Merge pull request #429 from iiab/master

Sync from iiab:master

roles/0-init/tasks/main.yml

@@ -96,46 +96,6 @@
     gui_port: 443
   when: adm_cons_force_ssl | bool
 
-- name: Turn on both vars for MySQL (mandatory in Stage 3!)
-  set_fact:
-    mysql_install: True
-    mysql_enabled: True
-
-# We decided to enable mysql unconditionally.
-#  when: elgg_enabled or rachel_enabled or owncloud_enabled or phpmyadmin_enabled or wordpress_enabled or iiab_menu_install
-
-- name: "Set python_path: /lib/python2.7/site-packages/ (redhat)"
-  set_fact:
-    python_path: /lib/python2.7/site-packages/
-  when: is_redhat | bool
-
-- name: "Set python_path: /usr/local/lib/python2.7/dist-packages/ (debuntu)"
-  set_fact:
-    python_path: /usr/local/lib/python2.7/dist-packages/
-  when: is_debuntu | bool
-
-# For various reasons the mysql service cannot be enabled on Fedora 20, but
-# 'mariadb', which is its real name can.  On Fedora 18 we need to use 'mysqld'.
-
-# BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
-#- name: "Set mysql_service: mariadb by default"
-#  set_fact:
-#    mysql_service: mariadb
-
-- name: "Set mysql_service: mysqld etc (Fedora 18)"
-  set_fact:
-    # BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
-    #mysql_service: mysqld
-    no_NM_reload: True
-    is_F18: True
-  when: (ansible_distribution_release == "based on Fedora 18" or ansible_distribution_version == "18") and ansible_distribution == "Fedora"
-
-# BETTER TO USE /opt/iiab/iiab/vars/<OS>.yml
-#- name: "Set mysql_service: mysql (debuntu)"
-#  set_fact:
-#    mysql_service: mysql
-#  when: is_debuntu | bool
-
 - name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
   set_fact:
     iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"

roles/0-init/tasks/validate_vars.yml

@@ -42,7 +42,7 @@
 # are officially now UNMAINTAINED in default_vars.yml and
 # https://github.com/iiab/iiab/blob/master/unmaintained-roles.txt etc?
 
-- name: Set vars_checklist for 53 + 53 + up-to-53 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 47 + 47 + up-to-47 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
   set_fact:
     vars_checklist:
       - hostapd
@@ -55,12 +55,11 @@
       - sshd
       - openvpn
       - admin_console
-      - nginx
+      #- nginx     # MANDATORY
-      - apache
+      #- apache    # Dependency installed on demand, by other apps/services
-      - mysql
+      #- mysql     # MANDATORY
       - squid
       - dansguardian
-      - postgresql
       - cups
       - samba
       - usb_lib
@@ -76,7 +75,7 @@
       - lokole
       - mediawiki
       - mosquitto
-      - nodejs
+      #- nodejs    # Dependency installed on demand, by other apps/services
       - nodered
       - nextcloud
       - pbx
@@ -84,8 +83,9 @@
       - kalite
       - kolibri
       - kiwix
+      #- postgresql    # Dependency installed on demand, by other apps/services
       - moodle
-      - mongodb
+      #- mongodb    # Dependency installed on demand, by other apps/services
       - sugarizer
       - osm_vector_maps
       - transmission
@@ -94,6 +94,7 @@
       - munin
       - phpmyadmin
       - vnstat
+      #- yarn    # Dependency installed on demand, by other apps/services
       - internetarchive
       - minetest
       - calibre

roles/1-prep/tasks/main.yml

@@ -5,7 +5,7 @@
 
 - name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
   include_tasks: roles/network/tasks/dnsmasq.yml
-  #when: dnsmasq_install | bool
+  #when: dnsmasq_install | bool    # Flag might be used in future?
 
