files, don't forget to restart systemd services: (run this as root)
+
+```
+systemctl restart cups cups-browsed nginx
+```
+
+## Troubleshooting
+
+Visit your IIAB's http://box/print > **Help** for printer configuration suggestions, Etc!
+
+http://localhost:631 is very useful if NGINX redirects or CUPS permissions are set wrong.
+
+Beware that http://box:631 and http://box.lan:631 _will not work,_ due to a [known issue](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027) with CUPS since 2009.
+
+Run `ps aux | grep cups` and `systemctl status cups` to verify the CUPS systemd service is running well.
+
+Finally, keep an eye on: `/var/log/cups/error_log`
+
+## Docs and Updates
+
+- https://www.cups.org/documentation.html
+  - https://github.com/apple/cups/releases
+- https://openprinting.github.io/cups/
+  - https://github.com/OpenPrinting/cups/releases/

roles/cups/tasks/enable-or-disable.yml

@@ -1,9 +1,6 @@
-- name: systemd daemon-reload
-  systemd:
-    daemon_reload: yes
-
-- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (OS's other than Fedora 18)
+- name: Enable & (Re)Start 'cups' and 'cups-browsed' systemd services (if cups_enabled)
   systemd:
+    #daemon_reload: yes
     name: "{{ item }}"
     enabled: yes
     state: restarted
@@ -11,21 +8,10 @@
     - cups
     - cups-browsed
   when: cups_enabled
-  #when: cups_enabled and not is_F18
 
-# - name: Enable & Start 'cups' systemd service (Fedora 18, for XO laptops)
-#   systemd:
-#     name: cups
-#     state: started
-#     enabled: yes
-#   when: cups_enabled and is_F18
-
-- name: Permit headless admin of CUPS -- only works when CUPS daemon is running (if cups_enabled)
-  shell: "cupsctl --remote-admin"
-  when: cups_enabled
-
-- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (OS's other than Fedora 18)
+- name: Disable & Stop 'cups' & 'cups-browsed' systemd services (if not cups_enabled)
   systemd:
+    #daemon_reload: yes
     name: "{{ item }}"
     enabled: no
     state: stopped
@@ -33,11 +19,7 @@
     - cups
     - cups-browsed
   when: not cups_enabled
-  #when: not cups_enabled and not is_F18
 
-# - name: Disable & Stop 'cups' systemd service (Fedora 18, for XO laptops)
-#   systemd:
-#     name: cups
-#     enabled: no
-#     state: stopped
-#   when: not cups_enabled and is_F18
+
+- name: Enable/Disable/Restart NGINX
+  include_tasks: nginx.yml

roles/cups/tasks/install.yml

@@ -1,12 +1,125 @@
+# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
+# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW...
+
+
 - name: Install 'cups' package
   package:
     name: cups
     state: present
 
