diff --git a/roles/httpd/files/html/services/power_off.php b/roles/httpd/files/html/services/power_off.php
new file mode 100644
index 000000000..49a566b86
--- /dev/null
+++ b/roles/httpd/files/html/services/power_off.php
@@ -0,0 +1,5 @@
+<?php
+
+echo exec ( "sudo poweroff");
+
+?>
diff --git a/roles/httpd/tasks/html.yml b/roles/httpd/tasks/html.yml
index e08ede7a1..8678af22c 100644
--- a/roles/httpd/tasks/html.yml
+++ b/roles/httpd/tasks/html.yml
@@ -43,6 +43,16 @@
   with_fileglob:
         - html/assets/*
 
+# copy all services, even if not permissioned elsewhere
+- name: Copy services files
+  copy: src={{ item }}
+        dest={{ doc_root }}/common/services
+        mode=0644
+        owner=root
+        group=root
+  with_fileglob:
+        - html/services/*
+
 - name: Create symlink from assets to iiab.ini
   file: src=/etc/iiab/iiab.ini
         dest={{ doc_root }}/common/assets/iiab.ini
diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml
index 4102bc168..ae6892ff8 100644
--- a/roles/httpd/tasks/main.yml
+++ b/roles/httpd/tasks/main.yml
@@ -161,3 +161,9 @@
   template: src=020_apache_poweroff.j2
             dest=/etc/sudoers.d/020_apache_poweroff
             mode=0755
+  when: allow_apache_sudo
+
+- name: Remove apache_user permission for poweroff
+  file: dest=/etc/sudoers.d/020_apache_poweroff
+        state=absent
+  when: not allow_apache_sudo
diff --git a/roles/httpd/templates/020_apache_poweroff.j2 b/roles/httpd/templates/020_apache_poweroff.j2
index 42ef87b9c..bf4e0093c 100644
--- a/roles/httpd/templates/020_apache_poweroff.j2
+++ b/roles/httpd/templates/020_apache_poweroff.j2
@@ -1 +1 @@
-{{ apache_user }} ALL=(ALL) NOPASSWD: /sbin/poweroff, /bin/systemctl poweroff
+{{ apache_user }} ALL =NOPASSWD: /sbin/poweroff, /bin/systemctl poweroff
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index 5a26660fd..e4608fb30 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -88,6 +88,9 @@ wan_nameserver:
 
 # 3-BASE
 
+# apache
+allow_apache_sudo: False
+
 # dhcpd
 dhcpd_install: True
 dhcpd_enabled: False
@@ -169,7 +172,7 @@ ejabberd_enabled: False
 
 # idmgr and activity-server
 idmgr_install: True
-activity-server_install: True
+activity_server_install: False
 xo_services_enabled: False
 
 # 6-GENERIC-APPS