 - name: Install uuid-runtime package (debuntu)
   package:
@@ -75,10 +75,11 @@
   shell: apt -y remove "libgeos-*"
   when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
 
+# Required by OpenVPN below.  Also run by roles/4-server-options/tasks/main.yml
 - name: SSHD
   include_role:
     name: sshd
-  #when: sshd_install | bool    # Flag might be created in future?
+  when: sshd_install | bool
 
 - name: IIAB-ADMIN
   include_role:

roles/2-common/tasks/packages.yml

@@ -40,7 +40,7 @@
       - htop
       - i2c-tools
       - logrotate
-      #- lynx    # Already installed by 1-prep's roles/iiab-admin/tasks/access.yml
+      #- lynx    # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
       - make
       - mlocate
       - netmask
@@ -50,6 +50,7 @@
       - pandoc
       - pastebinit
       - rsync
+      #- screen    # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
       - sqlite3
       - sudo
       - tar

roles/3-base-server/tasks/main.yml

@@ -6,7 +6,7 @@
 - name: MYSQL
   include_role:
     name: mysql
-  when: mysql_install | bool
+  #when: mysql_install | bool
 
 # 2020-05-21: Apache role 'httpd' is installed as nec by any of these 7 roles:
 #
@@ -22,7 +22,7 @@
 - name: NGINX
   include_role:
     name: nginx
-  when: nginx_install | bool
+  #when: nginx_install | bool
 
 - name: WWW_BASE (WWW_OPTIONS should be installed later)
   include_role:

roles/4-server-options/tasks/main.yml

@@ -18,6 +18,12 @@
     name: pylibs
   #when: pylibs_install | bool    # Flag might be created in future?
 
+# Also run by roles/1-prep/tasks/main.yml as required by OpenVPN.
+- name: SSHD
+  include_role:
+    name: sshd
+  when: sshd_install | bool
+
 - name: Install named / BIND
   include_tasks: roles/network/tasks/named.yml
   when: named_install | bool

roles/mediawiki/defaults/main.yml

@@ -5,7 +5,7 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
 mediawiki_major_version: 1.34    # "1.34" also works
-mediawiki_minor_version: 3
+mediawiki_minor_version: 4
 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
 
 mediawiki_download_base_url: "https://releases.wikimedia.org/mediawiki/{{ mediawiki_major_version }}"

roles/moodle/tasks/main.yml

@@ -40,8 +40,9 @@
 #     enabled: no
 #   when: not moodle_enabled and not (pathagar_enabled is defined and pathagar_enabled)
 
-- name: "Set 'postgresql_enabled: True' if moodle_enabled"
+- name: "Set 'postgresql_install: True' and 'postgresql_enabled: True' if moodle_enabled"
   set_fact:
+    postgresql_install: True
     postgresql_enabled: True
   when: moodle_enabled | bool
 

roles/network/tasks/avahi.yml

@@ -43,7 +43,7 @@
   lineinfile:
     dest: /etc/avahi/services/ssh.service
     regexp: '</port>$'
-    line: '    <port>{{ ssh_port }}</port>'
+    line: '    <port>{{ sshd_port }}</port>'
     state: present
     backrefs: yes
 

roles/network/templates/gateway/iiab-gen-iptables

@@ -46,7 +46,7 @@ echo -e "WAN: $wan\n"
 ports_externally_visible={{ ports_externally_visible }}
 #services_externally_visible= [deprecated]
 gw_block_https={{ gw_block_https }}
-ssh_port={{ ssh_port }}
+sshd_port={{ sshd_port }}
 #gui_wan= [no longer needed]
 gui_port={{ gui_port }}
 iiab_gateway_enabled={{ iiab_gateway_enabled }}
@@ -132,7 +132,7 @@ if [ "$wan" != "none" ]; then
 
     # 1 = ssh only
     if [ "$ports_externally_visible" -ge 1 ]; then
-        $IPTABLES -A INPUT -p tcp --dport $ssh_port -m state --state NEW -i $wan -j ACCEPT
+        $IPTABLES -A INPUT -p tcp --dport $sshd_port -m state --state NEW -i $wan -j ACCEPT
     fi
 