-- name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin
-  template:
-    src: cupsd.conf
+# WARNING: 'apt install cups' AND 'apt install --reinstall cups'
+# UNFORTUNATELY DO *NOT* RECREATE /etc/cups/cupsd.conf IF A PRIOR
+# INSTALL OF CUPS EXISTED!  SO OPTION #1 OR #2 ARE NEEDED BELOW:
+
+# OPTION #1: OLD WAY (BRITTLE)
+#
+# - name: Install our own /etc/cups/cupsd.conf from template, to permit local LAN admin
+#   template:
+#     src: cupsd.conf.j2
+#     dest: /etc/cups/cupsd.conf
+
+# OPTION #2: NEW WAY (MORE FUTURE-PROOF, WE HOPE!)
+
+- name: PLEASE RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf IF YOU MODIFY IT!  The file will now be created -- by ~4 stanzas below.  Also keep an eye on /var/log/cups/error_log
+  meta: noop
+
+- name: Copy /usr/share/cups/cupsd.conf.default to /etc/cups/cupsd.conf (root:lp, 0640) -- a timestamped backup of the prior 'cupsd.conf' will be saved in /etc/cups
+  copy:
+    src: /usr/share/cups/cupsd.conf.default
     dest: /etc/cups/cupsd.conf
+    owner: root
+    group: lp
+    mode: 0640
+    backup: yes
+
+# 2021-07-12: lineinfile fails to insert the needed lines, as these same 2 lines
+# already appear throughout /etc/cups/cupsd.conf -- so we use blockinfile below.
+#
+# - name: "CUPS web administration: Insert 2 lines into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://localhost:631/admin TO LINUX GROUP 'lpadmin' -- to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings.  This uses 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines and 'DefaultAuthType Basic' in /etc/cups/cupsd.conf"
+#   lineinfile:
+#     path: /etc/cups/cupsd.conf
+#     #regexp:
+#     line: "{{ item }}"
+#     insertafter: '^<Location /admin>$'
+#   with_items:
+#     - "  Require user @SYSTEM"    # Will appear BELOW, in /etc/cups/cupsd.conf
+#     - "  AuthType Default"        # Will appear ABOVE, in /etc/cups/cupsd.conf
+
+- name: "CUPS web administration: Insert 2-line block into /etc/cups/cupsd.conf to LOCK DOWN URL'S LIKE http://localhost:631/admin TO LINUX GROUP 'lpadmin' -- to avoid accidental damage to /etc/cups/cupsd.conf and other CUPS settings.  This uses 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines and 'DefaultAuthType Basic' in /etc/cups/cupsd.conf"
+  blockinfile:
+    path: /etc/cups/cupsd.conf
+    insertafter: '^<Location /admin>$'
+    block: |2    # Indent with 2 spaces, and surround block with 2 comment lines: "# BEGIN ANSIBLE MANAGED BLOCK", "# END ANSIBLE MANAGED BLOCK"
+        AuthType Default
+        Require user @SYSTEM
+
+- name: "CUPS web administration: Create Linux username 'Admin' with password 'changeme' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)"
+  user:
+    name: Admin
+    append: yes    # Don't clobber other groups, that other IIAB Apps might need.
+    groups: lpadmin
+    password: "{{ 'changeme' | password_hash('sha512') }}"    # Random salt.  Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#encrypting-and-checksumming-strings-and-passwords
+    create_home: no
+    shell: /usr/sbin/nologin    # Debian/Ubuntu norm -- instead of /sbin/nologin, /bin/false
+
+# - name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' -- for CUPS web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf)
+#   #command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin"
+#   #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin"
+#   user:
+#     name: "{{ iiab_admin_user }}"    # iiab-admin
+#     append: yes
+#     groups: lpadmin
+
+- name: Start 'cups' systemd service as nec -- CUPS DAEMON MUST BE RUNNING FOR 'cupsctl' COMMAND JUST BELOW
+  systemd:
+    #daemon_reload: yes
+    name: cups
+    state: started
+
+# - name: "Authorize Nearby IP Addresses: Run 'cupsctl --remote-admin --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
+#   command: cupsctl --remote-admin --share-printers --user-cancel-any
+
+# 2021-07-11: BOTH FLAGS *CANNOT* BE USED TOGETHER -- CHOOSE ONE OR THE OTHER:
+# (1) '--remote-admin' AS ABOVE, OR (2) '--remote-any' AS BELOW.
+# (RUN 'cupsctl' WITHOUT PARAMETERS TO CONFIRM THIS!)
+
+- name: "Authorize All IP Addresses: Run 'cupsctl --remote-any --share-printers --user-cancel-any' to enable http://192.168.0.x:631 AND http://172.18.96.1:631 AND http://10.8.0.y:631 (if cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf"
+  command: cupsctl --remote-any --share-printers --user-cancel-any
+
+# 2021-07-11: In theory 'cupsctl' stanzas could be put in enable-or-disable.yml
+# BUT LET'S AVOID THAT -- AS REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE*
+# /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!)
+#
+# FYI repeated use of 'cupsctl' commands also removes comments and blank lines.
+#
+# - name: Run 'cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging' (if not cups_enabled) -- REPEATED USE OF 'cupsctl' COMMANDS CAN *DAMAGE* /etc/cups/cupsd.conf BY ADDING DUPLICATE LINES (AND WORSE!) -- SO PLEASE ALSO MANUALLY RUN 'sudo cupsctl' AND 'sudo cupsd -t' TO VERIFY /etc/cups/cupsd.conf
+#   command: cupsctl --no-remote-admin --no-remote-any --no-share-printers --no-user-cancel-any --no-debug-logging
+#   when: not cups_enabled
+
+# - name: "2021-07-14: EXPERIMENTALLY ADD DIRECTIVES TO /etc/cups/cupsd.conf followed by 'systemctl restart cups'.  As should no longer be nec thanks to NEW cups/templates/cups.conf for /etc/nginx/conf.d/cups.conf (followed by 'systemctl restart nginx').  Which FIXED URL'S LIKE: http://box/print, http://box.lan/print, http://192.168.0.x/print, http://172.18.96.1/print and http://10.8.0.x/print (WITH OR WITHOUT THE TRAILING SLASH!)  RECAP: (1) So be it that these 2 URL'S STILL DON'T WORK: http://box:631, http://box.lan:631 (due to CUPS' internal web server's overly stringent hostname checks, i.e. '400 Bad Request' and 'Request from \"localhost\" using invalid Host: field \"box[.lan]:631\".' in /var/log/cups/error_log) -- (2) While these 2 URL'S STILL DO WORK: http://localhost:631, http://127.0.0.1:631 -- (3) Whereas these 3 URL'S MAY WORK, DEPENDING ON 'cupsctl' COMMAND(S) ABOVE: http://192.168.0.x:631, http://172.18.96.1:631, http://10.8.0.x:631"
+#   lineinfile:
+#     path: /etc/cups/cupsd.conf
+#     line: "{{ item }}"
+#     insertbefore: '^Listen .*/run/cups/cups.sock$'    # Also matches old form: '^Listen /var/run/cups/cups.sock$'
+#   with_items:
+#     - "HostNameLookups On"    # More False Leads: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
+#     - "ServerAlias *"
+#     - "#ServerName {{ iiab_hostname }}.{{ iiab_domain }}"    # box.lan
+#     - "#Listen {{ lan_ip }}:631"    # 172.18.96.1
+#     - "#Listen 127.0.0.1:631"
+#     - "#Listen 0.0.0.0:631"
+#     - "#Listen *:631"
+
+# - name: "OPTIONAL: Change 'MaxLogSize 0' (no log rotation) to 'MaxLogSize 1m' (log rotation at 1MB) in /etc/cups/cupsd.conf (EITHER WAY LOG BLOAT IS A RISK!)"
+#   lineinfile:
+#     path: /etc/cups/cupsd.conf
+#     regexp: '^MaxLogSize '
+#     insertbefore: 'Listen '
+#     firstmatch: yes
+#     line: "MaxLogSize 1m"    # CUPS Documentation (claims!) log rotation at "1m" is the default.  But In Practice: 'MaxLogSize 0' (no log rotation) is now part of /usr/share/cups/cupsd.conf.default
+
+# REMINDER: 3 SYSTEMD SERVICES WILL BE RESTARTED (cups, cups-browsed, nginx)
+# LATER IN enable-or-disable.yml, SO /etc/cups/cupsd.conf (ETC) TAKE EFFECT!
 
