Merge branch 'master' into conditional_bare_variables

2025-03-09 15:40:17 +00:00 · 2020-10-16 17:51:42 -07:00 · 2020-10-16 17:51:42 -07:00 · e705294997
commit e705294997
parent 1c4f60150e a30a8b8f36
17 changed files with 257 additions and 197 deletions
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -27,7 +27,7 @@
    state: present
  when: is_debuntu

- name: "Install 23 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget"
+- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget"
  package:
    name:
      - acpid
@ -52,7 +52,7 @@
      - rsync
      #- screen    # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
      - sqlite3
-      - sudo
+      #- sudo    # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
      - tar
      - unzip
      #- usbmount    # Moved to roles/usb_lib/tasks/install.yml
--- a/roles/iiab-admin/README.rst
+++ b/roles/iiab-admin/README.rst
@ -13,31 +13,59 @@
 iiab-admin README
 =================

-This role is home to a number of administrative (Ansible) playbooks:
+`Internet-in-a-Box <http://internet-in-a-box.org>`_ (IIAB) encourages you to pay attention to the security of your learning community.

-Add Administrative User
-----------------------
+This Ansible playbook is one of the very first that runs when you install IIAB, and we hope reading this helps you understand your choices:

-* Adds the Linux user that will allow you access to IIAB's Admin Console (http://box.lan/admin) if this has not already been done for you by IIAB's 1-line installer (http://download.iiab.io).
-* By default this is ``iiab-admin`` with password ``g0adm1n``
+Configure user 'iiab-admin'
+---------------------------
+
+* `admin-user.yml <tasks/admin-user.yml>`_ configures a Linux user that will give you access to IIAB's Admin Console (http://box.lan/admin) after IIAB is installed — and can also help you at the command-line with IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware, etc}.
+   * If initial creation of the user and password was somehow not already taken care of by IIAB's 1-line installer (http://download.iiab.io) or by your underlying OS, that too will be taken care of here.
+* By default this user is ``iiab-admin`` with password ``g0adm1n``
   * *Do change the default password if you haven't yet, by running:* **sudo passwd iiab-admin**
-   * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password
-   * If you prefer using a pre-existing user like ``pi`` or ``ubuntu`` etc, consider customizing variables ``iiab_admin_user_install``, ``iiab_admin_user`` and ``iiab_admin_user_group`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (please do this prior to installing IIAB !)
-* Please read more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+   * After IIAB is installed, you can also change the password by logging into Admin Console (http://box.lan/admin) > Utilities > Change Password.
+* If you prefer to use a pre-existing user like ``pi`` or ``ubuntu`` (or any other username) customize the variable ``iiab_admin_user`` in your `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_ (preferably do this prior to installing IIAB!)
+   * You can set ``iiab_admin_can_sudo: False`` if you want a strict security lockdown (if you're really sure you won't need IIAB community support commands like `/usr/bin/iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_, `/usr/bin/iiab-hotspot-on <../network/templates/network/iiab-hotspot-on>`_, `iiab-check-firmware <../firmware/templates/iiab-check-firmware>`_, etc!)
+   * You can also set ``iiab_admin_user_install: False`` if you're sure you know how to do all this `account and sudo configuration <tasks/admin-user.yml>`_ manually.

-Desiderata, for the historical record:
+Security
+--------

-* Auto-checking for the default password is implemented in `/etc/profile.d <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh>`_ when it exists).
-* |ss| N.B. to create password hash use python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' |se| |nbsp| (not recommended as of October 2020)
-* |ss| Make a sudoer |se| |nbsp| (likely going away in October 2020, as group 'iiab-admin' should be recommended instead of group 'sudo')
-* |ss| Add /root/.ssh and dummy authorized_keys file as placeholder |se| |nbsp| (moved to `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_)
-* |ss| Force password for sudoers |se| |nbsp| (sudo flag ``NOPASSWORD:`` and the ``wheel`` group will no longer being used as of October 2020)
+* A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin)
+   #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
+   #. ``sudo``
+* Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to faciliate remote community support.  Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security
+* Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).

