2025-03-09 15:40:17 +00:00
247 changed files with 1875 additions and 5975 deletions
--- a/.github/workflows/10min-iiab-test-install.yml
+++ b/.github/workflows/10min-iiab-test-install.yml
@ -1,58 +0,0 @@
 name: '"10 min" IIAB on Ubuntu 24.04 on x86-64'
 # run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
 # https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/ci-cd/github-actions/triggers.html
 on: [push, pull_request, workflow_dispatch]
 # on:
 #   push:
 #
 #   pull_request:
 #
 #   # Allows you to run this workflow manually from the Actions tab
 #   workflow_dispatch:
 #
 #   # Set your workflow to run every day of the week from Monday to Friday at 6:00 UTC
 #   schedule:
 #     - cron: "0 6 * * 1-5"
 jobs:
  test-install:
    runs-on: ubuntu-24.04
    steps:
      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
      #- name: Dump GitHub context (typically almost 500 lines)
      #  env:
      #    GITHUB_CONTEXT: ${{ toJSON(github) }}
      #  run: echo "$GITHUB_CONTEXT"
      - name: Check out repository code
        uses: actions/checkout@v4
      - run: echo "🍏 This job's status is ${{ job.status }}."
      - name: GitHub Actions "runner" environment
        run: |
          uname -a    # uname -srm
          whoami      # Typically 'runner' instead of 'root'
          pwd         # /home/runner/work/iiab/iiab == $GITHUB_WORKSPACE == ${{ github.workspace }}
          # ls
          # ls $GITHUB_WORKSPACE
          # ls ${{ github.workspace }}
          # ls -la /opt    # az, containerd, google, hostedtoolcache, microsoft, mssql-tools, pipx, pipx_bin, post-generation, runner, vsts
          # apt update
          # apt dist-upgrade -y
          # apt autoremove -y
      - name: Set up /opt/iiab/iiab
        run: |
          mkdir /opt/iiab
          mv $GITHUB_WORKSPACE /opt/iiab
          mkdir $GITHUB_WORKSPACE    # OR SUBSEQUENT STEPS WILL FAIL ('working-directory: /opt/iiab/iiab' hacks NOT worth it!)
      - name: Set up /etc/iiab/local_vars.yml
        run: |
          sudo mkdir /etc/iiab
          # touch /etc/iiab/local_vars.yml
          sudo cp /opt/iiab/iiab/vars/local_vars_none.yml /etc/iiab/local_vars.yml
      - run: sudo /opt/iiab/iiab/scripts/ansible
      - run: sudo ./iiab-install
        working-directory: /opt/iiab/iiab
      - run: iiab-summary
      - run: cat /etc/iiab/iiab_state.yml
--- a/.github/workflows/30min-iiab-test-install-deb12-on-rpi3.yml
+++ b/.github/workflows/30min-iiab-test-install-deb12-on-rpi3.yml
@ -1,65 +0,0 @@
 name: '"30 min" IIAB on Debian 12 on RPi 3'
 # run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
 # https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/ci-cd/github-actions/triggers.html
 on: [push, pull_request, workflow_dispatch]
 # on:
 #   push:
 #
 #   pull_request:
 #
 #   # Allows you to run this workflow manually from the Actions tab
 #   workflow_dispatch:
 #
 #   # Set your workflow to run every day of the week from Monday to Friday at 6:00 UTC
 #   schedule:
 #     - cron: "0 6 * * 1-5"
 jobs:
  test-install:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        arch: [debian12]
        include:
        - arch: debian12
          cpu: cortex-a7
          cpu_info: cpuinfo/raspberrypi_3b
          base_image: https://raspi.debian.net/daily/raspi_3_bookworm.img.xz
          # source https://raspi.debian.net/daily-images/
    steps:
      #- run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
      #- run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
      #- name: Dump GitHub context (typically almost 500 lines)
      #  env:
      #    GITHUB_CONTEXT: ${{ toJSON(github) }}
      #  run: echo "$GITHUB_CONTEXT"
      - name: Dump matrix context
        env:
          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
        run: echo "$MATRIX_CONTEXT"
      - uses: actions/checkout@v3.1.0
      - uses: pguyot/arm-runner-action@v2
        with:
          image_additional_mb: 1024
          base_image: ${{ matrix.base_image }}
          cpu: ${{ matrix.cpu }}
          cpu_info: ${{ matrix.cpu_info }}
          copy_repository_path: /opt/iiab/iiab
          commands: |
              echo "🍏 This job's status is ${{ job.status }}."