 
 # RECORD CUPS AS INSTALLED

roles/cups/tasks/main.yml

@@ -1,10 +1,5 @@
-# Administer CUPS at http://box:631
-# Above URL does NOT work over OpenVPN (ANYONE KNOW WHY?)
-
-# TO DO:
-#
-# - CREATE /etc/nginx/conf.d/cups-nginx.conf as SHIM to Apache on port 8090.
-#   SEE OTHERS @ https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
+# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml
 
 
 # "How do i fail a task in Ansible if the variable contains a boolean value?

roles/cups/tasks/nginx.yml

@@ -0,0 +1,16 @@
+- name: Enable http://box/print via NGINX, by installing {{ nginx_conf_dir }}/cups.conf from template
+  template:
+    src: cups.conf.j2
+    dest: "{{ nginx_conf_dir }}/cups.conf"    # /etc/nginx/conf.d
+  when: cups_enabled
+
+- name: Disable http://box/print via NGINX, by removing {{ nginx_conf_dir }}/cups.conf
+  file:
+    path: "{{ nginx_conf_dir }}/cups.conf"
+    state: absent
+  when: not cups_enabled
+
+- name: Restart 'nginx' systemd service
+  systemd:
+    name: nginx
+    state: restarted

roles/cups/templates/cups.conf

@@ -1,2 +0,0 @@
-ProxyPass /cups http://localhost:631
-ProxyPassReverse /cups http://localhost:631

roles/cups/templates/cups.conf.j2

@@ -0,0 +1,73 @@
+# ADMINISTER CUPS AT http://box/print -- USERNAME 'Admin' & PASSWORD 'changeme'
+# (OR ANY MEMBER OF LINUX GROUP 'lpadmin') PER cups/tasks/install.yml
+
+
+# 2021-07-13: Let's redirect to CUPS' own web server for now, as proxying
+# (commented out below) has many glitches, e.g. CUPS' https connections etc.
+
+location ~ ^/print(|/.*)$ {    # '~' -> '~*' for case-insensitive regex
+
+    # 2021-07-13: Work around CUPS failure to serve http://box[.lan]:631 "since
+    # 2009" -- e.g. '400 Bad Request' error 'Request from "localhost" using
+    # invalid Host: field "box[.lan]:631".' in /var/log/cups/error_log, DESPITE
+    # adding 'HostNameLookups On', 'ServerAlias *' etc to /etc/cups/cupsd.conf
+    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530027
+
+    if ($host ~ '{{ iiab_hostname }}(|.{{ iiab_domain }})') {
+        return 301 http://localhost:631;    # Or http://127.0.0.1:631
+    }
+
+    if ($host ~ 'box(|.lan)') {    # /etc/hosts may have BOTH above AND box.lan
+        return 301 http://localhost:631;
+    }
+
+    return 301 http://$host:631;   # For 192.168.0.x, 172.18.96.1, 10.8.0.y ETC
+}
+
+
+# https://anthe.studio/blog/en/cups-nginx-reverse-proxy
+# https://toggen.com.au/it-tips/reverse-proxy-cups-in-nginx/
+# https://www.robpeck.com/2020/09/proxying-cups-ipp-using-nginx/
+
+# location = /print {
+#     return 301 /print/;    # "Moved Permanently" redirect
+#     #rewrite /print /print/;    # Faster, if links are fixed!
+# }
+
+## location ~ ^/print(|/.*)$ {
+##     proxy_pass https://127.0.0.1:631$1;    # Fails: trailing slash nec here
+# location ~ ^/print/(.*) {
+#     proxy_pass https://127.0.0.1:631/$1;
+#
+#     #proxy_http_version 1.1;
+#     #proxy_set_header Accept-Encoding "";
+#     #proxy_set_header Upgrade $http_upgrade;
+#     #proxy_set_header Connection 'upgrade';
+#     proxy_set_header Host '127.0.0.1';
+#     proxy_cache_bypass $http_upgrade;
+#
+#     proxy_set_header X-Real-IP $remote_addr;
+#     #proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
+#     #proxy_set_header X-Forwarded-Host $server_name;
+#
+#     sub_filter ' href="/' ' href="/print/';
+#     sub_filter ' action="/' ' action="/print/';
+#     sub_filter ' src="/' ' src="/print/';
+#     #sub_filter 'ACTION="/' 'ACTION="/print/';
+#     #sub_filter 'URL=/' 'URL=/print/';
+#     sub_filter_types *;
+#     sub_filter_once off;
+# }
+
+# location ~ /cups/(.*) {
+#     proxy_pass http://127.0.0.1:631/$1;
+#     proxy_set_header Host '127.0.0.1';
+#     proxy_cache_bypass $http_upgrade;
+#     proxy_set_header X-Real-IP $remote_addr;
+#
+#     sub_filter ' href="/' ' href="/cups/';
+#     sub_filter ' action="/' ' action="/cups/';
+#     sub_filter ' src="/' ' src="/cups/';
+#     sub_filter_types *;
+#     sub_filter_once off;
+# }

