Merge branch 'iiab:master' into gitea-1.15

install-support.yml

@@ -9,5 +9,4 @@
   roles:
     - { role: 0-init }
     - { role: sshd }
-    - { role: iiab-admin }
     - { role: openvpn }

roles/0-DEPRECATED-ROLES/elgg/defaults/main.yml

@@ -21,7 +21,7 @@ dbname: elggdb
 dbhost: localhost
 dbprefix: elgg_
 
-# The following variables must be in sync with template/elggdb.sql.j2
+# The following variables must be in sync with templates/elggdb.sql.j2
 # If you change them, you will probably have to rebuild the database.
 # They can be changed from the administrative interface once Elgg is installed.
 

roles/0-DEPRECATED-ROLES/elgg/tasks/install.yml

@@ -1,11 +1,12 @@
-- name: "Set 'apache_install: True' and 'apache_enabled: True'"
+# - name: "Set 'apache_install: True' and 'apache_enabled: True'"
-  set_fact:
+#   set_fact:
-    apache_install: True
+#     apache_install: True
-    apache_enabled: True
+#     apache_enabled: True
+#
+# - name: APACHE - run 'httpd' role
+#   include_role:
+#     name: httpd
 
-- name: APACHE - run 'httpd' role
-  include_role:
-    name: httpd
 
 # 2020-06-15: roles/httpd/tasks/install.yml now takes care of this.
 # # 2020-05-21: Required now that mysql/tasks/install.yml installs
@@ -32,7 +33,7 @@
   #  creates: "{{ downloads_dir }}/elgg-{{ elgg_version }}.zip"
   get_url:
     url: "{{ iiab_download_url }}/elgg-{{ elgg_version }}.zip"
-    dest: "{{ downloads_dir }}"
+    dest: "{{ downloads_dir }}"    # /opt/iiab/downloads
     timeout: "{{ download_timeout }}"
   when: internet_available
 
@@ -41,7 +42,7 @@
     path: "/opt/elgg-{{ elgg_version }}/index.php"
   register: elgg
 
-- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist
+- name: Unpack (unarchive) .zip to /opt, if above index.php doesn't exist ({{ apache_user }}:{{ apache_user }})
   #shell: "/usr/bin/unzip -o {{ downloads_dir }}/elgg-{{ elgg_version }}.zip -d /opt"
   unarchive:
     #remote_src: yes
@@ -52,7 +53,7 @@
     group: "{{ apache_user }}"
   when: elgg.stat.exists is defined and not elgg.stat.exists
 
-- name: Create softlink from /opt/elgg to /opt/elgg-{{ elgg_version }}
+- name: Symlink /opt/elgg -> /opt/elgg-{{ elgg_version }}
   file:
     src: "./elgg-{{ elgg_version }}"
     path: /opt/elgg
@@ -69,13 +70,13 @@
     group: "{{ apache_user }}"
 
 # The name of this file changed from 1.9 to 1.10.
-- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree
+- name: Copy default .htaccess into /opt/{{ elgg_xx }}, root of Elgg tree (0644)
   copy:
     src: "/opt/{{ elgg_xx }}/vendor/elgg/elgg/install/config/htaccess.dist"
     dest: "/opt/{{ elgg_xx }}/.htaccess"
     owner: "{{ apache_user }}"
     group: "{{ apache_user }}"
-    mode: '0644'
+    mode: 0644
 
 #regexp='^#RewriteBase'
 - name: Change .htaccess to include RewriteBase for http://box{{ elgg_url }}    # http://box/elgg
@@ -86,12 +87,12 @@
     insertafter: '^#RewriteBase'
     line: "RewriteBase {{ elgg_url }}/"
 
-- name: Set /opt/elgg/engine directory permissions to 0755 so Apache can write there
+- name: Set /opt/elgg/engine directory permissions to 0755 (owner {{ apache_user }}) so Apache can write there
   file:
     state: directory
     path: /opt/elgg/engine/
     owner: "{{ apache_user }}"
-    mode: '0755'
+    mode: 0755
 
 - name: Change /opt/elgg-{{ elgg_version }} ownership to {{ apache_user }}:{{ apache_user }} (likely not nec, as unarchive & all do this above)
   file:
@@ -103,14 +104,14 @@
 
 - name: Create upload directory {{ elgg_upload_path }} that Apache (and Elgg) can write to
   file:
-    path: "{{ elgg_upload_path }}"
+    path: "{{ elgg_upload_path }}"    # /library/elgg
     state: directory
     owner: "{{ apache_user }}"
 
-- name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }}    # http://box/elgg
+# - name: Install /etc/{{ apache_conf_dir }}/elgg.conf from template, for http://box{{ elgg_url }}    # http://box/elgg
-  template:
+#   template:
-    src: elgg.conf
+#     src: elgg.conf
-    dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
+#     dest: "/etc/{{ apache_conf_dir }}/elgg.conf"
 
 
 - name: Set up Elgg's MySQL database

roles/0-DEPRECATED-ROLES/elgg/tasks/main.yml

@@ -24,14 +24,13 @@
   when: elgg_installed is undefined
 
 
-#- name: Enable/Disable/Restart Apache if primary
+# #- name: Enable/Disable/Restart Apache if primary
-- name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
+# - name: SHIM FOR NOW SO ALWAYS DO THE...Enable/Disable/Restart Apache
-  include_tasks: apache.yml
+#   include_tasks: apache.yml
-  #when: not nginx_enabled
+#   #when: not nginx_enabled
 
 - name: Enable/Disable/Restart NGINX if primary
   include_tasks: nginx.yml
-  when: nginx_enabled
 
 
 - name: Add 'elgg' variable values to {{ iiab_ini_file }}

roles/0-DEPRECATED-ROLES/httpd/tasks/install.yml

@@ -4,7 +4,7 @@
     #name: ['apache2', 'php{{ php_version }}', 'php{{ php_version }}-curl']       # WORKS?
     name:
       - "{{ apache_service }}"    # apache2 on Debuntu
-      - libapache2-mod-php{{ php_version }}    # 2020-06-15: Required (e.g. for Elgg, Moodle & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
+      - libapache2-mod-php{{ php_version }}    # 2020-06-15: Required (e.g. for Elgg, Moodle, roles/pbx's FreePBX & possibly others) now that mysql/tasks/install.yml installs "php{{ php_version }}-common" rather than the full "php{{ php_version }}" -- 2021-06-28 FYI: this also drags in libsodium23 (likewise installed via nginx/tasks/install.yml AND moodle/tasks/install.yml)
       #- "php{{ php_version }}"
       #- "php{{ php_version }}-curl"
     state: present

roles/0-init/README.rst

@@ -2,8 +2,10 @@
 0-init README
 =============
 
-For a higher-level view, please see `IIAB Installation <https://github.com/iiab/iiab/wiki/IIAB-Installation>`_ and http://FAQ.IIAB.IO
+For a higher-level view of `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_, please see http://FAQ.IIAB.IO and  `IIAB Installation <https://github.com/iiab/iiab/wiki/IIAB-Installation>`_.
 
-This 0th stage literally sets the stage for Internet-in-a-Box (IIAB) installation, prior to Ansible running `Stages 1-to-9 <.>`_ and then the `network <../network>`_ stage.
+This 0th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ literally sets the stage for IIAB installation, prior to Ansible running Stages 1-to-9, which are typically then followed by the `network <../network>`_ stage.
 
-This serves to confirm low-level Ansible facts from the OS — e.g. for housekeeping tasks related to TZ (time zone), hostname, FQDN (fully-qualified domain name), unusual systemwide dependencies etc — and whether Internet is live so that IIAB installation can proceed.
+But first: This 0th stage (0-init) serves to confirm low-level Ansible facts from the OS — e.g. for housekeeping tasks related to TZ (time zone), hostname, FQDN (fully-qualified domain name), unusual systemwide dependencies etc (and whether Internet is live) — so that IIAB installation can get underway.
+
+Recap: Similar to 1-prep, 2-common, 3-base-server, 4-server-options and 5-xo-services ⁠— this 0th stage installs core server infra (that is not user-facing).

roles/0-init/defaults/main.yml

@@ -1,31 +1,52 @@
+# gui_port: 80    # 2021-08-17: For iptables.  And #2811 dreams of HTTPS/443 ?
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
+
+
+# SEE ALSO /opt/iiab/iiab/roles/1-prep/defaults/main.yml
+
+#is_F18: False                  # 2021-07-30: No longer used
+
 # (PRE-)release version number, for {{ iiab_env_file }} = /etc/iiab/iiab.env
-# iiab_base_ver: 7.1
+# iiab_base_ver: 8.0
 # iiab_revision: 0
-# ABOVE MOVED TO /opt/iiab/iiab/vars/default_vars.yml
+# ABOVE 3 LINES MOVED TO /opt/iiab/iiab/vars/default_vars.yml
+
 
 # These entries should never be changed in this file.
 # These are defaults for boolean routines.
+
+# 2021-07-30: This variable (first_run) is still used in 2 places:
+#   (1) roles/1-prep/tasks/main.yml for raspberry_pi.yml
+#   (2) roles/network/tasks/named.yml
+# ...after it is set in 0-init/tasks/main.yml
 first_run: False
-rpi_model: none
+rpi_model: none                 # 2021-07-30: Broadly used!
-xo_model: none
+#xo_model: none                 # 2021-07-30: No longer used
+# 2021-07-30: Recorded to /etc/iiab/iiab.ini but not used programmatically:
 gw_active: False
+# 2021-07-30: Broadly used, but not in an organized way -- most all IIAB
+# outfitting/provisioning happens online -- in situations where connectivity
+# failures should be reported to the operator, rather than papered over:
 internet_available: False
-discovered_wan_iface: none
+discovered_wan_iface: none      # 2021-07-30: Very broadly used!
 
-# Old defs
+# 2021-07-30: Barely used -- for {named, dhcpd, squid} in
-gui_port: 80
+# roles/network/tasks/main.yml -- after being set in 0-init/tasks/network.yml
-is_F18: False
+FQDN_changed: False
 
-# Set default 1-prep discovered hardware
+#rtc_id: none                   # 2021-07-30: Moved to 1-prep/defaults/main.yml
-rtc_id: none
+#NUC6_firmware_needed: False    # 2021-07-30: Apparently never used
-NUC6_firmware_needed: False
 
-# Used in 2-common/tasks/xo.yml
+#wifi_id: none          # 2021-07-30: Had been used in 2-common/tasks/xo.yml
-wifi_id: none
 
-# Used in 2-common, 3-base-server and roles/network
+# 2021-08-16: roles/network/tasks/squid.yml#L16 to stop Squid
-installing: False
+# ("when: not installing") was the only non-Fedora use of this var.
+# Earlier, this var HAD also been used in 2-common and 3-base-server.
+# installing: False
 
-# Network
+# 2021-07-30: Broadly used across roles/network/tasks/*.yml -- but things might
+# possibly change if roles/network becomes optional per PR #2876 ?
 no_net_restart: False
-no_NM_reload: False
+#no_NM_reload: False    # 2021-07-30: Was used in roles/network/tasks/fedora/*

roles/0-init/tasks/create_iiab_ini.yml

@@ -35,7 +35,7 @@
       value: "{{ ansible_local.local_facts.iiab_commit }}"
     - option: install_date
       value: "{{ ansible_date_time.iso8601 }}"
-    - option: xo_model
+    #- option: xo_model
-      value: "{{ xo_model }}"
+    #  value: "{{ xo_model }}"
     - option: rpi_model
       value: "{{ rpi_model }}"

roles/0-init/tasks/first_run.yml

@@ -1,2 +0,0 @@
-- name: Create {{ iiab_ini_file }}
-  include_tasks: iiab_ini.yml

roles/0-init/tasks/hostname.yml

@@ -1,28 +1,27 @@
-- name: Does /etc/cloud/cloud.cfg exist i.e. is this ubuntu-18 server?
+- name: Does /etc/cloud/cloud.cfg exist e.g. is this Ubuntu Server 18+ ?
   stat:
     path: /etc/cloud/cloud.cfg
-  register: U18_server
+  register: cloudcfg_test
 
-- name: 'Put "preserve_hostname: true" in /etc/cloud/cloud.cfg (ubuntu-18 server)'
+- name: "If so, ensure 'preserve_hostname: true' is in /etc/cloud/cloud.cfg"
   lineinfile:
     path: /etc/cloud/cloud.cfg
     regexp: '^preserve_hostname*'
     line: 'preserve_hostname: true'
     state: present
-  when: U18_server is defined and U18_server.stat.exists
+  when: cloudcfg_test.stat.exists
 
-- name: 'Turn the crank for systemd: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}" (debuntu)'
+- name: 'Turn the crank for systemd: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"'
-  shell: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
+  command: hostnamectl set-hostname "{{ iiab_hostname }}.{{ iiab_domain }}"
-  when: is_debuntu
 
-- name: Install /etc/sysconfig/network from template (redhat)
+#- name: Install /etc/sysconfig/network from template (redhat)
-  template:
+#  template:
-    src: roles/network/templates/network/sysconfig.network.j2
+#    src: roles/network/templates/network/sysconfig.network.j2
-    dest: /etc/sysconfig/network
+#    dest: /etc/sysconfig/network
-    owner: root
+#    owner: root
-    group: root
+#    group: root
-    mode: 0644
+#    mode: 0644
-  when: is_redhat
+#  when: is_redhat
 