     # 2 = ssh + http-or-https (for Admin Console's box.lan/admin too)

roles/nginx/README.md

@@ -10,7 +10,7 @@
 
 2. Without PHP available via FastCGI, any function at all for PHP-based applications validates NGINX.
 
-3. Current state of IIAB App/Service migrations as of 2020-09-22:
+3. Current state of IIAB App/Service migrations as of 2020-09-24:
 
    1. These support "Native" NGINX but ***NOT*** Apache
       * Admin Console
@@ -20,7 +20,7 @@
       * OER2Go/RACHEL modules
       * usb_lib
 
-   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service.  But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)
+   2. These support "Native" NGINX ***AND*** Apache, a.k.a. "dual support" for legacy testing (if suitable "Shims" from *Section iii.* below are preserved!)  Both "Native" NGINX and "Shim" proxying from NGINX to Apache port 8090 *cannot be enabled simultaneously* for these IIAB Apps/Service:<!--But if you want to attempt their "Shim" proxying legacy testing mode, try setting your *primary web server* to Apache using `apache_install: True` and `apache_enabled: True` (and `nginx_enabled: False` to disable NGINX) in [/etc/iiab/local_vars.yml](http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F) before you install IIAB.  You may also need to run `cd /opt/iiab/iiab; ./runrole httpd` since this has been removed from [roles/3-base-server/tasks/main.yml](https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml)-->
       * awstats
       * calibre-web
       * gitea
@@ -48,9 +48,10 @@
       * mosquitto
       * openvpn
       * pbx [*, requires Apache for now, as in Section iii.]
-      * phpmyadmin [requires Apache for now, as in Section iii.]
+      * phpmyadmin [*, requires Apache for now, as in Section iii.]
       * samba
+      * sshd
       * transmission
       * vnstat
 
-[*] The 3 above starred roles could use improvement, as of 2020-09-22.
+[*] The 4 above starred roles could use improvement, as of 2020-09-24.

roles/sshd/tasks/enable-or-disable.yml

@@ -0,0 +1,15 @@
+- name: Enable & (Re)Start ssh daemon ({{ sshd_service }}) if sshd_enabled
+  systemd:
+    daemon_reload: yes
+    name: "{{ sshd_service }}"
+    enabled: yes
+    state: restarted
+  when: sshd_enabled | bool
+
+- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
+  systemd:
+    daemon_reload: yes
+    name: "{{ sshd_service }}"
+    enabled: no
+    state: stopped
+  when: not sshd_enabled

roles/sshd/tasks/install.yml

@@ -0,0 +1,55 @@
+# TODO:
+#
+# 1) Implement sshd_port IF it's truly needed? Mentioned here as of 2020-09-24:
+#
+#    vars/default_vars.yml  Line 212
+#    roles/sshd/tasks/main.yml  Lines 41-42
+#    roles/network/tasks/avahi.yml  Line 46
+#    roles/network/templates/gateway/iiab-gen-iptables  Line 49 & 135
+#
+# 2) Use Ansible handler to reload ssh?
+
+- name: "Install ssh daemon using package: {{ sshd_package }}"
+  package:
+    name: "{{ sshd_package }}"
+    state: present
+
+- name: Disable password-based logins to root
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: '^PermitRootLogin'
+    line: 'PermitRootLogin without-password'
+    state: present
+  #when: sshd_enabled | bool
+
+- name: mkdir /root/.ssh
+  file:
+    state: directory
+    path: /root/.ssh
+    owner: root
+    group: root
+    mode: '0700'
+  #when: sshd_enabled | bool
+
+- name: Install dummy root keys as placeholder
+  copy:
+    src: dummy_authorized_keys
+    dest: /root/.ssh/authorized_keys
+    owner: root
+    group: root
+    mode: '0600'
+    force: no
+  #when: sshd_enabled | bool
+
+
+# RECORD sshd AS INSTALLED
+
+- name: "Set 'sshd_installed: True'"
+  set_fact:
+    sshd_installed: True
+
+- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
+  lineinfile:
+    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^sshd_installed'
+    line: 'sshd_installed: True'

roles/sshd/tasks/main.yml

@@ -1,61 +1,44 @@
-- name: "Install ssh daemon using package: {{ sshd_package }}"
+# "How do i fail a task in Ansible if the variable contains a boolean value?
-  package:
+# I want to perform input validation for Ansible playbooks"
-    name: "{{ sshd_package }}"
+# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499
-    state: present
 