roles/cups/templates/cupsd.conf.j2.unused

@@ -1,8 +1,8 @@
 ServerAlias *
 LogLevel warn
 MaxLogSize 1m
-Listen {{ lan_ip }}:631
-Listen localhost:631
+#Listen {{ lan_ip }}:631
+Listen 127.0.0.1:631
 Listen /var/run/cups/cups.sock
 Browsing On
 BrowseLocalProtocols dnssd

roles/gitea/templates/gitea-nginx.conf.j2

@@ -1,3 +1,3 @@
 location {{ gitea_url }}/ {
-  proxy_pass http://127.0.0.1:{{ gitea_port }}/;
+    proxy_pass http://127.0.0.1:{{ gitea_port }}/;
 }

roles/kalite/tasks/install.yml

@@ -35,7 +35,7 @@
   pip:
     name: ka-lite-static
     version: "{{ kalite_version }}"
-    virtualenv: "{{ kalite_venv }}"    # /usr/local/kalite/venv
+    virtualenv: "{{ kalite_venv }}"
     virtualenv_site_packages: no
     virtualenv_command: /usr/bin/virtualenv
     virtualenv_python: python2.7
@@ -59,23 +59,23 @@
 #     dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
 #   when: apache_installed is defined
 
-- name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20
-  replace:
-    path: /usr/local/kalite/venv/local/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py
-    regexp: 'a-zA-Z0-9'
-    replace: 'a-zA-Z0-9\-'
-  when: is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19
-  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
-
 - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian > 10 or Ubuntu > 19
   replace:
-    path: /usr/local/kalite/venv/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py
+    path: "{{ kalite_venv }}/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py"    # /usr/local/kalite/venv
     regexp: 'a-zA-Z0-9'
     replace: 'a-zA-Z0-9\-'
   when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
   # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
   # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RaspiOS 11+ too?
 
+- name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20
+  replace:
+    path: "{{ kalite_venv }}/local/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py"
+    regexp: 'a-zA-Z0-9'
+    replace: 'a-zA-Z0-9\-'
+  when: is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19
+  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
+
 - name: Create dir {{ kalite_root }}
   file:
     state: directory

roles/kiwix/templates/kiwix-nginx.conf.j2

@@ -1,11 +1,11 @@
 location {{ kiwix_url }} {
-  proxy_set_header   X-Real-IP $remote_addr;
-  proxy_set_header   Host      $http_host;
-  proxy_http_version 1.1;
-  proxy_set_header Connection "";
-  proxy_connect_timeout {{ kiwix_nginx_timeout }};
-  proxy_send_timeout {{ kiwix_nginx_timeout }};
-  proxy_read_timeout {{ kiwix_nginx_timeout }};
-  send_timeout {{ kiwix_nginx_timeout }};
-  proxy_pass http://127.0.0.1:3000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host      $http_host;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_connect_timeout {{ kiwix_nginx_timeout }};
+    proxy_send_timeout {{ kiwix_nginx_timeout }};
+    proxy_read_timeout {{ kiwix_nginx_timeout }};
+    send_timeout {{ kiwix_nginx_timeout }};
+    proxy_pass http://127.0.0.1:3000;
 }

roles/kolibri/templates/kolibri-nginx.conf.j2

@@ -1,8 +1,8 @@
 location {{ kolibri_url }} {
-    proxy_set_header        Host            $http_host;
-    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   {{ kolibri_url_without_slash }};
+    proxy_set_header Host            $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme        $scheme;
+    proxy_set_header X-Script-Name   {{ kolibri_url_without_slash }};
     proxy_pass http://127.0.0.1:8009;
 }
 

roles/lokole/templates/lokole-nginx.conf.j2

@@ -1,14 +1,14 @@
 location = {{ lokole_url }}/favicon.ico {
-  alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico;
+    alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/favicon.ico;
 }
 
 location ~ ^{{ lokole_url }}/static/(.*)$ {
-  alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1;
+    alias {{ lokole_venv }}/lib/python{{ python_ver }}/site-packages/opwen_email_client/webapp/static/$1;
 }
 
 location {{ lokole_url }}/ {
-  proxy_set_header Host $http_host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_pass http://unix:/{{ lokole_domain_socket }};
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass http://unix:/{{ lokole_domain_socket }};
 }

roles/mediawiki/templates/mediawiki-nginx.conf.j2

@@ -5,25 +5,28 @@
 # $wgUsePathInfo = true;
 
 location ~ ^/{{ mediawiki_symlink }}/(index|load|api|thumb|opensearch_desc)\.php$ {
-		include fastcgi_params;
-		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-		fastcgi_pass php; # or whatever port your PHP-FPM listens on
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_pass php; # or whatever port your PHP-FPM listens on
 }
 