-Add Packages for Remote Access
------------------------------
+Example
+=======

-* screen
-* lynx
+* If you later change your mind about ``sudo`` privileges for user 'iiab-admin' (as specified by ``iiab_admin_user``) then do this:
+   #. Go ahead and change the value of ``iiab_admin_can_sudo`` (to either True or False) in `/etc/iiab/local_vars.yml <http://wiki.laptop.org/go/IIAB/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
+   #. Make sure that ``iiab_admin_user_install: True`` is also set.
+   #. Then re-run this Ansible playbook, by running ``cd /opt/iiab/iiab`` followed by ``sudo ./runrole --reinstall iiab-admin``
+
+Historical Notes
+================
+
+* We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_.  [October 2020]
+* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks.  [October 2020]
+
+Remote Support Tools
+--------------------
+
+The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
+
+Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
+
+* `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_
+* `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_
+
+*More great tools to help you jumpstart community action at a distance:*
+
+* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?"

 Admin Console
 -------------
--- a/roles/iiab-admin/defaults/main.yml
+++ b/roles/iiab-admin/defaults/main.yml
@ -1,24 +1,16 @@
-# Must keep roles/0-init/defaults/main.yml sync'd ?  (Seems no longer true as of 2018-10-15)
+# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
+# Admin Console (http://box.lan/admin) AND to help you at the command-line:
+# https://github.com/iiab/iiab/tree/master/roles/iiab-admin
+# https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md

-# Set iiab_admin_user_install: False if you don't want iiab_admin_user & wheel
-# group auto-created in roles/iiab-admin/tasks/main.yml (hence disabling sudo-
-# checks/warnings of published passwds like pi/raspberry & iiab-admin/g0adm1n).
+# iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
+
+# Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
+# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
 # iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user (below) to an existing
-# Linux user that has sudo access, for login to Admin Console http://box/admin
-
-# ODDLY THIS IS ALSO USED BY roles/usb-lib/tasks/main.yml TO SET GROUP PERM FOR /library/www/html/local_content (ISN'T {{ apache_user }} MORE APPROPRIATE?)
-# iiab_admin_user: iiab-admin
-
-# For live checks/alerts of published pwds
-# iiab_admin_published_pwd: g0adm1n
-
-# Password hash to override above, if Ansible creates above user:
-# iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
+# iiab_admin_can_sudo: True   # For /usr/bin/iiab-* support commands. Optional.
+# iiab_admin_published_pwd: g0adm1n   # Default password. For pwd warnings too.
+# admin_console_group: iiab-admin   # This group & sudo log in to Admin Console

 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
--- a/roles/iiab-admin/tasks/access.yml
+++ b/roles/iiab-admin/tasks/access.yml
@ -1,6 +1,6 @@
- name: "Install textmode remote access packages: screen, lynx"
+- name: "Install text mode packages, useful during remote access: screen, lynx"
  package:
    name:
-    - screen
-    - lynx
+      - lynx
+      - screen
    state: present
--- a/roles/iiab-admin/tasks/admin-user.yml
+++ b/roles/iiab-admin/tasks/admin-user.yml
@ -1,53 +1,56 @@
- name: Create user {{ iiab_admin_user }} in group sudo for Admin Console; set password from iiab_admin_pwd_hash if newly creating account
-  user:
-    name: "{{ iiab_admin_user }}"    # iiab-admin
-    password: "{{ iiab_admin_pwd_hash }}"
-    update_password: on_create
-    shell: /bin/bash
-    groups: sudo
+# Summary of how this works with IIAB's Admin Console etc:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst

-#- name: Create a wheel group
-#  group:
-#    name: wheel
-#    state: present

-#- name: Create a sudo group (redhat)
-#  group:
-#    name: sudo
-#    state: present
-#  when: is_redhat
+# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml
+- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist?    # iiab-admin BY DEFAULT
+  command: "id {{ iiab_admin_user | quote }}"    # quote to avoid ';' exploits
+  register: user_info
+  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')