              grep Model /proc/cpuinfo
              uname -a    # uname -srm
              whoami      # Typically 'root' instead of 'runner'
              pwd         # /home/runner/work/iiab/iiab == $GITHUB_WORKSPACE == ${{ github.workspace }}
              apt-get update -y --allow-releaseinfo-change
              apt-get install --no-install-recommends -y git
              ls /opt/iiab/iiab
              mkdir /etc/iiab
              cp /opt/iiab/iiab/vars/local_vars_none.yml /etc/iiab/local_vars.yml
              /opt/iiab/iiab/scripts/ansible
              ./iiab-install
              cd /opt/iiab/iiab
              iiab-summary
              cat /etc/iiab/iiab_state.yml
--- a/.github/workflows/30min-iiab-test-install-raspios-on-zero2w.yml
+++ b/.github/workflows/30min-iiab-test-install-raspios-on-zero2w.yml
@ -1,77 +0,0 @@
 name: '"30 min" IIAB on RasPiOS on Zero 2 W'
 # run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
 # https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/ci-cd/github-actions/triggers.html
 on: [push, pull_request, workflow_dispatch]
 # on:
 #   push:
 #
 #   pull_request:
 #
 #   # Allows you to run this workflow manually from the Actions tab
 #   workflow_dispatch:
 #
 #   # Set your workflow to run every day of the week from Monday to Friday at 6:00 UTC
 #   schedule:
 #     - cron: "0 6 * * 1-5"
 jobs:
  test-install:
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        arch: [aarch64] #[zero_raspbian, zero_raspios, zero2_raspios, aarch64]
        include:
        #- arch: zero_raspbian
        #  cpu: arm1176
        #  cpu_info: cpuinfo/raspberrypi_zero_w
        #  base_image: raspbian_lite:latest
        #- arch: zero_raspios
        #  cpu: arm1176
        #  cpu_info: cpuinfo/raspberrypi_zero_w
        #  base_image: raspios_lite:latest
        #- arch: zero2_raspios
        #  cpu: cortex-a7
        #  cpu_info: cpuinfo/raspberrypi_zero2_w
        #  base_image: raspios_lite:latest
        - arch: aarch64
          cpu: cortex-a53
          cpu_info: cpuinfo/raspberrypi_zero2_w_arm64
          base_image: raspios_lite_arm64:latest
    steps:
      #- run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
      #- run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
      #- name: Dump GitHub context (typically almost 500 lines)
      #  env:
      #    GITHUB_CONTEXT: ${{ toJSON(github) }}
      #  run: echo "$GITHUB_CONTEXT"
      - name: Dump matrix context
        env:
          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
        run: echo "$MATRIX_CONTEXT"
      - uses: actions/checkout@v3.1.0
      - uses: pguyot/arm-runner-action@v2
        with:
          image_additional_mb: 1024
          base_image: ${{ matrix.base_image }}
          cpu: ${{ matrix.cpu }}
          cpu_info: ${{ matrix.cpu_info }}
          copy_repository_path: /opt/iiab/iiab
          commands: |
              echo "🍏 This job's status is ${{ job.status }}."
              #test `uname -m` = ${{ matrix.arch }}
              grep Model /proc/cpuinfo
              uname -a    # uname -srm
              whoami      # Typically 'root' instead of 'runner'
              pwd         # /home/runner/work/iiab/iiab == $GITHUB_WORKSPACE == ${{ github.workspace }}
              apt-get update -y --allow-releaseinfo-change
              apt-get install --no-install-recommends -y git
              ls /opt/iiab/iiab
              mkdir /etc/iiab
              cp /opt/iiab/iiab/vars/local_vars_none.yml /etc/iiab/local_vars.yml
              /opt/iiab/iiab/scripts/ansible
              ./iiab-install
              cd /opt/iiab/iiab
              iiab-summary
              cat /etc/iiab/iiab_state.yml
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,3 +1,3 @@
-# SEE THE NEW<br>[github.com/iiab/iiab/wiki/Contributors-Guide-(EN)](https://github.com/iiab/iiab/wiki/Contributors-Guide-(EN))
+# SEE THE NEW<br>[github.com/iiab/iiab/wiki/IIAB-Contributors-Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide)
 # THANKS!
--- a/LICENSING.md
+++ b/LICENSING.md
@ -15,6 +15,6 @@ this is to include the following two lines at the top of the file:
    Licensed under the terms of the GNU GPL v2 or later; see LICENSE for details.
 All files not containing an explicit copyright notice or terms of license in
-the file are Copyright © 2015-2025, Unleash Kids, and are licensed under the
+the file are Copyright © 2015-2022, Unleash Kids, and are licensed under the
 terms of the GPLv2 license in the file named LICENSE in the root of the
 repository.
--- a/README.md
+++ b/README.md
@ -2,26 +2,26 @@
 # Internet-in-a-Box (IIAB)
-[Internet-in-a-Box (IIAB)](https://internet-in-a-box.org) is a “learning hotspot” that brings the Internet's crown jewels
+[Internet-in-a-Box (IIAB)](https://internet-in-a-box.org) is a "learning hotspot" that brings the Internet's crown jewels
-(Wikipedia in any language, thousands of Khan Academy videos, zoomable OpenStreetMap, electronic books, WordPress journaling, “Toys from Trash” electronics projects, ETC) to those without Internet.