 # Images
 location /{{ mediawiki_symlink }}/images {
     # Separate location for images/ so .php execution won't apply
 }
+
 location /{{ mediawiki_symlink }}/images/deleted {
     # Deny access to deleted images folder
     deny all;
 }
+
 # MediaWiki assets (usually images)
 location ~ ^/{{ mediawiki_symlink }}/resources/(assets|lib|src) {
     try_files $uri 404;
     add_header Cache-Control "public";
     expires 7d;
 }
+
 # Assets, scripts and styles from skins and extensions
 location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|ttf|woff|woff2)$ {
     try_files $uri 404;
@@ -31,16 +34,15 @@ location ~ ^/{{ mediawiki_symlink }}/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg
     expires 7d;
 }
 
-
 ## Uncomment the following code if you wish to use the installer/updater
 ## installer/updater
 #location /{{ mediawiki_symlink }}/mw-config/ {
-#	# Do this inside of a location so it can be negated
-#	location ~ \.php$ {
-#		include /etc/nginx/fastcgi_params;
-#		fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name;
-#		fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
-#	}
+#    # Do this inside of a location so it can be negated
+#    location ~ \.php$ {
+#        include /etc/nginx/fastcgi_params;
+#        fastcgi_param SCRIPT_FILENAME $document_root/{{ mediawiki_symlink }}/mw-config/$fastcgi_script_name;
+#        fastcgi_pass 127.0.0.1:9000; # or whatever port your PHP-FPM listens on
+#    }
 #}
 
 # Handling for the article path (pretty URLs)

roles/moodle/defaults/main.yml

@@ -10,6 +10,10 @@
 moodle_version: 311
 moodle_repo_url: https://github.com/moodle/moodle
 #moodle_repo_url: git://git.moodle.org/moodle.git    # 2020-10-16: VERY Slow!
+
 moodle_base: "{{ iiab_base }}/moodle"    # /opt/iiab
 moodle_data: "{{ content_base }}/moodle"    # /library
-moodle_database_name: moodle
+
+moodle_db_name: moodle
+moodle_db_user: Admin
+moodle_db_pass: changeme

roles/moodle/tasks/install.yml

@@ -20,12 +20,13 @@
 # 2021-07-02: Let's monitor & learn from these 2 pages year-by-year:
 # https://docs.moodle.org/19/en/PHP_settings_by_Moodle_version#PHP_Extensions_and_libraries
 # https://github.com/moodlebox/moodlebox/blob/master/roles/packages/vars/main.yml
-- name: Install ghostscript + libsodium23 + 8 PHP packages (run 'php -m' or 'php -i' to verify)
+- name: Install ghostscript + libsodium23 + poppler-utils + 8 PHP packages (run 'php -m' or 'php -i' to verify)
   package:
     name:
       #- php-apcu                        # 2021-07-02: Experiment with fewer dependencies
       - ghostscript                      # 2021-07-02: OPTIONAL -- but useful for annotation of PDF's / assignments
       - libsodium23                      # 2021-06-28: Likewise installed in nginx/tasks/install.yml via php{{ php_version }}-fpm AND httpd/tasks/install.yml via libapache2-mod-php{{ php_version }} AND wordpress/tasks/install.yml -- it can ALSO be auto-installed by phpX.Y-cgi OR phpX.Y-cli as confirmed by 'apt rdepends libsodium23' -- Recommended by Moodle 3.11+ at https://docs.moodle.org/311/en/Environment_-_PHP_extension_sodium -- whereas https://www.php.net/manual/en/sodium.installation.php says it's always bundled with PHP 7.2+ -- VERIFY USING 'php -i | grep sodium' AND 'apt list "*sodium*"'
+      - poppler-utils                    # 2021-07-20: Convert PDF to PNG, with pathtopdftoppm set below (#2854)
       #- php{{ php_version }}-common     # 2021-06-27: Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
       #- php{{ php_version }}-cli        # 2021-06-27: Compare to php{{ php_version }}-common just above!  2020-06-15: In the past this included (below) mbstring?  However this is not true on Ubuntu Server 20.04 LTS.
       - php{{ php_version }}-curl        # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
@@ -72,21 +73,21 @@
     name: postgresql-iiab
     state: started
 
-- name: Create PostgreSQL db user Admin/changeme
+- name: Create PostgreSQL db user {{ moodle_db_user }}/{{ moodle_db_pass }}
   postgresql_user:
-    name: Admin
-    password: changeme
-    encrypted: yes   # Required by PostgreSQL 10+ e.g. Ubuntu 18.04's PostgreSQL 10.3+, see https://github.com/iiab/iiab/issues/759
+    name: "{{ moodle_db_user }}"    # Admin
+    password: "{{ moodle_db_pass }}"    # changeme
+    encrypted: yes    # Required by PostgreSQL 10+ e.g. Ubuntu 18.04's PostgreSQL 10.3+, see https://github.com/iiab/iiab/issues/759
     role_attr_flags: NOSUPERUSER,NOCREATEROLE,NOCREATEDB
     state: present
   become: yes
   become_user: postgres
 