-- name: Disable password-based logins to root
+# We assume 0-init/tasks/validate_vars.yml has DEFINITELY been run, so no need
-  lineinfile:
+# to re-check whether vars are defined here.  As Ansible vars cannot be unset:
-    dest: /etc/ssh/sshd_config
+# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible
-    regexp: '^PermitRootLogin'
-    line: 'PermitRootLogin without-password'
-    state: present
-  #when: sshd_enabled | bool
-#TODO: use handler to reload ssh
 
-- name: mkdir /root/.ssh
+- name: Assert that "sshd_install is sameas true" (boolean not string etc)
-  file:
+  assert:
-    state: directory
+    that: sshd_install is sameas true
-    path: /root/.ssh
+    fail_msg: "PLEASE SET 'sshd_install: True' e.g. IN: /etc/iiab/local_vars.yml"
-    owner: root
+    quiet: yes
-    group: root
-    mode: '0700'
-  #when: sshd_enabled | bool
 
-- name: Install dummy root keys as placeholder
+- name: Assert that "sshd_enabled | type_debug == 'bool'" (boolean not string etc)
-  copy:
+  assert:
-    src: dummy_authorized_keys
+    that: sshd_enabled | type_debug == 'bool'
-    dest: /root/.ssh/authorized_keys
+    fail_msg: "PLEASE GIVE VARIABLE 'sshd_enabled' A PROPER (UNQUOTED) ANSIBLE BOOLEAN VALUE e.g. IN: /etc/iiab/local_vars.yml"
-    owner: root
+    quiet: yes
-    group: root
-    mode: '0600'
-    force: no
-  #when: sshd_enabled | bool
 
 
-# RECORD sshd AS INSTALLED
+- name: Install sshd if 'sshd_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
-
+  include_tasks: install.yml
-- name: "Set 'sshd_installed: True'"
+  when: sshd_installed is undefined
-  set_fact:
-    sshd_installed: True
-
-- name: "Add 'sshd_installed: True' to {{ iiab_state_file }}"
-  lineinfile:
-    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
-    regexp: '^sshd_installed'
-    line: 'sshd_installed: True'
 
 
-- name: Enable & Start ssh daemon ({{ sshd_service }}) if sshd_enabled
+- include_tasks: enable-or-disable.yml
-  systemd:
-    name: "{{ sshd_service }}"
-    daemon_reload: yes
-    enabled: yes
-    state: started
-  when: sshd_enabled | bool
 
-- name: Disable & Stop ssh daemon ({{ sshd_service }}) if not sshd_enabled
+
-  systemd:
+- name: Add 'sshd' variable values to {{ iiab_ini_file }}
-    name: "{{ sshd_service }}"
+  ini_file:
-    enabled: no
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    state: stopped
+    section: sshd
-  when: not sshd_enabled
+    option: "{{ item.option }}"
+    value: "{{ item.value | string }}"
+  with_items:
+  - option: name
+    value: sshd
+  - option: description
+    value: '"Secure Shell daemon (typically implemented by openssh-server) for remote login using the ''ssh'' low-level protocol."'
+  - option: sshd_port
+    value: "{{ sshd_port }}"
+  - option: sshd_enabled
+    value: "{{ sshd_enabled }}"