 # roles/network/tasks/hosts.yml [no longer in use] ALSO did this:
 - name: 'Put FQDN & hostnames in /etc/hosts: "127.0.0.1 {{ iiab_hostname }}.{{ iiab_domain }} localhost.localdomain localhost {{ iiab_hostname }} box box.lan"'
@@ -30,9 +29,9 @@
     path: /etc/hosts
     regexp: '^127\.0\.0\.1'
     line: '127.0.0.1     {{ iiab_hostname }}.{{ iiab_domain }} localhost.localdomain localhost {{ iiab_hostname }} box box.lan'
-    owner: root
+    #owner: root
-    group: root
+    #group: root
-    mode: 0644
+    #mode: 0644
 
 #- name: Re-configuring httpd - not initial install
 #  include_tasks: roles/httpd/tasks/main.yml

roles/0-init/tasks/main.yml

@@ -1,25 +1,39 @@
 # Initialize
+
 - name: ...IS BEGINNING ============================================
   stat:
-    path: "{{ iiab_env_file }}"
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-  register: NewInstall
+  register: iiab_ini_test
 
+# Higher-level purpose explained at the bottom of:
+# https://github.com/iiab/iiab/blob/master/vars/default_vars.yml
+- name: "Ansible just ran /etc/ansible/facts.d/local_facts.fact to set 10 vars -- here we extract 2 of those -- rpi_model: {{ ansible_local.local_facts.rpi_model }}, iiab_stage: {{ ansible_local.local_facts.stage }}"
+  set_fact:
+    rpi_model: "{{ ansible_local.local_facts.rpi_model }}"
+    #xo_model: "{{ ansible_local.local_facts.xo_model }}"
+    iiab_stage: "{{ ansible_local.local_facts.stage }}"
+
+# 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
+#- name: Re-read local_facts.facts from /etc/ansible/facts.d
+#  setup:
+#    filter: ansible_local
+
+# Initialize /etc/iiab/iiab.ini writing the 'location' and 'version' sections
+# once and only once, to preserve the install date and git hash.
+- name: Create {{ iiab_ini_file }}, if it doesn't exist
+  include_tasks: create_iiab_ini.yml
+  when: not iiab_ini_test.stat.exists
+
+# 2021-07-30: The 'first_run' flag isn't much used anymore.  In theory it's
+# still used in these 2 places:
+#   (1) roles/1-prep/tasks/main.yml for raspberry_pi.yml
+#   (2) roles/network/tasks/named.yml for "Stop named before copying files"
+# In practice however, it's no longer important, and might be reconsidered?
 - name: Set first_run flag
   set_fact:
     first_run: True
-  when: not NewInstall.stat.exists
+  when: not iiab_ini_test.stat.exists
 
-- name: Set top-level variables from local_facts for convenience
-  set_fact:
-    rpi_model: "{{ ansible_local.local_facts.rpi_model }}"
-    xo_model: "{{ ansible_local.local_facts.xo_model }}"
-    iiab_stage: "{{ ansible_local.local_facts.stage }}"
-
-# We need to inialize the ini file and only write the location and version
-# sections once and only once to preserve the install date and git hash.
-- name: Create IIAB tools and {{ iiab_ini_file }}, if first_run
-  include_tasks: first_run.yml
-  when: first_run
 
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
@@ -29,90 +43,26 @@
     dest: /usr/bin/
     mode: '0755'
 
-- name: Create globally-writable directory /etc/iiab/diag so non-root users can run iiab-diagnostics
+- name: Create globally-writable directory /etc/iiab/diag (0777) so non-root users can run 'iiab-diagnostics'
   file:
     state: directory
     path: /etc/iiab/diag
     mode: '0777'
 
-# 2020-10-29: Appears no longer nec (see 3 above ansible_local.local_facts.*)
-#- name: Re-read local_facts.facts from /etc/ansible/facts.d
-#  setup:
-#    filter: ansible_local
 
 - name: Pre-check that IIAB's "XYZ_install" + "XYZ_enabled" vars (1) are defined, (2) are boolean-not-string variables, and (3) contain plausible values.  Also checks that "XYZ_install" is True when "XYZ_installed" is defined.
   include_tasks: validate_vars.yml
 
-# Discover: do we have a gateway?
+- name: "Time Zone / TZ: Set symlink /etc/localtime to UTC if it doesn't exist?"
-# If Ansible detects gateway, becomes WAN candidate.
-- name: "Do we have a gateway? If so set discovered_wan_iface: {{ ansible_default_ipv4.alias }}"
-  set_fact:
-    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
-  when: ansible_default_ipv4.gateway is defined
-
-- name: "Verify gateway active: ping -c4 {{ ansible_default_ipv4.gateway }}"
-  shell: ping -c4 "{{ ansible_default_ipv4.gateway }}" | grep icmp_seq=4 | wc -l
-  when: discovered_wan_iface != "none"
-  register: gw_active_test
-
-- name: If so, set gw_active, iiab_wan_iface to {{ discovered_wan_iface }}
-  set_fact:
-    iiab_wan_iface: "{{ discovered_wan_iface }}"
-    gw_active: True
-  when: discovered_wan_iface != "none" and gw_active_test.stdout == "1"
-
-- name: Test with {{ iiab_wan_iface }} for Internet access ({{ iiab_download_url }}/heart-beat.txt)
-  get_url:
-    url: "{{ iiab_download_url }}/heart-beat.txt"
-    dest: /tmp/heart-beat.txt
-    #timeout: "{{ download_timeout }}"
-    # @jvonau recommends: 100sec is too much (keep 10sec default)
-  ignore_errors: True
-  #async: 10
-  #poll: 2
-  register: internet_access_test
-
-- name: Set internet_available if download succeeded and not disregard_network
-  set_fact:
-    internet_available: True
-  when: not internet_access_test.failed and not disregard_network
-
-- name: Remove downloaded Internet test file /tmp/heart-beat.txt
-  file:
-    path: /tmp/heart-beat.txt
-    state: absent
-
-# Put all computed vars here so derive properly from any prior var file.
-- name: If the TZ is not set in env, set it to UTC
   include_tasks: tz.yml
 
-- name: Set port 80 for Admin Console if not adm_cons_force_ssl
+- name: Test Gateway + Test Internet + Set new hostname/domain (hostname.yml) if nec + Set 'gui_port' to 80 or 443 for Admin Console
-  set_fact:
+  include_tasks: network.yml
-    gui_port: 80
-  when: not adm_cons_force_ssl
 
-- name: Set port 443 for Admin Console if adm_cons_force_ssl
-  set_fact:
-    gui_port: 443
-  when: adm_cons_force_ssl
-
-- name: "Set iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}"
-  set_fact:
-    iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
-    FQDN_changed: False
-
-- name: Set FQDN_changed when iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})
-  set_fact:
-    FQDN_changed: True
-  when: iiab_fqdn != ansible_fqdn
-
-- name: Set hostname if FQDN_changed
-  include_tasks: hostname.yml
-  when: FQDN_changed
 
 - name: Add 'runtime' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: runtime
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"
@@ -137,9 +87,6 @@
       value: "{{ ansible_memtotal_mb }}"
     - option: swap_mb
       value: "{{ ansible_swaptotal_mb }}"
-    # 2021-01-28: Non-existent var, so fails with ansible-base 2.10.5 (#2669)
-    #- option: product_id
-    #  value: "{{ ansible_product_uuid }}"
     - option: gw_active
       value: "{{ gw_active }}"
     - option: internet_available
@@ -148,18 +95,20 @@
       value: "{{ rpi_model }}"
     - option: first_run
       value: "{{ first_run }}"
-    - option: local_tz
+    - option: local_tz    # e.g. 'EDT' (summer) or 'EST' (winter) after Ansible interprets symlink /etc/localtime -- or 'UTC' if /etc/localtime doesn't exist
       value: "{{ local_tz }}"
-    - option: no_NM_reload
+    - option: etc_localtime.stdout    # e.g. 'America/New_York' direct from symlink /etc/localtime -- or '' if /etc/localtime doesn't exist
-      value: "{{ no_NM_reload }}"
+      value: "{{ etc_localtime.stdout }}"
-    - option: is_F18
+    #- option: no_NM_reload
-      value: "{{ is_F18 }}"
+    #  value: "{{ no_NM_reload }}"
+    #- option: is_F18
+    #  value: "{{ is_F18 }}"
     - option: FQDN_changed
       value: "{{ FQDN_changed }}"
 
 - name: Add 'runtime' variable 'is_VM' value if defined, to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: runtime
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"
@@ -169,4 +118,4 @@
   when: is_VM is defined
 
 - name: STAGE 0 HAS COMPLETED ======================================
-  command: echo    # "name: XYZ" fails to appear with "meta: noop"
+  meta: noop    # Or use "command: echo" to force instantiation of vars e.g. "name: {{ var }}"

roles/0-init/tasks/network.yml

@@ -0,0 +1,74 @@
+- name: Do we have a gateway? If 'ip route' specifies a default route, Ansible parses details here...
+  debug:
+    var: ansible_default_ipv4
+
+- name: "If above ansible_default_ipv4.gateway is defined, set WAN candidate 'discovered_wan_iface: {{ ansible_default_ipv4.alias }}' -- using ansible_default_ipv4.alias"
+  set_fact:
+    discovered_wan_iface: "{{ ansible_default_ipv4.alias }}"
+  when: ansible_default_ipv4.gateway is defined
+
+- name: "Verify gateway active: ping -c4 {{ ansible_default_ipv4.gateway }} -- using ansible_default_ipv4.gateway"
+  shell: ping -c4 "{{ ansible_default_ipv4.gateway }}" | grep icmp_seq=4 | wc -l
+  register: gw_active_test
+  when: discovered_wan_iface != "none"
+
+- name: "If gateway responded, set 'gw_active: True' and 'iiab_wan_iface: {{ discovered_wan_iface }}' -- using discovered_wan_iface"
+  set_fact:
+    iiab_wan_iface: "{{ discovered_wan_iface }}"
+    gw_active: True
+  when: discovered_wan_iface != "none" and gw_active_test.stdout == "1"
+
+
+- name: 'Test for Internet access, using: {{ iiab_download_url }}/heart-beat.txt'
+  get_url:
+    url: "{{ iiab_download_url }}/heart-beat.txt"
+    dest: /tmp/heart-beat.txt
+    #timeout: "{{ download_timeout }}"
+    # @jvonau recommends: 100sec is too much (keep 10sec default)
+  ignore_errors: True
+  #async: 10
+  #poll: 2
+  register: internet_access_test
+
+- name: "Set 'internet_available: True' if above download succeeded AND not disregard_network"
+  set_fact:
+    internet_available: True    # Initialized to 'False' in 0-init/defaults/main.yml
+  when: not internet_access_test.failed and not disregard_network
+
+- name: Remove downloaded Internet test file /tmp/heart-beat.txt
+  file:
+    path: /tmp/heart-beat.txt
+    state: absent
+
+
+- name: "Set 'iiab_fqdn: {{ iiab_hostname }}.{{ iiab_domain }}'"
+  set_fact:
+    iiab_fqdn: "{{ iiab_hostname }}.{{ iiab_domain }}"
+    FQDN_changed: False
+
+- name: Set hostname / domain (etc) in various places -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})
+  include_tasks: hostname.yml
+  when: iiab_fqdn != ansible_fqdn
+
+# 2021-07-30: FQDN_changed isn't used as in the past -- its remaining use is
+# for {named, dhcpd, squid} in roles/network/tasks/main.yml -- possibly it
+# should be reconsidered?  See PR #2876: roles/network might become optional?
+- name: "Also set 'FQDN_changed: True' -- if iiab_fqdn != ansible_fqdn ({{ ansible_fqdn }})"
+  set_fact:
+    FQDN_changed: True
+  when: iiab_fqdn != ansible_fqdn
+
+
+# 2021-08-17: (1) iiab-gen-iptables works better if gui_port is set directly in
+# default_vars.yml and/or local_vars.yml (2) Admin Console's iiab-admin.yml
+# and js-menu.yml set 'adm_cons_force_ssl: False'
+
+# - name: "Set 'gui_port: 80' for Admin Console if not adm_cons_force_ssl"
+#   set_fact:
+#     gui_port: 80
+#   when: not adm_cons_force_ssl
+
+# - name: "Set 'gui_port: 443' for Admin Console if adm_cons_force_ssl"
+#   set_fact:
+#     gui_port: 443
+#   when: adm_cons_force_ssl

roles/0-init/tasks/tz.yml

@@ -1,32 +1,70 @@
-- name: Check if the TZ is not already set via /etc/localtime - Can Fail
+- name: "'local_tz: {{ local_tz }}' was set by ansible_date_time.tz in /opt/iiab/iiab/vars/default_vars.yml -- e.g. if Ansible finds symlink /etc/localtime -> ../usr/share/zoneinfo/America/New_York -- it will simplify that to 'EDT' (in the summer) or 'EST' (in the winter)"
-  shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}'
+  command: echo
-  register: TZ_set
-  ignore_errors: True
 
-- name: Set local and iiab TZ to UTC if /etc/localtime is not set
+- name: "Create symlink /etc/localtime if it doesn't exist, by running 'timedatectl set-timezone UTC' -- THIS ALL MIGHT NO LONGER BE NEC IN 2021, AS ANSIBLE CORRECTLY NOW INTERPRETS THE ABSENCE OF /etc/localtime AS 'UTC' -- PER https://www.freedesktop.org/software/systemd/man/localtime.html"
-  set_fact:
+  command: timedatectl set-timezone UTC
-    local_tz: "UTC"
+  args:
-    iiab_TZ: "UTC"
+    creates: /etc/localtime
-  when: TZ_set.stdout == ""
 
-- name: Override ansible on timezone if TZ set
+- name: Symlink /etc/localtime points to which TZ?
-  set_fact:
+  shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}'    # Overall shell command always completes (return code 0) even when /etc/localtime is missing -- due to the '|' pipe
-    local_tz: "{{ TZ_set.stdout }}"
+  register: etc_localtime
-  when: TZ_set.stdout != ""
 