-#- name: 'Add user {{ iiab_admin_user }} to groups: wheel, sudo'
-#  user:
-#    name: "{{ iiab_admin_user }}"
-#    groups: wheel,sudo
-
- name: Edit the sudoers file -- first make it editable
-  file:
-    path: /etc/sudoers
-    mode: 0640
-
- name: Have sudo log all commands it handles
-  lineinfile:
-    regexp: logfile
-    line: "Defaults     logfile = /var/log/sudo.log"
-    dest: /etc/sudoers
+# admin_console_group: iiab-admin   # PER default_vars.yml, SHOULD NEVER CHANGE
+- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console
+  group:
+    name: "{{ admin_console_group }}"
    state: present

+- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
+  user:
+    name: "{{ iiab_admin_user }}"
+    #group: "{{ iiab_admin_user }}"    # Not nec.  Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
+    groups: "{{ admin_console_group }}"    # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future.  FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd.
+    append: yes
+    shell: /bin/bash
+    #password: "{{ iiab_admin_pwd_hash }}"    # 2020-10-14: DEPRECATED in favor
+    #update_password: on_create               # of 'command: chpasswd' below.
+
+- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'    # g0adm1n
+  #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
+  command: chpasswd    # Equiv to line above, but safer
+  args:
+    stdin: "{{ iiab_admin_user | quote }}:{{ iiab_admin_published_pwd | quote }}"
+  when: user_info.rc != 0
+
+
+# sudo-prereqs.yml needs to have been run!
+
+- name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
+  #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
+  user:
+    name: "{{ iiab_admin_user }}"
+    groups: sudo
+    append: yes
+  when: iiab_admin_can_sudo
+
+- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
+  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
+  when: not iiab_admin_can_sudo
+  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')
+
+
 #- name: Lets {{ iiab_admin_user }} sudo without password
 ##- name: Lets wheel sudo without password
 #  lineinfile:
+#    path: /etc/sudoers
 #    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
 ##    line: "%wheel ALL= NOPASSWD: ALL"
-#    dest: /etc/sudoers
-
- name: Remove the line which requires tty
-  lineinfile:
-    regexp: requiretty
-    dest: /etc/sudoers
-    state: absent
-
- name: End editing the sudoers file -- protect it again
-  file:
-    path: /etc/sudoers
-    mode: 0440
--- a/roles/iiab-admin/tasks/main.yml
+++ b/roles/iiab-admin/tasks/main.yml
@ -1,39 +1,32 @@
- include_tasks: admin-user.yml
+# Summary of how this works with IIAB's Admin Console etc:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
+
+
+- name: Install lynx, screen
+  include_tasks: access.yml
+
+- name: Install sudo & /etc/sudoers with logging to /var/log/sudo.log
+  include_tasks: sudo-prereqs.yml
+
+- name: Configure user iiab-admin / password and its group(s), if iiab_admin_user_install
+  include_tasks: admin-user.yml
  when: iiab_admin_user_install

- include_tasks: access.yml
+# Idea: institute precautionary system-wide published password warning(s)
+# for user iiab-admin / g0adm1n, i.e. {{ iiab_admin_user }} with password
+# {{ iiab_admin_published_pwd }}, regardless whether the password is set:
+#
+# (1) by the OS installer
+# (2) by the OS's graphical desktop tools
+# (3) at the command-line: sudo passwd iiab-admin
+# (4) by IIAB's 1-line installer: http://download.iiab.io
+# (5) by this role: roles/iiab-admin/tasks/admin-user.yml
+# (6) by IIAB's Admin Console during installation
+# ...and/or...
+# (7) by IIAB's Admin Console > Utilities > Change Password

- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
-  template:
-    src: sshpwd-profile-iiab.sh
-    dest: /etc/profile.d/
-    mode: '0644'
-
- name: Is this LXDE-pi?
-  stat:
-    path: /etc/xdg/lxsession/LXDE-pi
-  register: lx
-
- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
-  template:
-    src: sshpwd-lxde-iiab.sh
-    dest: /etc/xdg/lxsession/LXDE-pi/
-    mode: '0755'
-  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
-
-# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
-# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
-# (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
-# would be really nice to standardize this popup across Ubermix & all distros..
-# Is this a permissions/security issue presumably?  Official autostart spec is:
-# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
-# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
-
- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
-  lineinfile:
-    path: /etc/xdg/lxsession/LXDE-pi/autostart
-    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
-  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+- name: Install password warning(s)
+  include_tasks: pwd-warnings.yml


 # RECORD iiab-admin AS INSTALLED
@ -62,3 +55,7 @@
      value: '"Admin User"'
    - option: iiab_admin_user
      value: "{{ iiab_admin_user }}"
+    - option: iiab_admin_user_install
+      value: "{{ iiab_admin_user_install }}"
+    - option: iiab_admin_can_sudo
+      value: "{{ iiab_admin_can_sudo }}"
--- a/roles/iiab-admin/tasks/pwd-warnings.yml
+++ b/roles/iiab-admin/tasks/pwd-warnings.yml
@ -0,0 +1,31 @@
+- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
+  template:
+    src: sshpwd-profile-iiab.sh
+    dest: /etc/profile.d/
+    mode: '0644'
+
+- name: Is this LXDE-pi?
+  stat:
+    path: /etc/xdg/lxsession/LXDE-pi
+  register: lx
+
+- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+  template:
+    src: sshpwd-lxde-iiab.sh
+    dest: /etc/xdg/lxsession/LXDE-pi/
+    mode: '0755'
+  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+
+# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
+# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
+# (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
+# would be really nice to standardize this popup across Ubermix & all distros..
+# Is this a permissions/security issue presumably?  Official autostart spec is:
+# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
+# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
+
+- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
+  lineinfile:
+    path: /etc/xdg/lxsession/LXDE-pi/autostart
+    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
--- a/roles/iiab-admin/tasks/sudo-prereqs.yml
+++ b/roles/iiab-admin/tasks/sudo-prereqs.yml
@ -0,0 +1,27 @@
+# roles/2-common/tasks/packages.yml also installed sudo, but that's too late
+- name: 'Install package: sudo'
+  package:
+    name: sudo
+
+- name: Temporarily make file /etc/sudoers editable (0640)
+  file:
+    path: /etc/sudoers
+    mode: 0640
+
+- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'
+  lineinfile:
+    path: /etc/sudoers
+    regexp: logfile
+    line: "Defaults     logfile = /var/log/sudo.log"
+
+# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
+#- name: Remove all lines that contain 'requiretty'
+#  lineinfile:
+#    path: /etc/sudoers
+#    regexp: requiretty
+#    state: absent
+
+- name: End editing file /etc/sudoers -- protect it again (0440)
+  file:
+    path: /etc/sudoers
+    mode: 0440
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@ -3,6 +3,9 @@
 # SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh

+# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25
+
 # For Localization/Translation: (use /usr/bin/gettext below if later nec!)
 #export TEXTDOMAIN=pprompt-iiab
 #. gettext.sh
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
@ -44,8 +44,6 @@ check_user_pwd() {
 # HISTORICAL: if password-free sudo access is truly nec, it can be set with
 # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older:
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
-# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
-# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30

 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin g0adm1n
    echo
--- a/roles/nginx/tasks/install.yml
+++ b/roles/nginx/tasks/install.yml
@ -16,10 +16,11 @@
    - php-fpm
    - libnginx-mod-http-subs-filter

- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
-  user:
-    name: "{{ apache_user }}"    # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml
-    groups: shadow
+# 2020-10-16: Removed per #2560
+#- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
+#  user:
+#    name: "{{ apache_user }}"    # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml
+#    groups: shadow

 - name: Remove NGINX default config /etc/nginx/sites-enabled/default
  file:
--- a/roles/pbx/defaults/main.yml
+++ b/roles/pbx/defaults/main.yml
@ -6,9 +6,9 @@