-- name: 'Create database: {{ moodle_database_name }}'
+- name: 'Create database: {{ moodle_db_name }}'
   postgresql_db:
-    name: "{{ moodle_database_name }}"
+    name: "{{ moodle_db_name }}"
     encoding: utf8
-    owner: Admin
+    owner: "{{ moodle_db_user }}"
     template: template1
     state: present
   become: yes
@@ -140,6 +141,9 @@
 
 - include_tasks: mathjax.yml
 
+- name: Run 'php {{ moodle_base }}/admin/cli/cfg.php --name=pathtopdftoppm --set=/usr/bin/pdftoppm' for converting PDF files to PNG (faster than Ghostscript, particularly for large files) -- works with apt package 'poppler-utils' installed above (#2854)
+  command: php "{{ moodle_base }}/admin/cli/cfg.php" --name=pathtopdftoppm --set=/usr/bin/pdftoppm
+
 
 # RECORD Moodle AS INSTALLED
 

roles/moodle/templates/moodle_installer

@@ -10,7 +10,7 @@ sudo -u {{ apache_user }} \
     --wwwroot=http://{{ iiab_hostname }}.{{ iiab_domain }}/moodle \
     --dataroot={{ moodle_data }} \
     --dbtype=pgsql \
-    --dbname={{ moodle_database_name }} \
+    --dbname={{ moodle_db_name }} \
     --dbuser=Admin --dbpass=changeme \
     --fullname=Your_School \
     --shortname=School \

roles/munin/templates/munin24-nginx.conf.j2

@@ -1,4 +1,4 @@
-location  /munin {
-  alias /var/cache/munin/www/ ;
-  try_files $uri $uri/ /index.html;
+location /munin {
+    alias /var/cache/munin/www/ ;
+    try_files $uri $uri/ /index.html;
 }

roles/network/tasks/rpi_debian.yml

@@ -60,6 +60,9 @@
   systemd:
     name: clone-wifi
     state: started
+  when: discovered_wireless_iface != "none"
+  # Whereas sysd-netd-debian.yml uses...
+  # when: wifi_up_down and discovered_wireless_iface != "none"
 
 - name: Restart the networking service if appropriate
   systemd:

roles/network/templates/network/dhcpcd.conf.j2

@@ -38,7 +38,9 @@ require dhcp_server_identifier
 slaac private
 
 # IIAB
+{% if iiab_wireless_lan_iface is defined %}
 denyinterfaces {{ iiab_wireless_lan_iface }}
+{% endif %}
 
 # Setting iiab_wired_lan_iface would install the device as a slave under
 # br0 so we need to turn off the dhcp client in that network layout.

roles/nginx/README.md

@@ -10,7 +10,7 @@
 
 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
 
-3. Current state of IIAB App/Service migrations as of 2021-07-06: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
+3. Current state of IIAB App/Service migrations as of 2021-07-24: *(SEE ALSO [#2762](https://github.com/iiab/iiab/issues/2762))*
 
    1. These support "Native" NGINX but ***NOT*** Apache
 
@@ -37,27 +37,27 @@
 
    2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
 
-      * NONE: Apache support is being fully removed starting 2021-07-06.
+      * NONE: Apache support is being fully removed starting 2021-07-06 ([PR #2850](https://github.com/iiab/iiab/pull/2850))
 
    3. These support Apache but ***NOT*** "Native" NGINX.  They use a "Shim" to [proxy_pass](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/) from NGINX to Apache on port 8090.  See [roles/3-base-server/tasks/main.yml#L11](../3-base-server/tasks/main.yml#L11) for a list of ~6 IIAB Apps/Services that auto-enable Apache.
 
-      * elgg
+      * elgg [*, should be deprecated, or considered for a complete overhaul from ancient Elgg 2.x to 4.x?]
 
    4. These each run their own web server or non-web / backend services, e.g. off of their own [unique port(s)](https://github.com/iiab/iiab/wiki/IIAB-Networking#list-of-ports--services) (IIAB home pages link directly to these destinations).  In future we'd like mnemonic URL's for all of these: (e.g. http://box/calibre, http://box/archive, http://box/kalite)
 
       * bluetooth
       * calibre (menu goes directly to port 8080)
-      * cups (menu goes directly to port 631) [*, shim not yet in place, [PR #2775](https://github.com/iiab/iiab/pull/2775)]
+      * cups (NGINX redirects http://box/print to port 631, changing URL hostname to localhost when necessary, per [PR #2858](https://github.com/iiab/iiab/pull/2858))
       * internetarchive (menu goes directly to port 4244) [*, [PR #2120](https://github.com/iiab/iiab/pull/2120)]
       * kalite (menu goes directly to ports 8006-8008)
       * minetest
       * mosquitto
       * openvpn
-      * pbx [*, requires Apache for now, as in Section iii.]
+      * pbx [*, requires Apache for now, as in Section iii., [PR #2862](https://github.com/iiab/iiab/pull/2862)]
       * phpmyadmin [*, requires Apache for now, as in Section iii.]
       * samba
       * sshd
       * transmission
       * vnstat
 