-- name: Using iiab TZ for local TZ
+- name: "/etc/localtime now specifies: {{ etc_localtime.stdout }}"
-  set_fact:
+  command: echo    # 'meta: noop' is not enough to force instantiation of 'name: {{ var }}' just above
-    local_tz: "{{ iiab_TZ }}"
-  when: iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
 
-- name: Set default Timezone from iiab TZ (debuntu)
-  shell: timedatectl set-timezone {{ iiab_TZ }}
-  when: is_debuntu and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
 
-- name: Set default Timezone from iiab TZ (redhat)
+#- name: Check for a /etc/localtime symlink to TZ - NEVER FAILS DUE TO PIPE
-  file:
+#  shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}'
-    path: /etc/localtime
+#  register: tz_set
-    src: "/usr/share/zoneinfo/{{ iiab_TZ }}"
+
-    force: yes
+#- debug:
-    state: link
+#    var: tz_set
-  when: is_redhat and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
+
+#- name: "If /etc/localtime specified TZ, set 'local_tz: {{ tz_set.stdout }}' overriding the value Ansible set via /etc/iiab/default_vars.yml"
+#  set_fact:
+#    local_tz: "{{ tz_set.stdout }}"
+#  when: tz_set.stdout != ""
+
+#- name: "If not, run 'timedatectl set-timezone UTC' and..."
+#  command: timedatectl set-timezone UTC
+#  when: tz_set.stdout == ""
+
+#- name: "...also set 'local_tz: UTC'"
+#  set_fact:
+#    local_tz: UTC
+#  when: tz_set.stdout == ""
+
+
+#- name: Check if the TZ is not already set via /etc/localtime - Can Fail
+#  shell: readlink /etc/localtime | awk -F "zoneinfo/" '{print $2}'
+#  register: TZ_set
+#  ignore_errors: True
+
+#- name: Set local and iiab TZ to UTC if /etc/localtime is not set
+#  set_fact:
+#    local_tz: "UTC"
+#    iiab_TZ: "UTC"
+#  when: TZ_set.stdout == ""
+
+#- name: Override ansible on timezone if TZ set
+#  set_fact:
+#    local_tz: "{{ TZ_set.stdout }}"
+#  when: TZ_set.stdout != ""
+
+#- name: Using iiab TZ for local TZ
+#  set_fact:
+#    local_tz: "{{ iiab_TZ }}"
+#  when: iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
+
+#- name: Set default Timezone from iiab TZ (debuntu)
+#  shell: timedatectl set-timezone {{ iiab_TZ }}
+#  when: is_debuntu and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"
+
+#- name: Set default Timezone from iiab TZ (redhat)
+#  file:
+#    path: /etc/localtime
+#    src: "/usr/share/zoneinfo/{{ iiab_TZ }}"
+#    force: yes
+#    state: link
+#  when: is_redhat and iiab_TZ is defined and iiab_TZ != "" and iiab_TZ != "TZ_set.stdout"

roles/0-init/tasks/validate_vars.yml

@@ -61,9 +61,9 @@
 # https://github.com/iiab/iiab/blob/master/tests/test.yml
 # https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/validate_vars.yml
 #
-# 2020-11-04: Fix validation of 5 core dependencies, for ./runrole etc
+# 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
 
-- name: Set vars_checklist for 46 + 46 + 41 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 43 + 43 + 39 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
   set_fact:
     vars_checklist:
       - hostapd
@@ -76,10 +76,10 @@
       - openvpn
       - admin_console
       #- nginx              # MANDATORY
-      - apache              # Dependency - excluded from _installed check below
+      #- apache             # Unmaintained - former dependency
       #- mysql              # MANDATORY
       - squid
-      - dansguardian
+      #- dansguardian       # Unmaintained
       - cups
       - samba
       - usb_lib
@@ -90,7 +90,7 @@
       - azuracast
       #- dokuwiki           # Unmaintained
       #- ejabberd           # Unmaintained
-      - elgg
+      #- elgg               # Unmaintained
       - gitea
       - jupyterhub
       - lokole
@@ -99,7 +99,6 @@
       - nodejs              # Dependency - excluded from _installed check below
       - nodered
       - nextcloud
-      - pbx
       - wordpress
       - kalite
       - kolibri
@@ -116,11 +115,12 @@
       - phpmyadmin
       - vnstat
       - yarn                # Dependency - excluded from _installed check below
-      - internetarchive
       - captiveportal
+      - internetarchive
       - minetest
-      - calibre
       - calibreweb
+      - calibre
+      - pbx
 
 - name: Assert that {{ vars_checklist | length }} "XYZ_install" vars are all... defined
   assert:
@@ -162,5 +162,5 @@
     that: "{{ item }}_install or {{ item }}_installed is undefined"
     fail_msg: "DISALLOWED: '{{ item }}_install: False' (e.g. in /etc/iiab/local_vars.yml) WHEN '{{ item }}_installed' is defined (e.g. in /etc/iiab/iiab_state.yml) -- IIAB DOES NOT SUPPORT UNINSTALLS -- please verify those 2 files especially, and other places variables are defined?"
     quiet: yes
-  when: item != 'apache' and item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn'    # Exclude auto-installed dependencies
+  when: item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn'    # Exclude auto-installed dependencies
   loop: "{{ vars_checklist }}"

roles/1-prep/README.rst

@@ -2,15 +2,24 @@
 1-prep README
 =============
 
-This 1st stage (1-prep) is primarily hardware-focused, prior to OS
+This 1st `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ (1-prep) arranges low-level things like remote support infra, DNS prep, hardware, low-level OS quirks, and basic security:
-additions/mods, but also includes critical pieces sometimes needed for
-remote support:
 
-- SSH
+- SSHD
-- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin>`_ username and group to log into Admin Console
+- OpenVPN if/as needed later for remote support
-- OpenVPN software if/as needed later for remote support
+- `iiab-admin <https://github.com/iiab/iiab/tree/master/roles/iiab-admin#iiab-admin-readme>`_ username and group, to log into Admin Console
+- dnsmasq (install now, configure later!)
+- Universally unique identifier: /etc/iiab/uuid
+- Ubermix (distro) needs /etc/tmpfiles.d/iiab.conf to create essential /var/log subdirs on each boot
+- Hardware actions:
+   - `raspberry_pi.yml <tasks/raspberry_pi.yml>`_:
+      - RTC (real-time clock): install udev rule, configure, enable
+      - Install packages related to:
+         - growpart
+         - swapfile
+         - fake-hwclock (as RTC is often missing or dead!)
+         - Wi-Fi
+      - Increase swap file size
+      - `rootfs auto-resizing <https://github.com/iiab/iiab/blob/master/roles/1-prep/templates/iiab-rpi-max-rootfs.sh>`_
+   - NUC 6 Wi-Fi firmware
 
-Traditionally 1-prep also included preliminaries like hostname and
+Recap: Similar to 0-init, 2-common, 3-base-server, 4 server-options and 5-xo-services — this 1st stage installs core server infra (that is not user-facing).
-hardware-oriented things specific to a particular platform (such as
-One Laptop Per Child's XO laptop) i.e. critical setup prior to the
-bulk of IIAB's software install.

roles/1-prep/defaults/main.yml

@@ -0,0 +1,11 @@
+# Real-time clock: RTC chip family.  Future auto-detection plausible?
+
+# rtc_id: none    # Or ds3231 ?  Used in 1-prep/tasks/raspberry_pi.yml
+
+# All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
+# If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
+
+
+# SEE ALSO /opt/iiab/iiab/roles/0-init/defaults/main.yml
+
+#NUC6_firmware_needed: False    # 2021-07-30: Apparently never used

roles/1-prep/tasks/hardware.yml

@@ -0,0 +1,17 @@
+##  DISCOVER PLATFORMS ######
+# Put conditional actions for hardware platforms here
+
+- include_tasks: raspberry_pi.yml
+  when: first_run and rpi_model != "none"
+
+- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+  register: usb_NUC6
+  ignore_errors: True
+
+- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
+  get_url:
+    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
+    dest: /lib/firmware
+    timeout: "{{ download_timeout }}"
+  when: internet_available and usb_NUC6.stdout|int > 0

roles/1-prep/tasks/main.yml

@@ -1,87 +1,31 @@
-# Preparations (Hardware Level)
+# Preparations (low-level e.g. remote support, DNS prep, HW/OS, basic security)
 
 - name: ...IS BEGINNING ============================================
-  command: echo
+  meta: noop
 
-- name: dnsmasq (install now, configure LATER in 'network', after Stage 9)
+- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
-  include_tasks: roles/network/tasks/dnsmasq.yml
-  #when: dnsmasq_install    # Flag might be used in future?
-
-
-- name: Install uuid-runtime package (debuntu)
-  package:
-    name: 
-      - uuid-runtime
-      - sudo
-    state: present
-  when: is_debuntu
-
-- name: Does /etc/iiab/uuid file exist?
-  stat:
-    path: /etc/iiab/uuid
-  register: uuid_file
-
-- name: If no uuid exists, create one
-  shell: uuidgen
-  register: uuid_response
-  when: not uuid_file.stat.exists
-
-- name: Put uuid in place at /etc/iiab/uuid
-  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
-  when: not uuid_file.stat.exists
-
-- name: Grab the uuid from /etc/iiab/uuid, into register stored_uuid
-  command: cat /etc/iiab/uuid
-  register: stored_uuid
-
-- name: Place the uuid from register into variable/fact "uuid"
-  set_fact:
-    uuid: "{{ stored_uuid.stdout_lines[0] }}"
-
-
-- name: Does 'ubermix' exist in /etc/lsb-release?
-  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
-  register: grep_ubermix
-  failed_when: False    # Universal way to hide alarmist red errors!
-  #ignore_errors: True
-  #check_mode: no
-
-- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix
-  copy:
-    src: roles/1-prep/files/iiab.conf
-    dest: /etc/tmpfiles.d/
-    # owner: root
-    # group: root
-    # mode: '0644'
-    force: yes
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
-# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
-# pkgs are not installed FWIW.  But it's included to safeguard us across all
-# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
-# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
-- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
-  shell: apt -y remove "libgeos-*"
-  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
-
-
-# Required by OpenVPN below.  Also run by roles/4-server-options/tasks/main.yml
-- name: SSHD
   include_role:
     name: sshd
   when: sshd_install
 
-- name: IIAB-ADMIN
-  include_role:
-    name: iiab-admin
-  #when: iiab_admin_install    # Flag might be created in future?
-
 - name: OPENVPN
   include_role:
     name: openvpn
   when: openvpn_install
 
+- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
+  include_role:
+    name: iiab-admin
+  #when: iiab_admin_install    # Flag might be created in future?
+
+- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
+  include_tasks: roles/network/tasks/dnsmasq.yml
+  #when: dnsmasq_install    # Flag might be used in future?
+
+- include_tasks: uuid.yml
+- include_tasks: ubermix.yml
+- include_tasks: hardware.yml    # Can run raspberry_pi.yml
+
 
 # Debian 10 "Buster" is apparently enabling AppArmor in 2019:
 # https://wiki.debian.org/AppArmor/Progress
@@ -111,27 +55,7 @@
 #  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
 
 
-##  DISCOVER PLATFORMS ######
-# Put conditional actions for hardware platforms here
-
-- include_tasks: raspberry_pi.yml
-  when: first_run and rpi_model != "none"
-
-- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
-  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
-  register: usb_NUC6
-  ignore_errors: True
-
-- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6    # iiab_download_url is http://download.iiab.io/packages
-  get_url:
-    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"
-    dest: /lib/firmware
-    timeout: "{{ download_timeout }}"
-  when: internet_available and usb_NUC6.stdout|int > 0
-
-
-# This script can be sourced to get IIAB path/location
 - name: Recording STAGE 1 HAS COMPLETED ============================
   template:
     src: roles/1-prep/templates/iiab.env.j2
-    dest: "{{ iiab_env_file }}"
+    dest: "{{ iiab_env_file }}"    # Can also be run as a script if absolutely nec, e.g. 'source /etc/iiab/iiab.env && echo $WWWROOT'

roles/1-prep/tasks/raspberry_pi.yml

@@ -1,12 +1,12 @@
 # Specific to Raspberry Pi
 
-- name: Install udev rule /etc/udev/rules.d/92-rtc-i2c.rules from template, to transfer hwclock to system clock at dev creation, if rtc_id is defined and rtc_id != "none"
+- name: Install udev rule /etc/udev/rules.d/92-rtc-i2c.rules from template, to transfer hwclock to system clock at dev creation, if rtc_id is defined and rtc_id != "none" (root:root, 0644 by default)
   template:
     src: 92-rtc-i2c.rules
     dest: /etc/udev/rules.d/92-rtc-i2c.rules
-    owner: root
+    #owner: root
-    group: root
+    #group: root
-    mode: 0644
+    #mode: 0644
   when: rtc_id is defined and rtc_id != "none"
 
 # RTC requires a change to the device tree (and reboot)
@@ -22,7 +22,7 @@
     path: /boot/firmware/usercfg.txt
     line: "dtoverlay=i2c-rtc,{{ rtc_id }}=on"
     state: present
-  when: rtc_id is defined and rtc_id != "none" and is_ubuntu
+  when: rtc_id is defined and rtc_id != "none" and is_ubuntu    # CLARIF: Ubuntu runs increasingly well on RPi hardware, starting in 2020 especially
 
 #- name: Enable bluetooth in /boot/firmware/syscfg.txt on Ubuntu (needs reboot)
 #  lineinfile:
@@ -31,17 +31,32 @@
 #    line: 'include btcfg.txt'
 #  when: is_ubuntu
 