 # asterisk_chan_dongle: False

-# pbx_signaling_ports_chan_sip: "5160:5161"
-# pbx_signaling_ports_chan_pjsip: "5060"
-# pbx_data_ports: "10000:20000"
+# pbx_signaling_ports_chan_sip: 5160:5161
+# pbx_signaling_ports_chan_pjsip: 5060
+# pbx_data_ports: 10000:20000
 # pbx_http_port: 83
 #
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
--- a/roles/transmission/defaults/main.yml
+++ b/roles/transmission/defaults/main.yml
@ -11,7 +11,7 @@

 # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme
 # transmission_http_port: 9091
-# transmission_url : "/transmission/"
+# transmission_url: /transmission/
 # transmission_peer_port: 51413

 # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -33,7 +33,7 @@ yum_packages_dir: "{{ iiab_base }}/yum-packages"
 downloads_dir: "{{ iiab_base }}/downloads"
 iiab_download_url: http://download.iiab.io/packages

-content_base: "/library"
+content_base: /library
 doc_base: "{{ content_base }}/www"
 doc_root: "{{ doc_base }}/html"

@ -50,20 +50,21 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231

-# Please read more about the 'iiab-admin' Linux user and group, which allow
-# you to log in to IIAB's Admin Console (http://box.lan/admin):
+# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
+# Admin Console (http://box.lan/admin) AND to help you at the command-line:
 # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+#
+iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
-# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
-iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# user that's a member of group sudo (or group below?) for Admin Console login:
-iiab_admin_user: iiab-admin
-iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
-iiab_admin_published_pwd: g0adm1n    # For live checks/alerts of published pwds
-# Password hash to override above, if Ansible creates above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
+# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
+iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.
+iiab_admin_published_pwd: g0adm1n    # Default password.  For pwd warnings too.
+admin_console_group: iiab-admin    # This group & sudo log in to Admin Console.
+
+# DEPRECATED - Password hash to override above, if Ansible creates above user:
+# iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
 # Obtain a password hash - NEW MORE SECURE WAY:
 #    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
 # Obtain a password hash - OLD WAY:
@ -111,7 +112,7 @@ iiab_home_url: /home
 #
 # Raspberry Pi OS requires WiFi country -- SET THIS IN /etc/iiab/local_vars.yml
 host_country_code: US
-host_ssid: "Internet in a Box"
+host_ssid: Internet in a Box
 host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
@ -306,8 +307,8 @@ cups_port: 631
 # Samba.  Do a security audit seriously before deploying this.
 samba_install: False
 samba_enabled: False
-samba_udp_ports: "137:138"
-samba_tcp_mports: "139,445"
+samba_udp_ports: 137:138
+samba_tcp_mports: 139,445
 shared_dir : "{{ content_base }}/public"    # /library/public

 # USB_LIB
@ -423,9 +424,9 @@ nextcloud_enabled: False
 pbx_install: False
 pbx_enabled: False
 asterisk_chan_dongle: False
-pbx_signaling_ports_chan_sip: "5160:5161"
-pbx_signaling_ports_chan_pjsip: "5060"
-pbx_data_ports: "10000:20000"
+pbx_signaling_ports_chan_sip: 5160:5161
+pbx_signaling_ports_chan_pjsip: 5060
+pbx_data_ports: 10000:20000
 pbx_http_port: 83

 # If using WordPress intensively, set nginx_high_php_limits further above.
@ -510,7 +511,7 @@ transmission_group: root

 # Monitor downloads at http://box:9091 or http://box:9091/transmission using Admin/changeme
 transmission_http_port: 9091
-transmission_url : "/transmission/"
+transmission_url : /transmission/
 transmission_peer_port: 51413

 # Provision Transmission with torrent(s) from http://pantry.learningequality.org/downloads/ka-lite/0.17/content/
@ -658,8 +659,8 @@ calibreweb_home: "{{ content_base }}/calibre-web"    # /library/calibre-web
 # xovis_db_name: xovis
 # xovis_db_user: admin
 # xovis_db_password: admin
-# xovis_root: "/opt/xovis"
-# xovis_backup_dir: "/library/users"
+# xovis_root: /opt/xovis
+# xovis_backup_dir: /library/users
 # xovis_chart_heading: "My School: Usage Data Visualization"