scripts/iiab-diagnostics

@@ -211,8 +211,9 @@ cat_cmd 'sudo iptables-save' 'Firewall rules'
 echo -e "\n  6. Log Files: (last 100 lines of each)\n"
 echo -e "\n\n\n\n6. LOG FILES (LAST 100 LINES OF EACH)\n" >> $outfile
 cat_tail /opt/iiab/iiab/iiab-install.log 100
-cat_tail /opt/iiab/iiab/iiab-network.log 100
+cat_tail /opt/iiab/iiab/iiab-configure.log 100
 cat_tail /opt/iiab/iiab/iiab-debug.log 100
+cat_tail /opt/iiab/iiab/iiab-network.log 100
 cat_tail /opt/iiab/iiab-admin-console/admin-install.log 100
 cat_tail /var/log/messages 100
 cat_tail /var/log/syslog 100

scripts/iiab-diagnostics.README.md

@@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things:
 
 ## Source Code
 
-Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-218 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.
+Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-219 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.

vars/default_vars.yml

@@ -113,7 +113,6 @@ wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # Gateway mode
 iiab_lan_enabled: True
 iiab_wan_enabled: True
-ssh_port: 22    # SEE sshd_* vars below.
 # Ties in what the user populated in the GUI for static WAN IP address info:
 gui_wan: True
 adm_cons_force_ssl: False
@@ -207,13 +206,13 @@ wan_try_dhcp_before_static_ip: True   # Facilitate field updates w/ cablemodems
 
 # 1-PREP
 
-# SEE ssh_port var above.
+# SSHD runs here & also below in 4-SERVER-OPTIONS
-sshd_install: True    # 2020-01-21: do not rely on this var for now (might be implemented in future)
+sshd_install: True    # Required by OpenVPN
 sshd_enabled: True
+sshd_port: 22    # Not fully functional.  SEE: roles/sshd/tasks/install.yml
 
-# roles/iiab-admin runs here
+# IIAB-ADMIN runs here - see its vars near top of this file:
-# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE: e.g. iiab_admin_user_install,
+# e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
-# iiab_admin_user, iiab_admin_published_pwd, iiab_admin_pwd_hash
 
 openvpn_install: True
 openvpn_enabled: False
@@ -244,12 +243,17 @@ pi_swap_file_size: 1024
 admin_console_install: True
 admin_console_enabled: True
 
-# MySQL MANDATORY - THESE 2 VARS HAVE NO EFFECT - SEE roles/0-init/tasks/main.yml & roles/mysql/tasks/main.yml
+# 2020-09-24: MySQL / MariaDB is MANDATORY but still evolving - please see:
+# https://github.com/iiab/iiab/blob/master/roles/mysql/tasks/install.yml
+# https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml
+# THESE 2 LEGACY VARS ARE PRESERVED BUT HAVE NO EFFECT:
 mysql_install: True
 mysql_enabled: True
 
-# 2019-01-13: IIAB's use of NGINX is still evolving -- please review this
+# 2020-09-24: NGINX is MANDATORY but still evolving - please see:
-# evolving doc: https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+# https://github.com/iiab/iiab/blob/master/roles/nginx/README.md
+# https://github.com/iiab/iiab/blob/master/roles/3-base-server/tasks/main.yml
+# THESE 2 LEGACY VARS ARE PRESERVED BUT HAVE NO EFFECT:
 nginx_install: True
 nginx_enabled: True
 nginx_port: 80
@@ -269,12 +273,9 @@ apache_allow_sudo: True
 
 # See also Apache vars {default_language, language_priority} @ top of this file
 #
-# 2020-05-21: apache_install is completely ignored as Apache is installed on
+# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Apache is installed on demand as
-# demand as a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED and/or
+# a dependency -- by CUPS, Elgg, Lokole, Moodle, Node-RED, PBX &/or phpMyAdmin
-# phpMyAdmin -- but for now we set fake value 'apache_install: True' so that
+apache_install: False
-# 'apache_installed is defined' input validation works, e.g. in
-# 0-init/tasks/validate_vars.yml
-apache_install: True
 apache_enabled: False
 #
 # NGINX proxies to Apache for legacy IIAB services, using:
@@ -284,6 +285,8 @@ apache_interface: 127.0.0.1    # 2020-01-13: Var unused
 