-- name: 'Ensure packages are installed: dphys-swapfile, fake-hwclock, iw, rfkill, wireless-tools'
+
+- name: '2021-07-27: SEE ALSO ~4 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
+  meta: noop
+
+- name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml'
+  meta: noop
+
+# 2021-07-27 explanation from @jvonau: The 3 BELOW (iw, rfkill, wireless-tools)
+# are provided by RaspiOS.  Ubuntu|Debian on the other hand are hit or miss:
+# desktops might have some/all 3 preinstalled, while servers tend not to have
+# these present at all, but are needed to be installed if you want to take full
+# advantage of WiFi on Ubuntu and friends -- but it's only enforced on RPi
+# hardware where we know in advance of the likelihood of WiFi being present.
+
+- name: 'Install packages: cloud-guest-utils, dphys-swapfile, fake-hwclock, iw, rfkill, wireless-tools'
   package:
     name:
-      - dphys-swapfile
+      - cloud-guest-utils    # Contains 'growpart' for resizing a partition during boot, which is normally done with the aid of cloud-init
-      - fake-hwclock
+      - dphys-swapfile       # 2021-07-27: RaspiOS installs this regardless -- autogenerate and use a swap file
-      - iw
+      - fake-hwclock         # 2021-07-27: RaspiOS installs this regardless -- save/restore system clock on machines without working RTC hardware
-      - rfkill
+      - iw                # 2021-07-27: RaspiOS installs this regardless -- configure Linux wireless devices -- hard dependence for ap0 creation, SEE https://github.com/iiab/iiab/blob/master/roles/network/templates/hostapd/iiab-clone-wifi.service.j2
-      - wireless-tools
+      - rfkill            # 2021-07-27: RaspiOS installs this regardless -- enable & disable wireless devices
-      - cloud-guest-utils
+      - wireless-tools    # 2021-07-27: RaspiOS installs this regardless -- manipulate Linux Wireless Extensions
     state: present
 
+
 - name: Increase swap file size (to CONF_SWAPSIZE={{ pi_swap_file_size }} in /etc/dphys-swapfile) as kalite pip download fails
   lineinfile:
     path: /etc/dphys-swapfile
@@ -50,20 +65,21 @@
 
 - name: Restart swap service "dphys-swapfile"
   #command: /etc/init.d/dphys-swapfile restart
-  service:    # A rare/legacy service that is NOT systemd
+  systemd:    # Had been...a rare/legacy service that was NOT systemd
     name: dphys-swapfile
     state: restarted
 
-- name: Install RPi rootfs resizing (iiab-rpi-max-rootfs.sh) and its systemd service (iiab-rpi-root-resize.service), from templates
+
+- name: Install RPi rootfs resizing (/usr/sbin/iiab-rpi-max-rootfs.sh) and its systemd service (/etc/systemd/system/iiab-rpi-root-resize.service), from templates (root:root by default)
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: root
+    #owner: root
-    group: root
+    #group: root
     mode: "{{ item.mode }}"
   with_items:
-    - { src: 'iiab-rpi-max-rootfs.sh', dest: '/usr/sbin/iiab-rpi-max-rootfs.sh', mode: '0755'}
+    - { src: 'iiab-rpi-max-rootfs.sh', dest: '/usr/sbin/', mode: '0755' }
-    - { src: 'iiab-rpi-root-resize.service', dest: '/etc/systemd/system/iiab-rpi-root-resize.service', mode: '0644'}
+    - { src: 'iiab-rpi-root-resize.service', dest: '/etc/systemd/system/', mode: '0644' }
 
 - name: Enable RPi rootfs resizing (systemd service iiab-rpi-root-resize.service)
   systemd:

roles/1-prep/tasks/ubermix.yml

@@ -0,0 +1,25 @@
+- name: Does 'ubermix' exist in /etc/lsb-release?
+  shell: grep -i ubermix /etc/lsb-release    # Pipe to cat to avoid red errors?
+  register: grep_ubermix
+  failed_when: False    # Universal way to hide alarmist red errors!
+  #ignore_errors: True
+  #check_mode: no
+
+- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix (root:root, 0644 by default)
+  copy:
+    src: roles/1-prep/files/iiab.conf
+    dest: /etc/tmpfiles.d/
+    # owner: root
+    # group: root
+    # mode: 0644
+    force: yes
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist
+
+# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
+# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
+# pkgs are not installed FWIW.  But it's included to safeguard us across all
+# OS's, in case others OS's like Ubermix later appear.  See #1382 for details.
+# Removing pkgs libgeos-3.6.2 & libgeos-c1v5 fixed the situation on Ubermix!
+- name: Remove libgeos-* pkgs, avoiding KA Lite Django failure on Ubermix
+  shell: apt -y remove "libgeos-*"
+  when: grep_ubermix.rc == 0    # 1 if absent in file, 2 if file doesn't exist

roles/1-prep/tasks/uuid.yml

@@ -0,0 +1,26 @@
+- name: "Install packages: uuid-runtime"
+  package:
+    name: uuid-runtime
+    state: present
+
+- name: Does /etc/iiab/uuid exist?
+  stat:
+    path: /etc/iiab/uuid
+  register: uuid_file
+
+- name: If not, run 'uuidgen' to create a uuid, in register uuid_response
+  command: uuidgen
+  register: uuid_response
+  when: not uuid_file.stat.exists
+
+- name: Save it to /etc/iiab/uuid
+  shell: echo {{ uuid_response.stdout_lines[0] }} > /etc/iiab/uuid
+  when: not uuid_file.stat.exists
+
+- name: Load /etc/iiab/uuid, into register stored_uuid
+  command: cat /etc/iiab/uuid
+  register: stored_uuid
+
+- name: Store it in Ansible variable 'uuid'
+  set_fact:
+    uuid: "{{ stored_uuid.stdout_lines[0] }}"

roles/2-common/README.rst

@@ -2,7 +2,13 @@
 2-common README
 ===============
 
-This 2nd stage is for OS-level roles/packages/tasks *common* to all platforms,
+This 2nd `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ is for OS-level basics *common* to all platforms, i.e. core prerequisites to building up a functioning `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_ server.
-prerequisites to building up a functioning server.
 
-As in the case of 3-base-server, 4-server-options and 5-xo-services: this stage installs core server infra, that is not user-facing.
+These are (partially) put in place:
+
+- IIAB directory structure (`file layout <tasks/fl.yml>`_)
+- Common `apt <https://en.wikipedia.org/wiki/APT_(software)>`_ software packages
+- Networking (including the `iptables <https://en.wikipedia.org/wiki/Iptables>`_ firewall)
+- `/usr/libexec/iiab-startup.sh <tasks/iiab-startup.yml>`_ similar to AUTOEXEC.BAT and /etc/rc.local, in order to run jobs on boot
+
+Recap: As with 0-init, 1-prep, 3-base-server, 4-server-options and 5-xo-services — this 2nd stage installs core server infra (that is not user-facing).

roles/2-common/tasks/main.yml

@@ -1,53 +1,46 @@
 # Common OS-Level Additions & Mods (that only need to be performed once)
 
 - name: ...IS BEGINNING ==========================================
-  command: echo
+  meta: noop
 
 - name: Create IIAB directory structure ("file layout")
   include_tasks: fl.yml
 
-- include_tasks: centos.yml
-  when: ansible_distribution == "CentOS"
-
-- include_tasks: fedora.yml
-  when: ansible_distribution == "Fedora"
-
-- include_tasks: prep.yml
-  when: not is_debuntu
-
-- include_tasks: xo.yml
-  when: xo_model != "none" or osbuilder is defined
-
 - include_tasks: packages.yml
-- include_tasks: network.yml
 
-# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
+- name: "Network prep, including partial setup of iptables (firewall) -- SEE ALSO: 1-prep/tasks/raspberry_pi.yml"
-- name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible
+  include_tasks: network.yml
-  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
-    name: "{{ item.name }}"
-    value: "{{ item.value }}"
-  with_items:
-    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
-    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
-    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
-    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
-    - { name: 'kernel.core_uses_pid', value: '1' }
-    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
-    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
-    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
-    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
-    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
-
-- name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
-  template:
-    dest: /etc/profile.d/zzz_iiab.sh
-    src: zzz_iiab.sh
-
-- include_tasks: net_mods.yml
-  when: not is_debuntu and not is_F18
 
 - include_tasks: iiab-startup.yml
 
+
+# UNMAINTAINED
+#- include_tasks: centos.yml
+#  when: ansible_distribution == "CentOS"
+
+# UNMAINTAINED
+#- include_tasks: fedora.yml
+#  when: ansible_distribution == "Fedora"
+
+# UNMAINTAINED
+#- include_tasks: prep.yml
+#  when: not is_debuntu
+
+# UNMAINTAINED
+#- include_tasks: xo.yml
+#  when: xo_model != "none" or osbuilder is defined
+
+# UNMAINTAINED
+#- include_tasks: net_mods.yml
+#  when: not is_debuntu and not is_F18
+
+# UNMAINTAINED
+#- name: Install /etc/profile.d/zzz_iiab.sh from template, to add sbin dirs to unprivileged users' $PATH
+#  template:
+#    dest: /etc/profile.d/zzz_iiab.sh
+#    src: zzz_iiab.sh
+
+
 - name: Recording STAGE 2 HAS COMPLETED ==========================
   lineinfile:
     path: "{{ iiab_env_file }}"

roles/2-common/tasks/network.yml

@@ -1,23 +1,45 @@
+- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml'
+  meta: noop
+
+- name: '2021-07-27: SEE ALSO ~4 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/packages.yml'
+  meta: noop
+
 - name: Install package networkd-dispatcher (OS's other than RaspiOS)
   package:
-    name: networkd-dispatcher
+    name: networkd-dispatcher    # Dispatcher service for systemd-networkd connection status changes
     state: present
   when: not is_raspbian
 
-# used in the network role
+- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
-- name: 'Install network packages: hostapd, iproute2, iptables-persistent, netmask (debuntu)'
   package:
     name:
-      - iproute2
+      - hostapd                # IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator -- has its service masked out of the box, and only used when IIAB's network roles detects the presence of WiFi and an AP is desired
-      - iptables-persistent
+      - iproute2               # 2021-07-27: RaspiOS installs this regardless -- the new networking and traffic control tools, meant to replace net-tools
-      - hostapd
+      - iptables-persistent    # Boot-time loader for netfilter rules, iptables (firewall) plugin -- however Netfilter / nftables is ever moving forward so keep an eye on it!
-      - netmask
+      - netmask                # Handy utility -- helps determine network masks
     state: present
-  when: is_debuntu
 
-- name: Install /etc/network/if-pre-up.d/iptables from template (0755, debuntu)
+# 2021-08-17: Debian ignores this, according to 2013 post:
-  template:
+# https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables
-    src: iptables
+# - name: Install /etc/network/if-pre-up.d/iptables from template (0755)
-    dest: /etc/network/if-pre-up.d/iptables
+#   template:
-    mode: '0755'
+#     src: iptables
-  when: is_debuntu
+#     dest: /etc/network/if-pre-up.d/iptables
+#     mode: '0755'
+
+# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
+- name: "Use 'sysctl' to set 'kernel.core_uses_pid: 1' + 4 network settings in /etc/sysctl.conf -- e.g. disabling IPv6 (this might be overkill, as IPv6 should really only be disabled on the LAN side, i.e. br0)"
+  sysctl:    # Places these settings in /etc/sysctl.conf, to survive reboot
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+  with_items:
+    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
+    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
+    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
+    #- { name: 'kernel.sysrq', value: '1' }             # OS values differ, Ok?
+    - { name: 'kernel.core_uses_pid', value: '1' }
+    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
+    #- { name: 'kernel.shmmax', value: '268435456' }    # OS values differ, Ok?
+    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
+    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
+    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE

roles/2-common/tasks/packages.yml

@@ -1,59 +1,61 @@
-- name: "Install 10 yum/dnf packages: avahi, avahi-tools, createrepo, linux-firmware, nss-mdns, openssl, syslog, wpa_supplicant, xml-common, yum-utils (redhat)"
+- name: '2021-07-27: SEE ALSO ~3 networking packages EARLIER installed by https://github.com/iiab/iiab/blob/master/roles/1-prep/tasks/raspberry_pi.yml'
-  package:
+  meta: noop
-    name:
-      - avahi
-      - avahi-tools
-      - createrepo
-      - linux-firmware
-      - nss-mdns
-      - openssl    # FC 18 does not supply, but pear requires
-      - syslog
-      - wpa_supplicant
-      - xml-common
-      - yum-utils
-    state: present
-  when: is_redhat
 
-- name: "Install 6 deb/apt packages: avahi-daemon, exfat-fuse, exfat-utils, inetutils-syslogd, libnss-mdns, wpasupplicant (debuntu)"
+- name: '2021-07-27: SEE ALSO 4-5 networking packages LATER installed by https://github.com/iiab/iiab/blob/master/roles/2-common/tasks/network.yml'
-  package:
+  meta: noop
-    name:
-      #- avahi-discover
-      - avahi-daemon
-      - exfat-fuse     # Should no longer be nec with 5.4+ kernels
-      - exfat-utils    # Likewise!
-      - inetutils-syslogd    # Error logging facility
-      - libnss-mdns    # Provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
-      - wpasupplicant
-    state: present
-  when: is_debuntu
 
