diff --git a/iiab-from-console.yml b/iiab-from-console.yml index 33f995186..97e8de990 100644 --- a/iiab-from-console.yml +++ b/iiab-from-console.yml @@ -16,3 +16,4 @@ - { role: 7-edu-apps, tags: ['7-edu-apps'] } - { role: 8-mgmt-tools, tags: ['8-mgmt-tools'] } - { role: 9-local-addons, tags: ['9-local-addons'] } + - { role: network, tags: ['network'] } diff --git a/iiab-install b/iiab-install index 7ede032ab..32b2c1c64 100755 --- a/iiab-install +++ b/iiab-install @@ -70,15 +70,7 @@ fi # Stage 0 will always be run. From there on up to Stage 9 we keep a counter # (in /etc/iiab/iiab.env) of the highest completed Stage. Avoid repetition! STAGE=0 -if [ ! -f /etc/iiab/iiab.env ]; then - mkdir -p /etc/iiab - echo "Ran 'mkdir -p /etc/iiab'" - # ./runtags and Admin Console currently require /etc/iiab/config_vars.yml (in future they may be self-sufficient?) - if [ ! -f /etc/iiab/config_vars.yml ]; then - echo "{}" > /etc/iiab/config_vars.yml - echo "Created stub /etc/iiab/config_vars.yml" - fi -else +if [ -f /etc/iiab/iiab.env ]; then if [[ `grep STAGE= /etc/iiab/iiab.env` ]]; then source /etc/iiab/iiab.env echo "Extracted STAGE="$STAGE" (counter) from /etc/iiab/iiab.env" diff --git a/iiab-stages.yml b/iiab-stages.yml index 74af5c454..0f0d0ae56 100644 --- a/iiab-stages.yml +++ b/iiab-stages.yml @@ -68,3 +68,8 @@ name: 9-local-addons when: ansible_local.local_facts.stage|int < 9 tags: 9-local-addons + + - name: Network + include_role: + name: network + tags: network diff --git a/iiab.yml b/iiab.yml index d7055e91a..721203544 100644 --- a/iiab.yml +++ b/iiab.yml @@ -19,3 +19,4 @@ - { role: 7-edu-apps, tags: ['7-edu-apps'] } - { role: 8-mgmt-tools, tags: ['8-mgmt-tools'] } - { role: 9-local-addons, tags: ['9-local-addons'] } + - { role: network, tags: ['network'] } diff --git a/roles/0-init/tasks/first_run.yml b/roles/0-init/tasks/first_run.yml index 4248be004..0c3b01281 100644 --- a/roles/0-init/tasks/first_run.yml +++ b/roles/0-init/tasks/first_run.yml 
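Review bot: With the `mkdir -p /etc/iiab` branch removed from iiab-install, nothing visible in this commit creates the stub `/etc/iiab/config_vars.yml` any more, although the deleted comment says ./runtags and Admin Console currently require it. fl.yml now creates the directory, but only once Ansible runs, and no hunk recreates the file. If the stub is still needed, keep `mkdir -p /etc/iiab` and `[ -f /etc/iiab/config_vars.yml ] || echo "{}" > /etc/iiab/config_vars.yml` ahead of the `if`. The `if [ -f /etc/iiab/iiab.env ]` block continues outside the hunk.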
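Review bot: The new `Network` entry in iiab-stages.yml has no `when:` guard, unlike `9-local-addons` directly above it, which is skipped once `ansible_local.local_facts.stage|int < 9` is false, so the network role is re-applied on every pass. If that is intended, say so with a comment in the style already used elsewhere in the repo, for example `# has no "when:" stage guard: network is reconfigured on every run`.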
@@ -1,6 +1,5 @@ -- name: Write iiab_ini.yml for the first time - include_tasks: iiab_ini.yml - - name: Create the directory structure for IIAB include_tasks: fl.yml +- name: Write iiab_ini.yml for the first time + include_tasks: iiab_ini.yml diff --git a/roles/0-init/tasks/fl.yml b/roles/0-init/tasks/fl.yml index 3dd518df7..537029c48 100644 --- a/roles/0-init/tasks/fl.yml +++ b/roles/0-init/tasks/fl.yml @@ -5,6 +5,7 @@ mode=0755 state=directory with_items: + - /etc/iiab - "{{ yum_packages_dir }}" - "{{ pip_packages_dir }}" - "{{ downloads_dir }}" @@ -14,6 +15,7 @@ - /library/working/rachel - "{{ iiab_zim_path }}/content" - "{{ iiab_zim_path }}/index" + - "{{ doc_root }}/local_content" - "{{ doc_root }}/modules" - "{{ doc_root }}/common/css" - "{{ doc_root }}/common/js" diff --git a/roles/3-base-server/tasks/main.yml b/roles/3-base-server/tasks/main.yml index 9da79a5d8..7e972e04b 100644 --- a/roles/3-base-server/tasks/main.yml +++ b/roles/3-base-server/tasks/main.yml @@ -21,10 +21,6 @@ # has no "when: XXXXX_install" flag tags: base, mysql -- name: Make sure there is a content directory - file: dest={{ doc_root }}/local_content - state=directory - - name: Restart httpd service: name={{ apache_service }} state=restarted diff --git a/roles/4-server-options/tasks/main.yml b/roles/4-server-options/tasks/main.yml index 0b8ef0e10..addb76517 100644 --- a/roles/4-server-options/tasks/main.yml +++ b/roles/4-server-options/tasks/main.yml 
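Review bot: The swap in first_run.yml makes `iiab_ini.yml` depend on `fl.yml` having run first, presumably because fl.yml now creates `/etc/iiab` (added to its `with_items` in this commit), but nothing in the file records that ordering constraint. A one-line comment above the second task, such as `# must run after fl.yml, which creates /etc/iiab`, would stop a later reorder from breaking a first run.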
@@ -15,31 +15,31 @@ when: openvpn_install tags: openvpn -- name: Configuring wondershaper - include_tasks: roles/network/tasks/wondershaper.yml - when: wondershaper_install - tags: wondershaper, network +#- name: Configuring wondershaper +# include_tasks: roles/network/tasks/wondershaper.yml +# when: wondershaper_install +# tags: wondershaper, network -- name: Configuring named +- name: Installing named include_tasks: roles/network/tasks/named.yml - when: FQDN_changed - tags: named, network, domain + when: named_install + tags: base, named, network, domain -- name: Configuring dhcpd +- name: Installing dhcpd include_tasks: roles/network/tasks/dhcpd.yml - when: FQDN_changed - tags: dhcpd, network, domain + when: dhcpd_install + tags: base, dhcpd, network, domain -- name: Configuring Squid +- name: Installing Squid include_tasks: roles/network/tasks/squid.yml when: squid_install - tags: squid, network, domain + tags: base, squid, network, domain -- name: NETWORK - include_role: - name: network - # has no "when: XXXXX_install" flag - tags: base, network +#- name: NETWORK +# include_role: +# name: network +# # has no "when: XXXXX_install" flag +# tags: base, network - name: HOMEPAGE include_role: diff --git a/roles/network/tasks/detected_network.yml b/roles/network/tasks/detected_network.yml index 50636bb87..ff876f314 100644 --- a/roles/network/tasks/detected_network.yml +++ b/roles/network/tasks/detected_network.yml @@ -60,9 +60,10 @@ set_fact: wifi2: "{{ item|trim }}" discovered_wireless_iface: "{{ item|trim }}" - when: wireless_list2.stdout != "" and item|trim != discovered_wan_iface + when: wireless_list2.stdout is defined with_items: - "{{ wireless_list2.stdout_lines }}" +#item|trim != discovered_wan_iface - name: Count WiFi ifaces shell: "ls -la /sys/class/net/*/phy80211 | awk -F / '{print $5}' | wc -l" diff --git a/roles/network/tasks/enable_services.yml b/roles/network/tasks/enable_services.yml index e8e272a78..243342c15 100644 
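Review bot: In roles/4-server-options/tasks/main.yml the wondershaper and NETWORK tasks are commented out rather than deleted, which leaves dead YAML that still mentions `roles/network/tasks/wondershaper.yml` and the `network` role and will drift from the live copies now in roles/network/tasks/main.yml and iiab-stages.yml. Delete both blocks, or replace each with a single pointer comment such as `# wondershaper and the network role now run from roles/network (see iiab-stages.yml)`. The named and dhcpd includes also switch from `FQDN_changed` to `named_install` and `dhcpd_install`; no defaults for those two variables are visible in this diff, so confirm they are defined before this stage runs.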
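Review bot: The new `when: wireless_list2.stdout is defined` in detected_network.yml no longer excludes the WAN interface, and the old test survives only as the stray line `#item|trim != discovered_wan_iface` after `with_items`, which reads like a leftover rather than a decision. Because `set_fact` runs once per item, `discovered_wireless_iface` ends up as the last interface listed, which may now be the uplink. If that is wanted for the "RPi hack" tasks added in roles/network/tasks/main.yml, replace the fragment with a real comment, for example `# WAN iface is deliberately not excluded: main.yml compares discovered_wireless_iface with iiab_wan_iface`. Otherwise restore the `item|trim != discovered_wan_iface` clause.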
--- a/roles/network/tasks/enable_services.yml +++ b/roles/network/tasks/enable_services.yml @@ -1,3 +1,9 @@ +- name: Disable the Access Point 'hostapd' service + service: enabled=no + name=hostapd.service + when: not iiab_wireless_lan_iface is defined or iiab_network_mode == "Appliance" +#or not hostapd_enabled + - name: Disable dhcpd service service: name=dhcpd enabled=no @@ -46,7 +52,7 @@ when: not dnsmasq_enabled and dnsmasq_install - name: dnsmasq copy config file to /etc - template: src=network/dnsmasq.conf dest=/etc/ + template: src=network/dnsmasq.conf.j2 dest=/etc/ when: dnsmasq_enabled and dnsmasq_install - name: Enable dnsmasq diff --git a/roles/network/tasks/hostapd.yml b/roles/network/tasks/hostapd.yml index 199e0a883..2f8ac6c07 100644 --- a/roles/network/tasks/hostapd.yml +++ b/roles/network/tasks/hostapd.yml @@ -4,12 +4,20 @@ owner=root group=root mode=0644 + when: iiab_wireless_lan_iface is defined + +- name: Create a config template for hostapd + template: src=hostapd/iiab-hostapd.conf.j2 + dest=/etc/hostapd/hostapd.conf.template + owner=root + group=root + mode=0644 when: discovered_wireless_iface is defined - name: Disable the Access Point 'hostapd' service service: enabled=no name=hostapd.service - when: not iiab_wireless_lan_iface is defined or iiab_network_mode == "Appliance" or not hostapd_enabled + when: not hostapd_enabled - name: Use custom systemd unit file to start 'hostapd' service template: src=hostapd/hostapd.service.j2 @@ -17,6 +25,21 @@ owner=root group=root mode=0644 + when: hostapd_enabled + +- name: Use custom iiab-hotspot-on + template: src=network/iiab-hotspot-on + dest=/usr/bin/iiab-hotspot-on + owner=root + group=root + mode=0755 + +- name: Use custom iiab-hotspot-off + template: src=network/iiab-hotspot-off + dest=/usr/bin/iiab-hotspot-off + owner=root + group=root + mode=0755 - name: Enable the Access Point 'hostapd' service service: enabled=yes 
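Review bot: The new hostapd task in enable_services.yml sets `enabled=no` but no `state=stopped`, so in Appliance mode or with no wireless LAN interface defined, an access point that is already running stays up until the next reboot. Add `state=stopped` to the `service:` arguments, unless the running AP is kept on purpose for the `no_net_restart` case, in which case say so in a comment. The trailing `#or not hostapd_enabled` fragment should be removed or turned into a sentence. `iiab_wireless_lan_iface is not defined` would read more clearly than `not iiab_wireless_lan_iface is defined`.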
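Review bot: The added task in hostapd.yml writes `/etc/hostapd/hostapd.conf.template` with `mode=0644`, but the template it renders (iiab-hostapd.conf.j2, added in this commit) contains `wpa_passphrase={{ hostapd_password }}`, so the Wi-Fi pre-shared key becomes readable by every local account. Use `mode=0600` on this task. The first task in the hunk starts outside it but carries the same `mode=0644`; if it also renders the passphrase, it deserves the same change.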
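Review bot: The two `iiab-hotspot-on` and `iiab-hotspot-off` tasks in hostapd.yml have no `when:`, so the scripts land in /usr/bin on every platform even though they edit /etc/dhcpcd.conf and restart dhcpcd, which the rest of this commit treats as Raspberry Pi specific. Consider `when: is_rpi`, the variable roles/network/tasks/main.yml already uses, so the helpers are not offered where they can only fail part-way. The scripts contain no Jinja expressions, so `copy:` instead of `template:` would also keep a future `{{` in them from being interpreted by accident.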
diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index 675dd805c..77b131b71 100644 --- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -8,12 +8,31 @@ - network - network-discover +- name: RPi hack for AP post install via wifi so the services are right + set_fact: + iiab_lan_iface: br0 + iiab_wan_iface: "{{ discovered_wired_iface }}" + iiab_wireless_lan_iface: "{{ discovered_wireless_iface }}" + iiab_wired_lan_iface: "" + when: is_rpi and discovered_wireless_iface is defined and discovered_wireless_iface == iiab_wan_iface + - include_tasks: computed_network.yml when: not installing tags: - network - network-discover +- include_tasks: hostapd.yml + tags: + - network + - AP + +- name: RPi hack for AP post install via wifi don't blow away current network + set_fact: + no_net_restart: True + hostapd_enabled: False + when: is_rpi and discovered_wireless_iface is defined and discovered_wired_iface != iiab_wan_iface + ##### Start static ip address info for first run ##### #- include_tasks: static.yml # when: 'iiab_wan_iface != "none" and wan_ip != "dhcp"' @@ -25,16 +44,28 @@ - hostname - domain +- name: Configuring wondershaper + include_tasks: wondershaper.yml + when: wondershaper_install + tags: wondershaper, network + +- name: (Re)Installing named + include_tasks: named.yml + when: FQDN_changed and iiab_stage|int == 9 + +- name: (Re)Installing dhcpd + include_tasks: dhcpd.yml + when: FQDN_changed and iiab_stage|int == 9 + +- name: (Re)Installing Squid + include_tasks: squid.yml + when: FQDN_changed and squid_install and iiab_stage|int == 9 + #### start services - include_tasks: avahi.yml tags: - network -- include_tasks: hostapd.yml - tags: - - network - - AP - - include_tasks: computed_services.yml tags: - network @@ -42,7 +73,7 @@ - dhcpd - dnsmasq - squid - + - include_tasks: enable_services.yml tags: - network @@ -97,3 +128,4 @@ - dhcpd - dnsmasq - squid + - AP 
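Review bot: The two "RPi hack" tasks in roles/network/tasks/main.yml are hard to reason about together: the first fires on `discovered_wireless_iface == iiab_wan_iface` and then overwrites `iiab_wan_iface` with `discovered_wired_iface`, while the second tests `discovered_wired_iface != iiab_wan_iface`, a value the first task (and possibly computed_network.yml) has just changed. `discovered_wired_iface` is read in both without an `is defined` guard, which looks like it would fail on a board with no wired interface detected. hostapd.yml is now included before `hostapd_enabled: False` is set, so its `when: hostapd_enabled` tasks still see the earlier value. Each task needs a comment stating the situation it detects and why the include sits between them; adding `discovered_wired_iface is defined` to both `when:` lines would make the failure mode explicit.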
diff --git a/roles/network/templates/hostapd/iiab-hostapd.conf.j2 b/roles/network/templates/hostapd/iiab-hostapd.conf.j2
new file mode 100644
index 000000000..5ee541281
--- /dev/null
+++ b/roles/network/templates/hostapd/iiab-hostapd.conf.j2
@@ -0,0 +1,32 @@
+# Basic configuration
+
+interface={{ discovered_wireless_iface }}
+
+ssid={{ host_ssid }}
+channel={{ host_channel }}
+{%if iiab_lan_iface == "br0" %}
+bridge=br0
+{% endif %}
+
+# Hardware configuration
+driver={{ driver_name }}
+{%if host_wireless_n %}
+ieee80211n=1
+{% endif %}
+country_code={{ host_country_code }}
+# limit emissions to what is legal in country
+ieee80211d=1
+hw_mode={{ host_wifi_mode }}
+
+{%if hostapd_secure %}
+# Use WPA authentication
+auth_algs=1
+# Use WPA2
+wpa=2
+# Use a pre-shared key
+wpa_key_mgmt=WPA-PSK
+# The network passphrase
+wpa_passphrase={{ hostapd_password }}
+# Use AES, instead of TKIP
+rsn_pairwise=CCMP
+{% endif %}
diff --git a/roles/network/templates/network/dnsmasq.conf.j2 b/roles/network/templates/network/dnsmasq.conf.j2
new file mode 100644
index 000000000..3a6365850
--- /dev/null
+++ b/roles/network/templates/network/dnsmasq.conf.j2
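Review bot: In iiab-hostapd.conf.j2, `wpa_passphrase={{ hostapd_password }}` is rendered with no check that the value is a valid WPA2 passphrase (8 to 63 characters), so a short or empty password is only discovered when hostapd refuses to start. When `hostapd_secure` is false the whole WPA block is skipped, and the access point comes up open without the rendered file saying so. I would add a guard task before the template is written, `assert: that: hostapd_password|length >= 8 and hostapd_password|length <= 63` under `when: hostapd_secure`. I would also add an `{% else %}` branch holding the comment `# hostapd_secure is false: open network, no encryption`. Because this file holds the pre-shared key, the task that installs it should not use a world-readable mode.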
@@ -0,0 +1,20 @@
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+# Add other name servers here, with domain specs if they are for non-public domains.
+#server=/{{ iiab_domain }}/{{ iiab_hostname }}
+# Add local-only domains here, queries in these domains are answered from /etc/hosts or DHCP only.
+local=/{{ iiab_domain }}/
+# Make all host names resolve to the Raspberry Pi's IP address
+address=/#/{{ lan_ip }}
+# Specify the interface that will listen for DHCP and DNS requests
+interface={{ iiab_lan_iface }}
+# Set the domain for dnsmasq
+domain={{ iiab_domain }}
+# Specify the range of IP addresses the DHCP server will lease out to devices, and the duration of the lease
+dhcp-range=172.18.100.1,172.18.126.254,1h
+# Specify the default route
+dhcp-option=3,{{ lan_ip }}
+# Specify the DNS server address
+dhcp-option=6,{{ lan_ip }}
+# Set the DHCP server to authoritative mode.
+dhcp-authoritative
diff --git a/roles/network/templates/network/iiab-hotspot-off b/roles/network/templates/network/iiab-hotspot-off
new file mode 100755
index 000000000..ca266dcb5
--- /dev/null
+++ b/roles/network/templates/network/iiab-hotspot-off
@@ -0,0 +1,7 @@
+#!/bin/bash
+sed -i -e "s/^denyinterfaces*/#denyinterfaces/" /etc/dhcpcd.conf
+systemctl disable hostapd
+systemctl stop hostapd
+systemctl daemon-reload
+systemctl restart dhcpcd
+systemctl restart networking
diff --git a/roles/network/templates/network/iiab-hotspot-on b/roles/network/templates/network/iiab-hotspot-on
new file mode 100755
index 000000000..0f1310110
--- /dev/null
+++ b/roles/network/templates/network/iiab-hotspot-on
@@ -0,0 +1,7 @@
+#!/bin/bash
+sed -i -e "s/#denyinterfaces*/denyinterfaces/" /etc/dhcpcd.conf
+systemctl enable hostapd
+systemctl daemon-reload
+systemctl restart dhcpcd
+systemctl restart networking
+systemctl start hostapd
diff --git a/roles/network/templates/network/rpi.j2 b/roles/network/templates/network/rpi.j2
index b426fa81e..4b8f86e9f 100644
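Review bot: In dnsmasq.conf.j2, `dhcp-range=172.18.100.1,172.18.126.254,1h` is hard-coded while the router and DNS options below it use `{{ lan_ip }}`, so a site that sets `lan_ip` outside that 172.18 block will hand out leases that cannot reach their own gateway. The range should be derived from the same variable or from dedicated range variables. `address=/#/{{ lan_ip }}` answers every DNS name with the server's own address, which suits an offline appliance but would break name resolution for clients when the box is acting as a gateway. The comment above that line should state which network modes this file is meant for, and should drop "Raspberry Pi's" since nothing in the template is RPi specific.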
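Review bot: Neither iiab-hotspot-off nor iiab-hotspot-on stops on error, so a failed `sed` on /etc/dhcpcd.conf is still followed by the dhcpcd and networking restarts and the interface can come back half-configured. Adding `set -euo pipefail` after the shebang in both scripts fixes that. The sed patterns are also looser than intended: `denyinterfaces*` means "denyinterface followed by any number of s", and the pattern in iiab-hotspot-on is unanchored, so it rewrites `#denyinterfaces` wherever it appears on a line. Use `s/^denyinterfaces/#denyinterfaces/` in the off script and `s/^#denyinterfaces/denyinterfaces/` in the on script.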
--- a/roles/network/templates/network/rpi.j2 +++ b/roles/network/templates/network/rpi.j2 @@ -5,8 +5,9 @@ ################# LANCONTROLLER ################### auto br0 iface br0 inet manual - bridge_ports {% if iiab_wireless_lan_iface is defined %}{{ iiab_wireless_lan_iface }}{% endif %} {% if iiab_wired_lan_iface is defined %} {{ iiab_wired_lan_iface }}{% endif %} - +{% if iiab_wired_lan_iface is defined %} + bridge_ports {{ iiab_wired_lan_iface }} +{% endif %} bridge_maxwait 0 dns-nameservers 127.0.0.1 dns-search {{ iiab_domain }}
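Review bot: In rpi.j2 the new guard `{% if iiab_wired_lan_iface is defined %}` is also true for an empty string, and the "RPi hack" task added to roles/network/tasks/main.yml in this commit sets `iiab_wired_lan_iface: ""`, so that path renders a bare `bridge_ports ` line with no port. Test for a non-empty value and fall back to an explicit empty bridge: `{% if iiab_wired_lan_iface is defined and iiab_wired_lan_iface != "" %}` with `{% else %}` followed by `bridge_ports none`. The fallback also keeps br0 declared as a bridge when no wired port exists, which I believe ifupdown needs before hostapd's `bridge=br0` can attach the wireless interface; please confirm on a Wi-Fi-only board.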