 # 4-SERVER-OPTIONS
 
+# SSHD runs here & also above in 1-PREP
+
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 
@@ -295,14 +298,6 @@ squid_enabled: False
 dansguardian_install: False
 dansguardian_enabled: False
 
-# 2020-02-04: postgresql_install is completely ignored as PostgreSQL is
-# installed on demand as a dependency -- by Moodle &/or Pathagar -- but for now
-# we set fake value 'postgresql_install: True' so that
-# 'postgresql_installed is defined' input validation works, e.g. in
-# 0-init/tasks/validate_vars.yml
-postgresql_install: True
-postgresql_enabled: False
-
 # Common UNIX Printing System (CUPS)
 cups_install: False
 cups_enabled: False
@@ -351,7 +346,7 @@ idmgr_enabled: False    # 2020-01-23: UNUSED
 
 # UNMAINTAINED as of September 2020
 azuracast_install: False
-azuracast_enabled: False    # This var is currently IGNORED.
+azuracast_enabled: False    # This var is currently IGNORED
 azuracast_http_port: 10080
 azuracast_https_port: 10443
 #
@@ -393,12 +388,9 @@ mosquitto_install: False
 mosquitto_enabled: False
 mosquitto_port: 1883
 
-# 2020-02-04: nodejs_install is completely ignored as Node.js is installed on
+# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Node.js is installed on demand
-# demand as a dependency -- by Node-RED, Sugarizer and/or Internet Archive --
+# as a dependency -- by Node-RED, Sugarizer &/or Internet Archive
-# but for now we set fake value 'nodejs_install: True' so that
+nodejs_install: False
-# 'nodejs_installed is defined' input validation works, e.g. in
-# 0-init/tasks/validate_vars.yml
-nodejs_install: True
 nodejs_enabled: False
 # Node.js version used by roles/nodejs/tasks/main.yml for 3 roles:
 # nodered (Node-RED), pbx (Asterix, FreePBX) & sugarizer (Sugarizer)
@@ -463,25 +455,15 @@ kiwix_incl_apk: False
 kiwix_apk_url: /software/kiwix
 kiwix_apk_src: https://download.kiwix.org/release/kiwix-android/kiwix.apk
 
+# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as PostgreSQL is installed on
+# demand as a dependency -- by Moodle &/or Pathagar
+postgresql_install: False
+postgresql_enabled: False
+
 moodle_install: False
 moodle_enabled: False
 # If using Moodle intensively, set nginx_high_php_limits further above.
 
-# MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience.
-# This role was formerly installed by roles/sugarizer/meta/main.yml
-#
-# 2020-02-04: mongodb_install is completely ignored as MongoDB is installed on
-# demand as a dependency -- by Sugarizer -- but for now we set fake value
-# 'mongodb_install: True' so that 'mongodb_installed is defined' input
-# validation works, e.g. in 0-init/tasks/validate_vars.yml
-mongodb_install: True
-# FYI 'mongodb_enabled: False' works when Sugarizer is disabled.  Required by
-# mongodb/tasks/enable.yml to shut down the service and log status, but that is
-# misleading as Sugarizer starts mongodb's systemd service on its own, due to
-# 'Requires=mongodb.service' within /etc/systemd/system/sugarizer.service
-mongodb_enabled: False
-mongodb_port: 27018
-
 # Regional OSM vector maps use far less disk space than bitmap/raster versions.
 # Instructions: https://github.com/iiab/iiab/wiki/IIAB-Maps
 osm_vector_maps_install: True
@@ -489,6 +471,19 @@ osm_vector_maps_enabled: False
 iiab_map_url : http://download.iiab.io/content/OSM/vector-tiles/maplist/hidden
 vector_map_path: "{{ content_base }}/www/osm-vector-maps"    # /library/www/osm-vector-maps
 