-- name: "Install 20 common packages: acpid, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget"
+- name: "Install 20 common packages: acpid, avahi-daemon, bzip2, curl, gawk, htop, i2c-tools, libnss-mdns, logrotate, mlocate, net-tools, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget, wpasupplicant"
   package:
     name:
       - acpid              # Daemon for ACPI (power mgmt) events
+      - avahi-daemon       # 2021-07-27: RaspiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
+      #- avahi-discover    # 2021-07-27: Commented out long ago
       - bzip2              # 2021-04-26: Prob not used, but can't hurt?
       - curl               # Used to install roles/nodejs and roles/nodered
       #- etckeeper         # "nobody is really using etckeeper and it's bloating the filesystem every time apt runs" per @jvonau at https://github.com/iiab/iiab/issues/1146
+      #- exfat-fuse        # 2021-07-27: Should no longer be nec with 5.4+ kernels, so let's try commenting it out
+      #- exfat-utils       # Ditto!  See also 'ntfs-3g' below
       - gawk
       - htop
       - i2c-tools          # Low-level bus/chip/register/EEPROM tools e.g. for RTC
-      - iproute2
+      #- inetutils-syslogd # 2021-07-27: Error logging facility -- holdover from the XO days, journalctl has replaced this in newer distros
+      #- iproute2          # Installed by roles/2-common/tasks/network.yml
       - logrotate
+      - libnss-mdns        # 2021-07-27: RaspiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
       #- lynx              # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
-      - make          # 2021-04-26: What roles (if any) truly still use this?
+      #- make              # 2021-07-27: Currently used by roles/pbx and no other roles
       - mlocate
       - net-tools          # 2021-04-26: @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
-      - ntfs-3g       # Possibly no longer nec, similar to exfat packages above?
+      #- ntfs-3g           # 2021-07-31: RaspiOS installs this regardless -- but this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
       #- openssh-server    # ssh (Raspbian) or openssh-server (other OS's) already installed by 1-prep's roles/sshd/tasks/main.yml
       - pandoc             # For /usr/bin/iiab-refresh-wiki-docs
       - pastebinit         # For /usr/bin/iiab-diagnostics
+      #- python3-pip       # 2021-07-29: Already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc
+      #- python3-venv      # 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RaspiOS 10 do not.
       - rsync
       #- screen            # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
       - sqlite3
-      #- sudo         # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
+      #- sudo              # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
       - tar
       - unzip
       #- usbmount          # Moved to roles/usb_lib/tasks/install.yml
-      - usbutils      # 2021-04-26: Also move to roles/usb_lib/tasks/install.yml ?
+      - usbutils           # 2021-07-27: RaspiOS installs this regardless -- move to roles/usb_lib/tasks/install.yml ?
       - wget
+      - wpasupplicant      # 2021-07-27: RaspiOS installs this regardless -- client library for connections to a WiFi AP
     state: present
+
+#- name: "Install 10 yum/dnf packages: avahi, avahi-tools, createrepo, linux-firmware, nss-mdns, openssl, syslog, wpa_supplicant, xml-common, yum-utils (redhat)"
+#  package:
+#    name:
+#      - avahi
+#      - avahi-tools
+#      - createrepo
+#      - linux-firmware
+#      - nss-mdns
+#      - openssl    # FC 18 does not supply, but pear requires
+#      - syslog
+#      - wpa_supplicant
+#      - xml-common
+#      - yum-utils
+#    state: present
+#  when: is_redhat

roles/2-common/templates/iiab-extra.repo.unused

@@ -13,4 +13,3 @@ baseurl=http://download.iiab.io/repos/xsce-extra/
 enabled=1
 metadata_expire=1d
 gpgcheck=0
-

roles/2-common/templates/li.nux.ro.repo.unused

@@ -4,5 +4,3 @@ baseurl=http://li.nux.ro/download/nux/dextop/el7/x86_64/
 enabled=0
 gpgcheck=1
 gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro
-
-

roles/2-common/templates/rpmfusion-free-updates.repo.unused

@@ -21,4 +21,3 @@ mirrorlist=http://mirrors.rpmfusion.org/mirrorlist?repo=free-fedora-updates-rele
 enabled=0
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-$releasever
-

roles/3-base-server/README.rst

@@ -2,7 +2,7 @@
 3-base-server README
 ====================
 
-This 3rd stage installs base server infra that Internet-in-a-Box requires, including:
+This 3rd `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs base server infra that `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_ requires, including:
 
 - `MySQL <https://github.com/iiab/iiab/blob/master/roles/mysql>`_ (database underlying many/most user-facing apps).  This IIAB role also installs apt package:
    - **php{{ php_version }}-mysql** — which forcibly installs **php{{ php_version }}-common**
@@ -10,6 +10,6 @@ This 3rd stage installs base server infra that Internet-in-a-Box requires, inclu
    - **php{{ php_version }}-fpm** — which forcibly installs **php{{ php_version }}-cli**, **php{{ php_version }}-common** and **libsodium23**
 - `www_base <https://github.com/iiab/iiab/blob/master/roles/www_base>`_ (similar to `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options>`_ which runs later in 4-server-options)
 
-Recap: as with 2-common, 4-server-options and 5-xo-services: this 3rd stage installs core server infra, that is not user-facing.
+Recap: As with 0-init, 1-prep, 2-common, 4-server-options and 5-xo-services — this 3rd stage installs core server infra (that is not user-facing).
 
 The next stage (4-server-options) brings more diverse/optional server infra functionality.

roles/3-base-server/tasks/main.yml

@@ -1,7 +1,7 @@
 # Base Server
 
 - name: ...IS BEGINNING =====================================
-  command: echo
+  meta: noop
 
 - name: MYSQL + CORE PHP
   include_role:

roles/4-server-options/README.rst

@@ -2,8 +2,18 @@
 4-server-options README
 =======================
 
-Whereas 3-base-server installs critical packages needed by all, this 4th stage installs a broad array of *options* -- depending on which server apps will be installed in later stages -- as specified in /etc/iiab/local_vars.yml
+Whereas 3-base-server installs critical packages needed by all, this 4th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs a broad array of *options* ⁠— depending on which server apps will be installed in later stages ⁠— as specified in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
 
-This includes some networking fundamentals, before they're configured later on.
+This includes more networking fundamentals, that may further be configured later on.
 
-As in the case of 2-common, 3-base-server and 5-xo-services: this stage installs core server infra, that is not user-facing.
+Specifically, these might be installed:
+
+- Python libraries
+- SSH daemon
+- Bluetooth for Raspberry Pi
+- Instant-sharing of `USB stick content <https://wiki.iiab.io/go/FAQ#Can_teachers_display_their_own_content.3F>`_
+- CUPS Printing
+- Samba for Windows filesystems
+- `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml>`_
+
+Recap: As with 0-init, 1-prep, 2-common, 3-base-server and 5-xo-services ⁠— this 4th stage installs core server infra (that is not user-facing).

roles/4-server-options/tasks/main.yml

@@ -18,23 +18,27 @@
     name: pylibs
   #when: pylibs_install    # Flag might be created in future?
 
-# Also run by roles/1-prep/tasks/main.yml as required by OpenVPN.
+- name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN
-- name: SSHD
   include_role:
     name: sshd
   when: sshd_install
 
+
+# UNMAINTAINED
 - name: Install named / BIND
   include_tasks: roles/network/tasks/named.yml
-  when: named_install
+  when: named_install is defined and named_install
 
+# UNMAINTAINED
 - name: Install dhcpd
   include_tasks: roles/network/tasks/dhcpd.yml
-  when: dhcpd_install
+  when: dhcpd_install is defined and dhcpd_install
 
-- name: Install Squid (and DansGuardian if dansguardian_install)
+# LESS MAINTAINED as of July 2019: https://github.com/iiab/iiab/issues/1879
+- name: Install Squid
   include_tasks: roles/network/tasks/squid.yml
-  when: squid_install
+  when: squid_install is defined and squid_install
+
 
 - name: Install Bluetooth - only on Raspberry Pi
   include_role:
@@ -67,6 +71,7 @@
     name: www_options
   #when: www_options_install    # Flag might be created in future?
 
+
 - name: Recording STAGE 4 HAS COMPLETED ==================
   lineinfile:
     path: "{{ iiab_env_file }}"

roles/5-xo-services/README.rst

@@ -2,6 +2,6 @@
 5-xo-services README
 ====================
 
-This 5th stage provides underlying services for One Laptop Per Child's XO laptops.
+This 5th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ provides underlying services for One Laptop Per Child's XO laptops.
 
-As in the case of 2-common, 3-base-server and 4-server-options: this stage installs core server infra, that is not user-facing.
+Recap: As with 0-init, 1-prep, 2-common, 3-base-server and 4-server-options — this 5th stage installs core server infra (that is not user-facing).

roles/5-xo-services/tasks/main.yml

@@ -1,7 +1,7 @@
 # XO Services
 
 - name: ...IS BEGINNING =====================================
-  command: echo
+  meta: noop
 
 # UNMAINTAINED
 - name: ACTIVITY-SERVER

roles/6-generic-apps/tasks/main.yml

@@ -1,9 +1,8 @@
 # Generic Apps
 
 - name: ...IS BEGINNING ====================================
-  command: echo
+  meta: noop
 
-# UNMAINTAINED
 - name: AZURACAST
   include_role:
     name: azuracast
@@ -21,10 +20,11 @@
     name: ejabberd
   when: ejabberd_install is defined and ejabberd_install
 
+# UNMAINTAINED
 - name: ELGG
   include_role:
     name: elgg
-  when: elgg_install
+  when: elgg_install is defined and elgg_install
 
 - name: GITEA
   include_role:
@@ -61,11 +61,6 @@
     name: nextcloud
   when: nextcloud_install
 
-- name: PBX
-  include_role:
-    name: pbx
-  when: pbx_install
-
 - name: WORDPRESS
   include_role:
     name: wordpress

roles/7-edu-apps/tasks/main.yml

@@ -1,7 +1,7 @@
 # Educational Apps
 
 - name: ...IS BEGINNING ========================================
-  command: echo
+  meta: noop
 
 - name: KALITE
   include_role:

roles/8-mgmt-tools/tasks/main.yml

@@ -1,7 +1,7 @@
 # Administration and Monitoring/Assessment Tools
 
 - name: ...IS BEGINNING ======================================
-  command: echo
+  meta: noop
 
 - name: TRANSMISSION
   include_role:

roles/9-local-addons/tasks/main.yml

@@ -1,12 +1,7 @@
 # Local Add-ons
 
 - name: ...IS BEGINNING ====================================
-  command: echo
+  meta: noop
-
-- name: INTERNETARCHIVE
-  include_role:
-    name: internetarchive
-  when: internetarchive_install
 
 # Is porting to Python 3 complete, and if so does this belong elsewhere?
 - name: CAPTIVE PORTAL
@@ -14,21 +9,33 @@
     name: captiveportal
   when: captiveportal_install
 
+- name: INTERNETARCHIVE
+  include_role:
+    name: internetarchive
+  when: internetarchive_install
+
 - name: MINETEST
   include_role:
     name: minetest
   when: minetest_install
 
-# KEEP AT THE END as this installs dependencies from Debian's 'testing' branch!
+- name: CALIBRE-WEB
+  include_role:
+    name: calibre-web
+  when: calibreweb_install
+
+# KEEP NEAR THE VERY END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
   include_role:
     name: calibre
   when: calibre_install
 
-- name: CALIBRE-WEB
+# Pulls in a large number of devel packages, via asterisk.yml -> 'install_prereq install'
+# https://github.com/asterisk/asterisk/blob/master/contrib/scripts/install_prereq#L21-L35
+- name: PBX - Asterisk & FreePBX
   include_role:
-    name: calibre-web
+    name: pbx
-  when: calibreweb_install
+  when: pbx_install
 
 - name: "2021-06-27 TEMPORARY CODE TO INSTALL 'php-pear' UNTIL ADMIN CONSOLE DECLARES ITS OWN DEPENDENCY FOR: https://github.com/iiab/iiab-admin-console/blob/master/roles/cmdsrv/tasks/main.yml#L19"
   package:

roles/calibre-web/tasks/install.yml

@@ -1,4 +1,4 @@
-- name: "Install ImageMagick package: imagemagick"
+- name: "Install packages: imagemagick, python3-venv"
   package:
     name:
       - imagemagick

roles/calibre/tasks/install.yml

@@ -37,13 +37,13 @@
 
 # 2. SYSTEMD SERVICES
 
-- name: Create /etc/systemd/system/calibre-serve.service and /etc/{{ apache_conf_dir }}/calibre.conf
+- name: 'Install from template: /etc/systemd/system/calibre-serve.service'
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
   with_items:
     - { src: 'calibre-serve.service.j2', dest: '/etc/systemd/system/calibre-serve.service' }
-    - { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' }    # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!)
+    #- { src: 'calibre.conf', dest: '/etc/{{ apache_conf_dir }}' }    # apache2/sites-available (this doesn't work, see #529: let's try to create /etc/nginx/conf.d/calibre-nginx.conf in future!)
 