-[*] The 4 above starred roles could use improvement, as of 2021-07-06.
+[*] The 4 above starred roles could use improvement, as of 2021-07-24.

roles/nginx/templates/iiab.conf.j2

@@ -30,11 +30,11 @@ location /js-menu/ {
 location /software/ {
     fancyindex on;              # Enable fancy indexes.
     fancyindex_exact_size off;  # Output human-readable file sizes.
-     location ~* \.(apk)$ {
+    location ~* \.(apk)$ {
         add_header Content-Type application/vnd.android.package-archive;
-        }
+    }
 
-      location ~* \.(zim)$ {
+    location ~* \.(zim)$ {
         add_header Content-Type application/zip;
-        }
+    }
 }

roles/nodejs/defaults/main.yml

@@ -1,6 +1,6 @@
-# 2021-06-17: BOTH VALUES BELOW ARE INITIALLY IGNORED as Node.js is installed
-# on demand as a dependency by 4 roles -- internetarchive (Internet Archive),
-# nodered (Node-RED), pbx (Asterix, FreePBX) &/or Sugarizer:
+# 2021-07-21: BOTH VALUES BELOW ARE INITIALLY IGNORED as Node.js is installed
+# on demand as a dependency by 5 roles -- internetarchive (Internet Archive),
+# JupyterHub, nodered (Node-RED), pbx (Asterix, FreePBX) &/or Sugarizer:
 
 # nodejs_install: False
 # nodejs_enabled: False

roles/osm-vector-maps/templates/osm-vector-maps-nginx.conf.j2

@@ -1,7 +1,8 @@
 # For downloadable regional vector tilesets
 location ~ ^/maps {
-   rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1;
+    rewrite ^/maps(.*)$ /osm-vector-maps/viewer$1;
 }
+
 location ~ ^/osm-vector-maps(.*)\.php(.*)$ {
     alias /library/www/osm-vector-maps$1.php$2;    # /library/www/osm-vector-maps
     proxy_set_header X-Real-IP  $remote_addr;
@@ -11,10 +12,11 @@ location ~ ^/osm-vector-maps(.*)\.php(.*)$ {
     fastcgi_index index.html;
     include fastcgi_params;
     fastcgi_split_path_info ^(.+\.php)(.*)$;
-    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;
-    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;
-    fastcgi_param   PATH_INFO          $2;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param SCRIPT_NAME     $fastcgi_script_name;
+    fastcgi_param PATH_INFO       $2;
 }
+
 location ~ ^/osm-vector-maps/ {
-   root /library/www;
+    root /library/www;
 }

roles/pbx/tasks/freepbx.yml

@@ -116,7 +116,7 @@
 - name: FreePBX - Patch FreePBX source - disable get_magic_quotes_gpc()
   patch:
     src: "roles/pbx/templates/pbx2.patch"
-    dest: "{{ freepbx_install_dir }}/freepbx/admin/libraries/view.functions.php"
+    dest: "{{ freepbx_install_dir }}/admin/libraries/view.functions.php"
 
 - name: FreePBX - Create /etc/odbc.ini
   template:

roles/sugarizer/templates/sugarizer-nginx.conf.j2

@@ -2,9 +2,9 @@
 # If you need to change this, edit /etc/iiab/local_vars.yml prior to installing
 
 location /sugarizer {
-   proxy_set_header Host            $http_host;
-   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-   proxy_set_header X-Scheme        $scheme;
-   proxy_set_header X-Script-Name   /sugarizer;
-   proxy_pass http://127.0.0.1:{{ sugarizer_port }};
+    proxy_set_header Host            $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme        $scheme;
+    proxy_set_header X-Script-Name   /sugarizer;
+    proxy_pass http://127.0.0.1:{{ sugarizer_port }};
 }

roles/wordpress/templates/wordpress-nginx.conf.j2

@@ -1,20 +1,19 @@
-location {{ wp_url }} { 
+location {{ wp_url }} {
     #rewrite_log on;
     root {{ content_base }};
     try_files $uri $uri/ /wordpress/index.php$is_args$args;
-    
+
     location ~ .*\.php$ {
-          
-          include fastcgi_params;
-          fastcgi_pass php;
-          fastcgi_index index.php;         
-          fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;          
-       }
-    
-    location ~ ^({{ wp_url }})(/.*)/$ {           
-          include fastcgi_params;
-          fastcgi_pass php;
-          fastcgi_index index.php;          
-          fastcgi_param   SCRIPT_FILENAME    {{ wp_abs_path }}/index.php;          
-       }         
+        include fastcgi_params;
+        fastcgi_pass php;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    }
+
+    location ~ ^({{ wp_url }})(/.*)/$ {
+        include fastcgi_params;
+        fastcgi_pass php;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME {{ wp_abs_path }}/index.php;
+    }
 }

roles/www_base/tasks/php-stem.yml

@@ -26,7 +26,7 @@
     group: root
     #mode: ????
     remote_src: yes
-  when: ansible_machine == "armv7l" and stem_available is defined
+  when: (ansible_machine == "armv7l" or ansible_machine == "armv6l") and stem_available is defined
 