+# MongoDB (/library/dbdata/mongodb) greatly enhances the Sugarizer experience.
+# This role was formerly installed by roles/sugarizer/meta/main.yml
+#
+# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as MongoDB is installed on demand
+# as a dependency -- by Sugarizer
+mongodb_install: False
+# 'mongodb_enabled: False' MAY work when Sugarizer is disabled.  Required by
+# mongodb/tasks/enable.yml to shut down the service and log status, but that is
+# misleading as Sugarizer starts mongodb's systemd service on its own, due to
+# 'Requires=mongodb.service' within /etc/systemd/system/sugarizer.service
+mongodb_enabled: False
+mongodb_port: 27018
+
 # roles/sugarizer/meta/main.yml auto-invokes 2 above prereqs: mongodb & nodejs
 # Might stall MongoDB on Power Failure: github.com/xsce/xsce/issues/879
 # Sugarizer 1.0.1+ strategies to solve? github.com/iiab/iiab/pull/957
@@ -564,11 +559,9 @@ vnstat_enabled: False
 
 # 9-LOCAL-ADDONS
 
-# 2020-02-04: yarn_install is completely ignored as the Yarn package manager is
+# 2020-09-24: BOTH VALUES BELOW ARE IGNORED as Yarn is installed on demand as a
-# installed on demand as a dependency -- by Internet Archive -- but for now we
+# dependency -- by Internet Archive
-# set fake value 'yarn_install: True' so that 'yarn_installed is defined' input
+yarn_install: False
-# validation works, e.g. in 0-init/tasks/validate_vars.yml
-yarn_install: True
 yarn_enabled: False
 
 # Internet Archive Offline / Decentralized Web - create your own offline

vars/local_vars_big.yml

@@ -130,8 +130,11 @@ js_menu_install: True
 
 # 1-PREP
 
-# roles/sshd & roles/iiab-admin run here
+# SSHD runs here & also below in 4-SERVER-OPTIONS
-# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
+sshd_install: True    # Required by OpenVPN
+sshd_enabled: True
+
+# IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
@@ -170,6 +173,8 @@ apache_allow_sudo: True
 
 # 4-SERVER-OPTIONS
 
+# SSHD runs here & also above in 1-PREP
+
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 

vars/local_vars_medium.yml

@@ -130,8 +130,11 @@ js_menu_install: True
 
 # 1-PREP
 
-# roles/sshd & roles/iiab-admin run here
+# SSHD runs here & also below in 4-SERVER-OPTIONS
-# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
+sshd_install: True    # Required by OpenVPN
+sshd_enabled: True
+
+# IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
@@ -170,6 +173,8 @@ apache_allow_sudo: True
 
 # 4-SERVER-OPTIONS
 
+# SSHD runs here & also above in 1-PREP
+
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")
 

vars/local_vars_min.yml

@@ -130,8 +130,11 @@ js_menu_install: True
 
 # 1-PREP
 
-# roles/sshd & roles/iiab-admin run here
+# SSHD runs here & also below in 4-SERVER-OPTIONS
-# SEE IIAB-ADMIN VARIABLES NEAR TOP OF THIS FILE:
+sshd_install: True    # Required by OpenVPN
+sshd_enabled: True
+
+# IIAB-ADMIN runs here - see its vars near top of this file:
 # e.g. iiab_admin_user_install, iiab_admin_user, iiab_admin_pwd_hash
 
 # SECURITY WARNING: See http://wiki.laptop.org/go/IIAB/Security
@@ -170,6 +173,8 @@ apache_allow_sudo: True
 
 # 4-SERVER-OPTIONS
 
+# SSHD runs here & also above in 1-PREP
+
 # DNS prep (dnsmasq, named &/or dhcpd) run here.  The full network stage runs
 # after 9-LOCAL-ADDONS (or manually run "cd /opt/iiab/iiab; ./iiab-network")