 - name: Stop service 'calibre-serve' (/usr/bin/calibre-server by Kovid Goyal)
   systemd:

roles/captiveportal/tasks/enable-or-disable.yml

@@ -36,8 +36,8 @@
     state: absent
   when: not captiveportal_enabled
 
-- name: Run iiab-divert-to-nginx to generate diversion lists for NGINX
+- name: Run /usr/sbin/iiab-divert-to-nginx to generate diversion lists for NGINX
-  shell: /usr/sbin/iiab-divert-to-nginx
+  command: /usr/sbin/iiab-divert-to-nginx
   when: captiveportal_enabled
 
 - name: Delete /etc/dnsmasq.d/capture to make sure dnsmasq is not diverting (if not captiveportal_enabled)

roles/captiveportal/tasks/install.yml

@@ -43,7 +43,7 @@
     - simple.template
     - mac.template
 
-- name: Run iiab-make-cp-servers.py to generate NGINX servers from /opt/iiab/captiveportal/checkurls input list (creates /etc/nginx/sites-available/capture.conf)
+- name: Run /usr/sbin/iiab-make-cp-servers.py to generate NGINX servers from /opt/iiab/captiveportal/checkurls input list (creates /etc/nginx/sites-available/capture.conf)
   command: /usr/sbin/iiab-make-cp-servers.py
   args:
     creates: /etc/nginx/sites-available/capture.conf

roles/firmware/tasks/install.yml

@@ -2,19 +2,19 @@
   include_tasks: download.yml
   when: firmware_downloaded is undefined    # SEE ALSO firmware_installed below
 
-- name: 'Install from template: check-firmware.service, iiab-check-firmware & fw_warn.sh'
+- name: 'Install from template: /usr/bin/iiab-check-firmware, /etc/systemd/system/iiab-check-firmware.service & /etc/profile.d/iiab-firmware-warn.sh'
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
   with_items:
-    - { src: 'check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' }
+    - { src: 'iiab-check-firmware', dest: '/usr/bin/', mode: '0755' }
-    - { src: 'iiab-check-firmware', dest: '/usr/sbin/', mode: '0755' }
+    - { src: 'iiab-check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' }
-    - { src: 'fw_warn.sh', dest: '/etc/profile.d/', mode: '0644' }
+    - { src: 'iiab-firmware-warn.sh', dest: '/etc/profile.d/', mode: '0644' }
 
-- name: Enable & (Re)Start check-firmware.service (also runs on each boot)
+- name: Enable & (Re)Start iiab-check-firmware.service (also runs on each boot)
   systemd:
-    name: check-firmware.service
+    name: iiab-check-firmware.service
     daemon_reload: yes
     state: restarted
     enabled: yes

roles/firmware/templates/iiab-check-firmware

@@ -3,7 +3,14 @@
 WARN=0
 DATE=$(date +%F-%T)
 
-if grep -q '^wifi_hotspot_capacity_rpi_fix: False' /etc/iiab/local_vars.yml ; then
+# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
+# https://github.com/iiab/iiab-factory/blob/master/iiab#L79-L97
+# https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L13
+# https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
+
+if grep -q '^wifi_hotspot_capacity_rpi_fix:\s\+[fF]alse\b' /etc/iiab/local_vars.yml ; then
     echo "'wifi_hotspot_capacity_rpi_fix: False' found in /etc/iiab/local_vars.yml"
     echo "...so WiFi firmware will NOT be checked or replaced."
 

roles/firmware/templates/iiab-check-firmware.service

@@ -1,11 +1,10 @@
 [Unit]
 Description=Check Firmware service
-Before=clone-wifi.service
+Before=iiab-clone-wifi.service
 
 [Service]
 Type=oneshot
-ExecStart=/usr/sbin/iiab-check-firmware
+ExecStart=/usr/bin/iiab-check-firmware
 
 [Install]
 WantedBy=multi-user.target
-

roles/gitea/tasks/install.yml

@@ -6,12 +6,12 @@
     state: stopped
   ignore_errors: yes
 
-- name: Ensure group gitea exists
+- name: Ensure group 'gitea' exists
   group:
     name: gitea
     state: present
 
-- name: Create user gitea
+- name: Create user 'gitea'
   user:
     name: gitea
     comment: Gitea daemon account
@@ -26,7 +26,7 @@
     group: gitea
   with_items: "{{ gitea_subdirectories }}"
 
-- name: Make directories data, indexers, and log writable
+- name: Make directories data, indexers, and log writable (0750)
   file:
     path: "{{ gitea_root_directory }}/{{ item }}"    # /library/gitea
     mode: '0750'
@@ -98,7 +98,7 @@
 
 # 4. Create systemd service & prepare NGINX for http://box/gitea
 
-- name: "Install from template: /etc/systemd/system/gitea.service"
+- name: "Install from template: /etc/systemd/system/gitea.service (by default 0644)"
   template:
     src: gitea.service.j2
     dest: /etc/systemd/system/gitea.service

roles/iiab-admin/tasks/admin-user.yml

@@ -14,7 +14,7 @@
     name: "{{ admin_console_group }}"
     state: present
 
-- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
+- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-*) at the command-line
   user:
     name: "{{ iiab_admin_user }}"
     #group: "{{ iiab_admin_user }}"    # Not nec.  Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
@@ -34,7 +34,7 @@
 
 # sudo-prereqs.yml needs to have been run!
 
-- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
+- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands in /usr/bin like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
   #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
   user:
     name: "{{ iiab_admin_user }}"

roles/iiab-admin/tasks/sudo-prereqs.yml

@@ -1,7 +1,6 @@
-# roles/2-common/tasks/packages.yml also installed sudo, but that's too late
 - name: 'Install package: sudo'
   package:
-    name: sudo
+    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
 
 - name: Temporarily make file /etc/sudoers editable (0640)
   file:

roles/internetarchive/tasks/install.yml

@@ -62,12 +62,6 @@
     src: internetarchive.service.j2
     dest: /etc/systemd/system/internetarchive.service
 
-- name: "Install from template: /etc/{{ apache_conf_dir }}/internetarchive.conf"
-  template:
-    src: internetarchive.conf
-    dest: "/etc/{{ apache_conf_dir }}/internetarchive.conf"    # apache2/sites-available
-  when: apache_installed is defined
-
 
 # 4. RECORD Internet Archive AS INSTALLED
 

roles/internetarchive/tasks/main.yml

@@ -68,13 +68,13 @@
     state: stopped
   when: not internetarchive_enabled
 
-- name: Enable/Disable/Restart Apache if primary
+# - name: Enable/Disable/Restart Apache if primary
-  include_tasks: apache.yml
+#   include_tasks: apache.yml
-  when: apache_installed is defined and not nginx_enabled
+#   when: apache_installed is defined and not nginx_enabled
 
 - name: Enable/Disable/Restart NGINX if primary
   include_tasks: nginx.yml
-  when: nginx_enabled
+  #when: nginx_enabled
 
 
 - name: Add 'internetarchive' variable values to {{ iiab_ini_file }}

roles/jupyterhub/README.md

@@ -1,10 +1,38 @@
 ## JupyterHub programming environment with student Notebooks
 
-#### High Schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their notebook/document/blog:
+#### Secondary schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their own blog-like "Jupyter Notebooks."
 
-* Jupyter Notebooks are widely used in the scientific community.
+* Jupyter Notebooks are widely used in the scientific community:
-* This IIAB package permits individual users to start using their own notebook on the server (http://box.lan/jupyterhub) without needing an individual server account.
+  * [Intitutional FAQ](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html)
-* Once a user signs in with a username and password, these credentials are stored, and are used thereafter to gain access to the user's files.
+  * [Getting Started](https://jupyterhub.readthedocs.io/en/stable/getting-started/)
-* Individual folders are created for all student work in the path `/var/lib/protected/` — individual students will only be able to see their own work in that directory.
+* Students create their own accounts on first use — e.g. at http://box.lan/jupyterhub — just as if they're logging in regularly (unfortunately the login screen doesn't make that clear, but the teacher _does not_ need to be involved!)
-* Students will not have any privileges outside of their own folder.
+  * A student can then sign in with their username and password, to gain access to their files (Jupyter Notebooks).
-* They may upload Jupyter Notebooks from a local machine, and download the current state of their work via a normal browser download.
+  * The teacher should set and protect JupyterHub's overall ``Admin`` password, just in case.  As with student accounts, the login screen doesn't make that clear — so just log in with username `Admin` using any password that you want to become permanent.
+* Individual student folders are created in ``/var/lib/private/`` on the Internet-in-a-Box (IIAB) server:
+  * A student will only be able to see their own work — they do not have privileges outside of their own folder.
+  * Students may upload Jupyter Notebooks to the IIAB server, and download the current state of their work via a normal browser.
+
+### Settings
+
+Linux administrators please see `/opt/iiab/jupyterhub/etc/jupyterhub/jupyterhub_config.py` which originates from:
+
+https://github.com/iiab/iiab/blob/master/roles/jupyterhub/templates/jupyterhub_config.py
+
+Note that `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated with the usual formula:
+
+```
+source /opt/iiab/jupyterhub/bin/activate
+```
+
+### PAWS/Jupyter Notebooks for Python Beginners
+
+While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.
+
+He explains PAWS as a "powerful Python execution environment http://paws.wmcloud.org [allowing] ordinary folks to write interactive scripts to work with Wikimedia content."
+
+### Known Issues
+
+* 2021-08-07: The page that allows you to reset/change your own password is not accessible.  Likewise Admin users cannot reset/change the password of any _individual_ user at this time.  <sub><sub>[#2918](https://github.com/iiab/iiab/pull/2918)</sub></sub>
+  * If necessary, a Linux administrator can delete the `/passwords.dbm.db` file at the very top of your Linux filesystem, allowing all JupyterHub users to (re)create new passwords.  This does work, but is very heavy-handed.  <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890551682)</sub></sub>
+* 2021-08-07: Teachers (i.e. Admin users) cannot currently access the very helpful "administrator's page" discussed at [JupyterHub FAQ >> "How do I manage users?"](https://jupyterhub.readthedocs.io/en/stable/getting-started/institutional-faq.html#how-do-i-manage-users) and [roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054 >> "Admin users have extra privileges"](https://github.com/iiab/iiab/blob/d0e8e048347bf46c02a2cdb0da9c5cd0c489fe40/roles/jupyterhub/templates/jupyterhub_config.py#L1049-L1054).  <sub><sub>[#2919](https://github.com/iiab/iiab/pull/2919)</sub></sub>
+* 2021-08-08: Password [dbm file](https://github.com/jupyterhub/firstuseauthenticator#firstuseauthenticatordbm_path) `/passwords.dbm.db` should be moved from the top of the filesystem to a better place — e.g. to `/opt/iiab/jupyterhub/etc/` ?  <sub><sub>[PR #2892](https://github.com/iiab/iiab/pull/2892#issuecomment-890579789)</sub></sub>

roles/jupyterhub/tasks/enable-or-disable.yml

@@ -1,17 +1,14 @@
-- name: systemd daemon-reload
-  systemd:
-    daemon_reload: yes
-
-
 - name: Enable & Restart jupyterhub.service
   systemd:
+    daemon_reload: yes
     name: jupyterhub
     enabled: yes
     state: restarted
   when: jupyterhub_enabled
 
-- name: Disable jupyterhub.service
+- name: Disable & Stop jupyterhub.service
   systemd:
+    daemon_reload: yes
     name: jupyterhub
     enabled: no
     state: stopped

roles/jupyterhub/tasks/install.yml

@@ -13,22 +13,27 @@
   when: nodejs_installed is undefined
 
 
-- name: Make the directories to hold JupyterHub config
+- name: "Install package: python3-venv"
+  package:
+    name: python3-venv
+    state: present
+
+- name: Make 3 directories to hold JupyterHub config
   file:
     state: directory
     path: "{{ item }}"
   with_items:
-    - "{{ jupyterhub_venv }}/etc/jupyter"
+    - "{{ jupyterhub_venv }}/etc/jupyter"    # /opt/iiab/jupyterhub
     - "{{ jupyterhub_venv }}/etc/jupyterhub"
     - "{{ jupyterhub_venv }}/etc/systemd"
 
-- name: Use npm to install configurable-http-proxy
+- name: Use npm to install 'configurable-http-proxy'
   npm:
     name: configurable-http-proxy
     global: yes
     state: latest
 
-- name: "Use pip to install into a virtual environment: {{ jupyterhub_venv }} (~229 MB)"
+- name: "pip install 7 packages into virtual environment: {{ jupyterhub_venv }} (~229 MB)"
   pip:
     name:
       - pip
@@ -40,8 +45,8 @@
       - jupyterhub-systemdspawner
     virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
     virtualenv_site_packages: no
-    virtualenv_command: /usr/bin/virtualenv
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RaspiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
-    virtualenv_python: python3
+    #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
     extra_args: "--no-cache-dir"
   when: internet_available
 

roles/jupyterhub/templates/jupyterhub_config.py

@@ -64,7 +64,7 @@
 #  
 #  Users should be properly informed if this is enabled.
 #  Default: False
-# c.JupyterHub.admin_access = False
+c.JupyterHub.admin_access = True
 
 ## DEPRECATED since version 0.7.2, use Authenticator.admin_users instead.
 #  Default: set()
@@ -1057,7 +1057,7 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  
 #  Defaults to an empty set, in which case no user has admin access.
 #  Default: set()
-c.Authenticator.admin_users = set('iiab-admin')
+c.Authenticator.admin_users = set('Admin')
 
 ## Set of usernames that are allowed to log in.
 #  

roles/kalite/tasks/install.yml

@@ -11,13 +11,14 @@
 #  ignore_errors: yes
 #  when: is_raspbian
 
-- name: Install python2, if Raspbian/Debian > 10 or Ubuntu > 19
+- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2)'
   package:
     name:
       - python2
-      - python-setuptools # provides setuptools-44 last version compatible with python2
+      - python-setuptools    # Provides setuptools-44 on recent OS's (last version compatible with python2)
+      - virtualenv           # For Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole}
     state: present
-  when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
+  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
   # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
 
 - name: Use pip to pin setuptools to 44 in {{ kalite_venv }} if Raspbian/Debian > 10 or Ubuntu > 19
@@ -53,11 +54,11 @@
 
 # Useless stanza, for 2 reasons: (1) http://box/kalite was never made to work
 # (2) /etc/apache2/sites-available does not exist on many IIAB's w/o Apache
-- name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
+# - name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
-  template:
+#   template:
-    src: kalite.conf
+#     src: kalite.conf
-    dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
+#     dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
-  when: apache_installed is defined
+#   when: apache_installed is defined
 
 - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian > 10 or Ubuntu > 19
   replace:
@@ -89,6 +90,8 @@
   poll: 10
 
 
+# RECORD KA Lite AS INSTALLED
+
 - name: "Set 'kalite_installed: True'"
   set_fact:
     kalite_installed: True

roles/moodle/tasks/install.yml

@@ -106,7 +106,7 @@
     dest: "{{ moodle_base }}"
     mode: 0755
 
-- name: Execute {{ moodle_base }}/moodle_installer IF {{ moodle_base }}/config.php doesn't yet exist -- REQUIRES 'max_input_vars = 5000' (or higher) in /etc/php/{{ php_version }}/cli/php.ini with PHP 8+ (as set up by www_options/tasks/main.yml) -- WHEREAS LATER Moodle uses /etc/php/{{ php_version }}/fpm/php.ini during regular operation
+- name: Execute {{ moodle_base }}/moodle_installer IF {{ moodle_base }}/config.php doesn't yet exist -- REQUIRES 'max_input_vars = 5000' (or higher) in /etc/php/{{ php_version }}/cli/php.ini IF PHP 8+ (as set up by www_options/tasks/main.yml) -- WHEREAS LATER Moodle uses /etc/php/{{ php_version }}/fpm/php.ini during regular operation
   shell: "{{ moodle_base }}/moodle_installer"
   args:
     creates: "{{ moodle_base }}/config.php"

roles/munin/tasks/install.yml

@@ -1,21 +1,14 @@
-- name: "Install 5 packages: munin, munin-node, munin-plugins-extra, libcgi-fast-perl"
+- name: "Install 5 packages: libcgi-fast-perl, munin, munin-node, munin-plugins-extra, python3-passlib"
   package:
     name:
+      #- libapache2-mod-fcgid
+      - libcgi-fast-perl
       - munin
       - munin-node
       - munin-plugins-extra
-      - libcgi-fast-perl
+      - python3-passlib    # For Ansible module 'htpasswd' in Ansible collection community.general -- used just below
-      #- libapache2-mod-fcgid
     state: present
 
-# - name: "Install 2 packages: munin, munin-node (OS's other than debuntu)"
-#   package:
-#     name:
-#       - munin
-#       - munin-node
-#     state: present
-#   when: not is_debuntu
-
 - name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd
   htpasswd:
     path: /etc/munin/munin-htpasswd

roles/mysql/tasks/install.yml

@@ -1,113 +1,31 @@
-# Stanzas as of 2020-05-21:
+- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql, python3-pymysql'
-#
-# - 1 base install
-# - 6 double timeout for slow CPUs
-# - 7 DB config
-# - 2 record as installed
-
-- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql'
   package:
     name:
       - mariadb-server
       - mariadb-client
       #- php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
-      - php{{ php_version }}-mysql      # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
+      - php{{ php_version }}-mysql      # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx.yml, wordpress/tasks/install.yml
+      - python3-pymysql                 # For Ansible modules {mysql_db, mysql_user} in Ansible collection community.mysql -- used in MySQL roles {mediawiki, nextcloud, wordpress} and possibly {elgg, pbx}
     state: present
 
-# 2020-07-11:
+# 2020-07-11: 10 PHP package installs moved to roles/www_base/tasks/main.yml
-# 10 PHP package installs moved to roles/www_base/tasks/main.yml
 # php{{ php_version }}-sqlite3 install moved to roles/osm-vector-maps/tasks/install.yml
 
-# - name: "Install packages: mysql, MySQL-python and 9 php packages (OS's other than debuntu)"
+# 2021-08-11: 50 lines (6 stanzas) removed, that had been doubling MariaDB's
-#   package:
+# default boot timeout (90s to 180s) since 2019-07-03, for slow CPUs like this
-#     name:
+# Ubuntu 18.04.2 VM: https://github.com/iiab/iiab/issues/1802 -> PR #1813
-#       - MySQL-python
-#       - mysql
-#       - php
-#       - php-mysql
-#       - php-pear
-#       - php-gd
-#       - php-imap
-#       - php-ldap
-#       - php-odbc
-#       - php-xml
-#       - php-xmlrpc
-#     state: present
-#   when: not is_debuntu
-#
-# - include_tasks: centos.yml
-#   when: ansible_distribution == "CentOS"
-#
-# - include_tasks: fedora.yml
-#   when: ansible_distribution == "Fedora"
-
-
-# 2019-07-03 @jvonau @holta: the next 50 lines (6 stanzas) double MariaDB's
-# default boot timeout (90s to 180s) for slow CPUs like this Ubuntu 18.04.2 VM:
-# https://github.com/iiab/iiab/issues/1802
 # https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd
-
+# OS's have finally caught up - default timeout is now 900 seconds:
-- name: Check if /lib/systemd/system/mariadb.service exists
+# https://github.com/iiab/iiab/pull/2936
-  stat:
-    path: /lib/systemd/system/mariadb.service
-  register: mariadb_unit_file
-
-- name: Copy pkg's /lib/systemd/system/mariadb.service to /etc/systemd/system/ to be customized (CREATES TIMESTAMPED BACKUPS OF /etc/systemd/system/mariadb.service e.g. IF OPERATOR CUSTOMIZED IT, EVEN DESPITE WARNING BELOW!)
-  copy:
-    force: yes
-    backup: yes
-    src: /lib/systemd/system/mariadb.service
-    dest: /etc/systemd/system/
-  when: mariadb_unit_file.stat.exists
-
-- name: Symlink /etc/systemd/system/mysql.service -> /etc/systemd/system/mariadb.service
-  file:
-    state: link
-    force: yes
-    src: /etc/systemd/system/mariadb.service
-    path: /etc/systemd/system/mysql.service
-  when: mariadb_unit_file.stat.exists
-
-- name: Symlink /etc/systemd/system/mysqld.service -> /etc/systemd/system/mariadb.service
-  file:
-    state: link
-    force: yes
-    src: /etc/systemd/system/mariadb.service
-    path: /etc/systemd/system/mysqld.service
-  when: mariadb_unit_file.stat.exists
-
-- name: "WARN OPERATOR: Changes made to /etc/systemd/system/mariadb.service WILL BE LOST whenever 'mysql' playbook is run"
-  lineinfile:
-    path: /etc/systemd/system/mariadb.service
-    insertbefore: BOF    # Beginning of file
-    line: "# WARNING: CHANGES TO THIS FILE WILL BE REGULARLY *OVERWRITTEN* BY:\n# /opt/iiab/iiab/roles/mysql/tasks/main.yml\n"
-  when: mariadb_unit_file.stat.exists
-
-- name: Set systemd boot timeout to 180 seconds for slow machines, in /etc/systemd/system/mariadb.service
-  lineinfile:
-    path: /etc/systemd/system/mariadb.service
-    insertafter: '^\[Service\]$'
-    regexp: "^TimeoutStartSec="
-    line: "\n# 2019-07-03: @jvonau @holta doubled MariaDB's default boot timeout, from\n# 90 seconds to 180 seconds, for slow machines like this Ubuntu 18.04.2 VM:\n# https://github.com/iiab/iiab/issues/1802\n# https://mariadb.com/kb/en/library/what-to-do-if-mariadb-doesnt-start/#systemd\nTimeoutStartSec=180\n"
-    # If the line above were to be run repeatedly (never happens here!) Ansible
-    # would pollute MariaDB's systemd unit file.  As multi-line regexp's are
-    # not allowed (both regexp's should match, for idempotency).  If nec, use
-    # the 1-liner below, or Ansible's 'blockinfile' which pollutes config files
-    # in its own way...surrounding blocks with marker lines.
-    # line: "TimeoutStartSec=180"
-  when: mariadb_unit_file.stat.exists
-
-
-# 7 STANZAS BELOW...could later be put into setup.yml or config.yml or or provision.yml ?
 
 # Name of MySQL service varies by OS, so hardcoded in /opt/iiab/iiab/vars/<OS>.yml (formerly in roles/0-init/tasks/main.yml)
-- name: Start MySQL systemd service ({{ mysql_service }}) to permit configuration
+- name: Restart MySQL systemd service ({{ mysql_service }}) to permit configuration
   systemd:
-    name: "{{ mysql_service }}"
     daemon_reload: yes
+    name: "{{ mysql_service }}"
     state: restarted
 
-- name: Install /root/.my.cnf file from template, with root password credentials
+- name: "Install /root/.my.cnf file from template -- used to contain root password credential, prior to 2020-08-24: https://github.com/iiab/iiab/pull/2488"
   template:
     src: my.cnf.j2
     dest: /root/.my.cnf

roles/network/README.rst

@@ -2,13 +2,13 @@
 Network README
 ==============
 
-This is run by `Ansible <http://wiki.laptop.org/go/IIAB/FAQ#What_is_Ansible_and_what_version_should_I_use.3F>`_ after it has installed the core (`Stages 0-to-9 <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_) of `Internet-in-a-Box (IIAB) <http://internet-in-a-box.org>`_ and its apps/services.
+This is run by `Ansible <http://wiki.laptop.org/go/IIAB/FAQ#What_is_Ansible_and_what_version_should_I_use.3F>`_ after it has installed the core (`Stages 0-to-9 <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_) of `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org>`_ and its apps/services.
 
 Specifically, this 'network' role is run...
 
 - ...automatically during IIAB installation, after `/opt/iiab/iiab/iiab-install <../../iiab-install>`_ has run `Stages 0-to-9 <..>`_ (thanks to `iiab-stages.yml <../../iiab-stages.yml>`_).
-- ...automatically by IIAB's Admin Console (http://box/admin) if you click ``Configure`` menu -> ``Install Configured Options`` — this is similar to the above, but only runs Stage 0, then Stage 4-to-9, and then finally this 'network' role/stage (thanks to `iiab-from-console.yml <../../iiab-from-console.yml>`_).
+- ...automatically by IIAB's **Admin Console** (http://box/admin) if you click **Configure** -> **Install Configured Options** — this is similar to the above, but only runs Stage 0, then Stage 4-to-9, and then finally this 'network' role/stage (thanks to `iiab-from-console.yml <../../iiab-from-console.yml>`_).
-- ...or manually, if you run ``cd /opt/iiab/iiab`` then `./iiab-network <../../iiab-network>`_ (which is much the same as running ``./runrole network``).
+- ...or manually, if you run ``cd /opt/iiab/iiab`` then `sudo ./iiab-network <../../iiab-network>`_ (which is much the same as running ``sudo ./runrole network``).
 
 Many IIAB networking questions can be answered in these 2 documents:
 

roles/network/defaults/main.yml

@@ -85,8 +85,8 @@ systemd_networkd_active: False
 # The values here are default local variables
 gui_wan_iface: unset
 gui_static_wan_ip: unset
-wondershaper_dspeed: 4096
+# wondershaper_dspeed: 4096
-wondershaper_upspeed: 1024
+# wondershaper_upspeed: 1024
 
 # netplan
 fix_dispatcher: True

roles/network/tasks/computed_network.yml

@@ -1,15 +1,18 @@
 # just lie about active gateway present on XOs to suppress ifcfg-WAN
 # auto-creation/moving with XOs using NM/system-connections/ via keyfile.
 # ifcfg-rh acts on /etc/sys*/net*/ifcfg-* where we search for devices.
-- name: Setting XO has WiFi gateway
-  set_fact:
-    user_wan_iface: "{{ discovered_wan_iface }}"
-  when: not (discovered_wan_iface == "none") and not (xo_model == "none") and has_ifcfg_gw == "none"
 
-- name: XO laptop wants USB WiFi interface as AP mode
+# 2021-07-30: Var 'xo_model' is being deprecated
-  set_fact:
+#- name: Setting XO has WiFi gateway
-    iiab_wireless_lan_iface: "{{ discovered_lan_iface }}"
+#  set_fact:
-  when: num_wifi_interfaces >= "2" and not (xo_model == "none") and not (discovered_wan_iface == "none") and discovered_wireless_iface == "eth0"
+#    user_wan_iface: "{{ discovered_wan_iface }}"
+#  when: not (discovered_wan_iface == "none") and not (xo_model == "none") and has_ifcfg_gw == "none"
+
+# 2021-07-30: Var 'xo_model' is being deprecated
+#- name: XO laptop wants USB WiFi interface as AP mode
+#  set_fact:
+#    iiab_wireless_lan_iface: "{{ discovered_lan_iface }}"
+#  when: num_wifi_interfaces >= "2" and not (xo_model == "none") and not (discovered_wan_iface == "none") and discovered_wireless_iface == "eth0"
 
 # static backout suppy new template file
 - name: gui-static-wan
@@ -150,7 +153,7 @@
 
 - name: Add 'computed_network' variable values to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: computed_network
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"

roles/network/tasks/computed_services.yml

@@ -1,17 +1,17 @@
 - name: No LAN configured - 'Appliance' mode
   set_fact:
-    dansguardian_enabled: False
+    # dansguardian_enabled: False
     squid_enabled: False
-    wondershaper_enabled: False
+    # wondershaper_enabled: False
     hostapd_enabled: False
     iiab_network_mode: "Appliance"
   when: iiab_lan_iface == "none" or user_lan_iface == "none"
 
 - name: LAN configured - 'LanController' mode
   set_fact:
-    dansguardian_enabled: False
+    # dansguardian_enabled: False
     squid_enabled: False
-    wondershaper_enabled: False
+    # wondershaper_enabled: False
     iiab_network_mode: "LanController"
   when: iiab_lan_iface != "none" and iiab_wan_iface == "none"
 