 - name: Unarchive http://download.iiab.io/packages/php{{ php_version }}-stem.aarch64.tar to / (rpi)
   unarchive:

scripts/ansible

@@ -9,7 +9,7 @@
 
 APT_PATH=/usr/bin     # Avoids problematic /usr/local/bin/apt on Linux Mint
 CURR_VER=undefined    # Ansible version you currently have installed
-GOOD_VER=2.11.2       # Orig for 'yum install [rpm]' & XO laptops (pip install)
+GOOD_VER=2.11.3       # Orig for 'yum install [rpm]' & XO laptops (pip install)
 
 # 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and
 # .gpg key etc) are commented out with ### below.  Associated guidance/comments
@@ -59,13 +59,13 @@ GOOD_VER=2.11.2       # Orig for 'yum install [rpm]' & XO laptops (pip install)
 #pip3 install --upgrade ansible-core    # Then start a new shell, so /usr/local/bin works
 #ansible-galaxy collection install -r collections.yml
 
-# TEMPORARILY USE ansible-base 2.10.11 (REMOVE W/ "pip3 uninstall ansible-base")
+# TEMPORARILY USE ansible-base 2.10.12 (REMOVE W/ "pip3 uninstall ansible-base")
 #apt install python3-pip
-#pip3 install ansible-base==2.10.11   # Start new shell, so /usr/local/bin works
+#pip3 install ansible-base==2.10.12   # Start new shell, so /usr/local/bin works
 
-# TEMPORARILY USE ANSIBLE 2.9.23 (REMOVE IT WITH "pip3 uninstall ansible")
+# TEMPORARILY USE ANSIBLE 2.9.24 (REMOVE IT WITH "pip3 uninstall ansible")
 #apt install python3-pip
-#pip3 install ansible==2.9.23
+#pip3 install ansible==2.9.24
 
 # TEMPORARILY USE ANSIBLE 2.4.2 DUE TO 2.4.3 MEMORY BUG. Details: iiab/iiab#669
 #echo "Install http://download.iiab.io/packages/ansible_2.4.2.0-1ppa~xenial_all.deb"
@@ -181,7 +181,7 @@ ansible-galaxy collection install --force-with-deps \
 
 echo -e "\n\nSUCCESS!  PLEASE VERIFY ANSIBLE WITH COMMANDS LIKE:\n"
 echo -e "    ansible --version"
-echo -e "    pip show ansible-core"
+echo -e "    pip3 show ansible-core"
 echo -e '    apt -a list "ansible*"'
 echo -e "    ansible-galaxy collection list\n"
 echo -e "WARNING: Start a new Linux shell, if it changed from /usr/bin to /usr/local/bin\n\n"

test.yml

@@ -0,0 +1,35 @@
+# TEST ANSIBLE COMMANDS/MODULES IN SECONDS -- BY RUNNING:
+# ansible-playbook -i ansible_hosts test.yml --connection=local
+
+- hosts: all
+  become: yes    # Optional privilege escalation
+
+  #vars_files:
+  #- roles/0-init/defaults/main.yml
+  #- vars/default_vars.yml
+  #- vars/{{ ansible_local.local_facts.os_ver }}.yml
+  #- /etc/iiab/local_vars.yml
+  #- /etc/iiab/iiab_state.yml
+
+  #roles:
+  #  - { role: 0-init }
+
+  tasks:
+
+  #- include_role:
+  #    name: 0-init
+
+  - debug:
+      msg: "{{ 'changeme' | password_hash('sha512') }}"
+
+  #- pause:
+
+  - name: DOUBLE UP to escape single quotes... '"''"' e.g. iiab.ini Munin description
+    debug:
+      msg: '"''"'    # FAILS: '"\'"'
+
+  - name: BACKSLASH to escape double quotes... "'\"'" e.g. cups/tasks/install.yml
+    debug:
+      msg: "'\"'"    # FAILS: "'""'"
+
+  # TEST ANSIBLE COMMANDS/MODULES HERE!

vars/default_vars.yml

@@ -388,9 +388,9 @@ mosquitto_install: False
 mosquitto_enabled: False
 mosquitto_port: 1883
 
-# 2021-06-17: BOTH VALUES BELOW ARE INITIALLY IGNORED as Node.js is installed
-# on demand as a dependency by 4 roles -- internetarchive (Internet Archive),
-# nodered (Node-RED), pbx (Asterix, FreePBX) &/or Sugarizer:
+# 2021-07-21: BOTH VALUES BELOW ARE INITIALLY IGNORED as Node.js is installed
+# on demand as a dependency by 5 roles -- internetarchive (Internet Archive),
+# JupyterHub, nodered (Node-RED), pbx (Asterix, FreePBX) &/or Sugarizer:
 nodejs_install: False
 nodejs_enabled: False
 nodejs_version: 16.x    # was 8.x til 2019-02-02, 10.x til 2019-12-21, 12.x til 2020-10-29, 14.x til 2021-06-17