 # Unmaintained
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -22,23 +22,16 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231

-# Please read more about the 'iiab-admin' Linux user and group, which allow
-# you to log in to IIAB's Admin Console (http://box.lan/admin):
+# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
+# Admin Console (http://box.lan/admin) AND to help you at the command-line:
 # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+#
+iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
-# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
-iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# user that's a member of group sudo (or group below?) for Admin Console login:
-iiab_admin_user: iiab-admin
-iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
-# Password hash to be used if Ansible creates the above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
+# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
+iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.

 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
@ -67,7 +60,7 @@ iiab_home_url: /home
 #
 # Raspberry Pi OS requires Wi-Fi country since March 2018.  Please set it here:
 host_country_code: US
-host_ssid: "Internet in a Box"
+host_ssid: Internet in a Box
 host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
@ -155,7 +148,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: "BIG-sized - Put Your Name Here"
+openvpn_handle: BIG-sized - Put Your Name Here

 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -22,23 +22,16 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231

-# Please read more about the 'iiab-admin' Linux user and group, which allow
-# you to log in to IIAB's Admin Console (http://box.lan/admin):
+# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
+# Admin Console (http://box.lan/admin) AND to help you at the command-line:
 # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+#
+iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
-# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
-iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# user that's a member of group sudo (or group below?) for Admin Console login:
-iiab_admin_user: iiab-admin
-iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
-# Password hash to be used if Ansible creates the above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
+# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
+iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.

 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
@ -67,7 +60,7 @@ iiab_home_url: /home
 #
 # Raspberry Pi OS requires Wi-Fi country since March 2018.  Please set it here:
 host_country_code: US
-host_ssid: "Internet in a Box"
+host_ssid: Internet in a Box
 host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
@ -155,7 +148,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: "MEDIUM-sized - Put Your Name Here"
+openvpn_handle: MEDIUM-sized - Put Your Name Here

 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@ -22,23 +22,16 @@ language_priority: en es fr
 # Real-time clock: set RTC chip family here.  Future auto-detection plausible?
 # rtc_id: ds3231

-# Please read more about the 'iiab-admin' Linux user and group, which allow
-# you to log in to IIAB's Admin Console (http://box.lan/admin):
+# Please read more about the 'iiab-admin' Linux user, for login to IIAB's
+# Admin Console (http://box.lan/admin) AND to help you at the command-line:
 # https://github.com/iiab/iiab/tree/master/roles/iiab-admin
 # https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
+#
+iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
-# created e.g. by IIAB's 1-line installer and roles/iiab-admin/tasks/main.yml
-iiab_admin_user_install: True
-# If iiab_admin_user_install: False, set iiab_admin_user to an existing Linux
-# user that's a member of group sudo (or group below?) for Admin Console login:
-iiab_admin_user: iiab-admin
-iiab_admin_user_group: iiab-admin    # 2020-10-13: Coming Soon?
-# Password hash to be used if Ansible creates the above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
+# configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
+iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.

 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
@ -67,7 +60,7 @@ iiab_home_url: /home
 #
 # Raspberry Pi OS requires Wi-Fi country since March 2018.  Please set it here:
 host_country_code: US
-host_ssid: "Internet in a Box"
+host_ssid: Internet in a Box
 host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
@ -155,7 +148,7 @@ sshd_enabled: True
 openvpn_install: True
 openvpn_enabled: False
 # Set /etc/iiab/openvpn_handle in advance here:
-openvpn_handle: "MIN-sized - Put Your Name Here"
+openvpn_handle: MIN-sized - Put Your Name Here

 # Some prefer 512MB for Zero W, others prefer 2048MB or higher for RPi 3 and 4.
 # Please see recommendations at: https://itsfoss.com/swap-size/