@@ -52,7 +52,7 @@
 
 - name: Add 'network' variable values (from computed_services.yml) to {{ iiab_ini_file }}
   ini_file:
-    dest: "{{ iiab_ini_file }}"
+    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: network
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"

roles/network/tasks/enable_services.yml

@@ -11,29 +11,29 @@
     enabled: yes
   when: dhcpd_install and dhcpd_enabled
 
-- name: Install /etc/sysconfig/dhcpd, /etc/dhcpd-iiab.conf from templates
+- name: Install /etc/sysconfig/dhcpd, /etc/dhcpd-iiab.conf from templates (root:root, 0644 by default)
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: "{{ item.mode }}"
+    # mode: "{{ item.mode }}"
   with_items:
-   - { src: 'dhcp/dhcpd-env.j2', dest: '/etc/sysconfig/dhcpd', mode: '0644' }
+   - { src: 'dhcp/dhcpd-env.j2', dest: '/etc/sysconfig/dhcpd' }
-   - { src: 'dhcp/dhcpd-iiab.conf.j2', dest: '/etc/dhcpd-iiab.conf', mode: '0644' }
+   - { src: 'dhcp/dhcpd-iiab.conf.j2', dest: '/etc/dhcpd-iiab.conf' }
   when: dhcpd_install and dhcpd_enabled
 
-- name: Install /etc/named-iiab.conf and two *.zone.db files into /var/named-iiab
+- name: Install /etc/named-iiab.conf and two *.zone.db files into /var/named-iiab (root:root, 0644 by default)
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: root
+    # owner: root
-    group: root
+    # group: root
-    mode: "{{ item.mode }}"
+    # mode: "{{ item.mode }}"
   with_items:
-   - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf', mode: '0644' }
+   - { src: 'named/named-iiab.conf.j2', dest: '/etc/named-iiab.conf' }
-   - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/', mode: '0644' }
+   - { src: 'named/school.local.zone.db', dest: '/var/named-iiab/' }
-   - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/', mode: '0644' }
+   - { src: 'named/school.internal.zone.db', dest: '/var/named-iiab/' }
   when: named_install and named_enabled
 
 - name: Enable named service ({{ dns_service }}) if named_enabled
@@ -93,13 +93,13 @@
 #- debug:
 #    var: nd_dir
 
-- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04 or later)
+- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04 or later) (root:root by default)
   template:
     src: roles/network/templates/network/dnsmasq.sh.j2
     dest: /etc/networkd-dispatcher/routable.d/dnsmasq.sh
     mode: 0755
-    owner: root
+    # owner: root
-    group: root
+    # group: root
   when: dnsmasq_install and dnsmasq_enabled and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance")
   #when: dnsmasq_install and dnsmasq_enabled and nd_enabled is defined and nd_enabled.stdout == "enabled" and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance")
   #when: dnsmasq_install and dnsmasq_enabled and systemd_out.status.UnitFileState == "enabled" and networkd_dir.stat.exists and networkd_dir.stat.isdir and (iiab_network_mode != "Appliance")
@@ -122,104 +122,96 @@
     enabled: no
   when: dnsmasq_install and not dnsmasq_enabled
 
-- name: Enable DansGuardian systemd service, if dansguardian_enabled
+# - name: Enable DansGuardian systemd service, if dansguardian_enabled
-  systemd:
+#   systemd:
-    name: dansguardian
+#     name: dansguardian
-    enabled: yes
+#     enabled: yes
-  when: dansguardian_install and dansguardian_enabled
+#   when: dansguardian_install and dansguardian_enabled
 
-- name: Disable DansGuardian, if not dansguardian_enabled
+# - name: Disable DansGuardian, if not dansguardian_enabled
-  systemd:
+#   systemd:
-    name: dansguardian
+#     name: dansguardian
-    enabled: no
+#     enabled: no
-  when: (dansguardian_install or dansguardian_installed is defined) and not dansguardian_enabled
+#   when: (dansguardian_install or dansguardian_installed is defined) and not dansguardian_enabled
 
-- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }}, if squid_enabled
+- name: Mandate 'HTTPCACHE_ON=True' in {{ iiab_env_file }} - if squid_install [{{ squid_install }}] and squid_enabled [{{ squid_enabled }}]
   lineinfile:
     path: "{{ iiab_env_file }}"
     regexp: '^HTTPCACHE_ON=*'
     line: 'HTTPCACHE_ON=True'
-    state: present
   when: squid_install and squid_enabled
 
-- name: Enable Squid systemd service ({{ proxy }}) if squid_enabled
+- name: Enable systemd service '{{ proxy }}' - if squid_install and squid_enabled
   systemd:
-    name: "{{ proxy }}"
+    name: "{{ proxy }}"    # squid (or 'squid3' on vars/debian-8.yml, vars/raspbian-8.yml)
     enabled: yes
   when: squid_install and squid_enabled
 
-- name: Install /etc/{{ proxy }}/squid-iiab.conf from template, owned by {{ proxy_user }}:{{ proxy_user }}
+- name: Install /etc/{{ proxy }}/squid.conf from template (root:root, 0644 by default) - and create a timestamped backup of the original - if squid_install and squid_enabled
   template:
-    src: "{{ item.src }}"
+    src: squid/squid.conf.j2
-    dest: "{{ item.dest }}"
+    dest: /etc/{{ proxy }}/squid.conf
-    owner: "{{ item.owner }}"
+    # owner: "{{ proxy_user }}"    # proxy (or 'squid' on vars/centos-7.yml, vars/fedora-18.yml, vars/fedora-12.yml)
-    group: "{{ item.group }}"
+    # group: "{{ proxy_user }}"
-    mode: "{{ item.mode }}"
+    backup: yes
-  with_items:
-    - src: squid/squid-iiab.conf.j2
-      dest: "/etc/{{ proxy }}/squid-iiab.conf"
-      owner: "{{ proxy_user }}"
-      group: "{{ proxy_user }}"
-      mode: 0644
   when: squid_install and squid_enabled
 
-- name: Point to Squid config file from startup file, if squid_enabled (debuntu)
+# - name: Point /etc/init.d/{{ proxy }} to /etc/{{ proxy }}/squid-iiab.conf - if squid_install and squid_enabled
-  lineinfile:
+#   lineinfile:
-    regexp: '^CONFIG'
+#     regexp: '^CONFIG'
-    line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
+#     line: "CONFIG=/etc/{{ proxy }}/squid-iiab.conf"
-    path: "/etc/init.d/{{ proxy }}"
+#     path: "/etc/init.d/{{ proxy }}"
-  when: squid_install and squid_enabled and is_debuntu
+#   when: squid_install and squid_enabled
 
-- name: Disable Squid service, if not squid_enabled
+- name: Disable systemd service '{{ proxy }}' - if (squid_install or squid_installed [{{ squid_installed }}] is defined) and not squid_enabled
   systemd:
     name: "{{ proxy }}"
     enabled: no
   when: (squid_install or squid_installed is defined) and not squid_enabled
 
-- name: Revert to 'HTTPCACHE_ON=False' if not squid_enabled
+- name: Revert {{ iiab_env_file }} to 'HTTPCACHE_ON=False' - if squid_install and not squid_enabled
   lineinfile:
     path: "{{ iiab_env_file }}"
     regexp: '^HTTPCACHE_ON=*'
     line: 'HTTPCACHE_ON=False'
-    state: present
   when: squid_install and not squid_enabled
 
-- name: Enable Wondershaper service, if wondershaper_enabled
+# - name: Enable Wondershaper service, if wondershaper_enabled
-  systemd:
+#   systemd:
-    name: wondershaper
+#     name: wondershaper
-    enabled: yes
+#     enabled: yes
-  when: wondershaper_install and wondershaper_enabled
+#   when: wondershaper_install and wondershaper_enabled
 
-- name: Disable Wondershaper service, if not wondershaper_enabled
+# - name: Disable Wondershaper service, if not wondershaper_enabled
-  systemd:
+#   systemd:
-    name: wondershaper
+#     name: wondershaper
-    enabled: no
+#     enabled: no
-  when: (wondershaper_install or wondershaper_installed is defined) and not wondershaper_enabled
+#   when: (wondershaper_install or wondershaper_installed is defined) and not wondershaper_enabled
 
 # check-LAN should be iptables.yml remove later
-- name: Install clean copy of /usr/bin/iiab-gen-iptables from template
+- name: Install clean copy of /usr/bin/iiab-gen-iptables from template (root:root by default)
   template:
     src: gateway/iiab-gen-iptables
     dest: /usr/bin/iiab-gen-iptables
-    owner: root
+    # owner: root
-    group: root
+    # group: root
     mode: 0755
 
-- name: Install iiab-internet-on|off
+- name: Install /usr/bin/iiab-internet-on|off from template (root:root by default)
   template:
     src: "{{ item }}"
     dest: /usr/bin/
-    owner: root
+    # owner: root
-    group: root
+    # group: root
     mode: 0755
   with_items:
     - gateway/iiab-internet-on
     - gateway/iiab-internet-off
 
 
-- name: Add 'squid' variable values to {{ iiab_ini_file }}
+- name: Add 'squid' variable values to {{ iiab_ini_file }} - if squid_installed is defined
   ini_file:
-    path: "{{ iiab_ini_file }}"
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     section: squid
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"
@@ -230,28 +222,28 @@
       value: "{{ squid_enabled }}"
   when: squid_installed is defined
 
-- name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
+# - name: Add 'dansguardian' variable values to {{ iiab_ini_file }}
-  ini_file:
+#   ini_file:
-    path: "{{ iiab_ini_file }}"
+#     path: "{{ iiab_ini_file }}"
-    section: dansguardian
+#     section: dansguardian
-    option: "{{ item.option }}"
+#     option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+#     value: "{{ item.value | string }}"
-  with_items:
+#   with_items:
-    - option: dansguardian_install
+#     - option: dansguardian_install
-      value: "{{ dansguardian_install }}"
+#       value: "{{ dansguardian_install }}"
-    - option: dansguardian_enabled
+#     - option: dansguardian_enabled
-      value: "{{ dansguardian_enabled }}"
+#       value: "{{ dansguardian_enabled }}"
-  when: dansguardian_installed is defined
+#   when: dansguardian_installed is defined
 
-- name: Add 'wondershaper' variable values to {{ iiab_ini_file }}
+# - name: Add 'wondershaper' variable values to {{ iiab_ini_file }}
-  ini_file:
+#   ini_file:
-    path: "{{ iiab_ini_file }}"
+#     path: "{{ iiab_ini_file }}"
-    section: wondershaper
+#     section: wondershaper
-    option: "{{ item.option }}"
+#     option: "{{ item.option }}"
-    value: "{{ item.value | string }}"
+#     value: "{{ item.value | string }}"
-  with_items:
+#   with_items:
-    - option: wondershaper_install
+#     - option: wondershaper_install
-      value: "{{ wondershaper_install }}"
+#       value: "{{ wondershaper_install }}"
-    - option: wondershaper_enabled
+#     - option: wondershaper_enabled
-      value: "{{ wondershaper_enabled }}"
+#       value: "{{ wondershaper_enabled }}"
-  when: wondershaper_installed is defined
+#   when: wondershaper_installed is defined

roles/network/tasks/hostapd.yml

@@ -39,7 +39,7 @@
   set_fact:
     ap0_mac_addr: "{{ ap0_mac.stdout }}"
 
-- name: Use custom 'hostapd' systemd service unit file using ap0
+- name: "Use custom 'hostapd' systemd service unit file using ap0 -- install from template: /etc/systemd/system/hostapd.service, /etc/systemd/system/iiab-clone-wifi.service, /etc/systemd/system/iiab-wifi-test.service, /usr/sbin/iiab-test-wifi"
   template:
     owner: root
     group: root
@@ -48,9 +48,9 @@
     mode: "{{ item.mode  }}"
   with_items:
     - { src: 'hostapd/hostapd.service.j2', dest: '/etc/systemd/system/hostapd.service', mode: '0644' }
-    - { src: 'hostapd/clone-wifi.service.j2', dest: '/etc/systemd/system/clone-wifi.service', mode: '0644' }
+    - { src: 'hostapd/iiab-clone-wifi.service.j2', dest: '/etc/systemd/system/iiab-clone-wifi.service', mode: '0644' }
-    - { src: 'hostapd/wifi-test.service.j2', dest: '/etc/systemd/system/wifi-test.service', mode: '0644'}
+    - { src: 'hostapd/iiab-wifi-test.service.j2', dest: '/etc/systemd/system/iiab-wifi-test.service', mode: '0644'}
-    - { src: 'hostapd/test-wifi', dest: '/sbin/test-wifi', mode: '0755' }
+    - { src: 'hostapd/iiab-test-wifi.j2', dest: '/usr/sbin/iiab-test-wifi', mode: '0755' }
   when: discovered_wireless_iface != "none"
 
 - name: Use custom 'hostapd' systemd service unit file for {{ discovered_wireless_iface }} when not wifi_up_down
@@ -145,8 +145,8 @@
     enabled: no
     daemon_reload: yes    
   with_items:
-    - clone-wifi.service
+    - iiab-clone-wifi.service
-    - wifi-test.service
+    - iiab-wifi-test.service
   when: not wifi_up_down
 
 - name: Enable the Access Point 'hostapd' and ap0 related services
@@ -156,8 +156,8 @@
     daemon_reload: yes
   with_items:
     - hostapd.service
-    - clone-wifi.service
+    - iiab-clone-wifi.service
-    - wifi-test.service
+    - iiab-wifi-test.service
   when: hostapd_enabled and wifi_up_down
 
 - name: Record HOSTAPD_ENABLED to {{ iiab_env_file }}