+(Wikipedia in any language, thousands of Khan Academy videos, zoomable OpenStreetMap, electronic books, WordPress journaling, Toys from Trash electronics projects, ETC) to those without Internet.
 You can build your own tiny, affordable server (an offline digital library) for your school, your medical clinic, your prison, your region and/or your very own family — accessible with any nearby smartphone, tablet or laptop.
 Internet-in-a-Box gives you the DIY tools to:
 1. Download then drag-and-drop to arrange the [very best of the World’s Free Knowledge](https://internet-in-a-box.org/#quality-content).
-2. Choose among [30+ powerful educational apps](https://wiki.iiab.io/go/FAQ#What_services_%28IIAB_apps%29_are_suggested_during_installation%3F) for your school or learning/teaching community, optionally with a complete LMS (learning management system).
+2. Choose among [30+ powerful educational apps](https://wiki.iiab.io/go/FAQ#What_services_.28IIAB_apps.29_are_suggested_during_installation.3F) for your school or learning/teaching community, optionally with a complete LMS (learning management system).
 3. Exchange local/indigenous knowledge with nearby communities, using our [Manage Content](https://github.com/iiab/iiab-admin-console/blob/master/roles/console/files/help/InstContent.rst#manage-content) interface and possible mesh networking.
-FYI this [community product](https://en.wikipedia.org/wiki/Internet-in-a-Box) is enabled by professional volunteers working [side-by-side](https://wiki.iiab.io/go/FAQ#What_are_the_best_places_for_community_support%3F) with schools, clinics and libraries around the world.  *Thank you for being a part of our http://OFF.NETWORK grassroots technology [movement](https://meta.wikimedia.org/wiki/Internet-in-a-Box)!*
+FYI this [community product](https://en.wikipedia.org/wiki/Internet-in-a-Box) is enabled by professional volunteers working [side-by-side](https://wiki.iiab.io/go/FAQ#What_are_the_best_places_for_community_support.3F) with schools, clinics and libraries around the world.  *Thank you for being a part of our http://OFF.NETWORK grassroots technology [movement](https://meta.wikimedia.org/wiki/Internet-in-a-Box)!*
 ## Installation
-Install Internet-in-a-Box (IIAB) from: [**download.iiab.io**](https://download.iiab.io/)
+Install Internet-in-a-Box (IIAB) from [download.iiab.io](https://download.iiab.io/)
-Please see [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ) which has 50+ questions and answers to help you along the way (e.g. [“Is a quick installation possible?”](https://wiki.iiab.io/go/FAQ#Is_a_quick_installation_possible%3F)) as you put together the <!--digital--> “local learning hotspot” most suitable for your own teaching/learning community.  Here are 2 ways to install IIAB:
+Please see [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ) which has 40+ questions and answers to help you along the way, as you put together the <!--digital--> "local learning hotspot" most suitable for your own teaching/learning community.  Here are 2 ways to install IIAB:
 - Our [1-line installer](https://download.iiab.io/) gets you the very latest, typically within about an hour, on [different Linux distributions](https://github.com/iiab/iiab/wiki/IIAB-Platforms#operating-systems).
- [Prefab disk images](https://github.com/iiab/iiab/wiki/Raspberry-Pi-Images-~-Summary#iiab-images-for-raspberry-pi) ([.img files](https://archive.org/search.php?query=iiab%20.img&sort=-publicdate)) are sometimes a few months out of date, but can be flashed directly onto a microSD card, for insertion into Raspberry Pi.
+- [Prefab disk images](https://github.com/iiab/iiab/wiki/Raspberry-Pi-Images:-Summary#iiab-images-for-raspberry-pi) ([.img files](https://archive.org/search.php?query=iiab%20.img&sort=-publicdate)) are sometimes a few months out of date, but can be flashed directly onto a microSD card, for insertion into Raspberry Pi.
 Our [HOW-TO videos](https://www.youtube.com/channel/UC0cBGCxr_WPBPa3IqPVEe3g) can be very helpful and the [Installation](https://github.com/iiab/iiab/wiki/IIAB-Installation) wiki page has more intricate details e.g. if you're trying to install Internet-in-a-Box (IIAB) onto a [another Linux](https://github.com/iiab/iiab/wiki/IIAB-Platforms) that has not yet been tried.
@ -29,22 +29,22 @@ See our [Tech Docs Wiki](https://github.com/iiab/iiab/wiki) for more about the u
 After you've installed the software, you should [add content](https://github.com/iiab/iiab/wiki/IIAB-Installation#add-content), which can of course take time when downloading multi-gigabyte Content Packs!
-Finally, you can [customize your Internet-in-a-Box home page](https://wiki.iiab.io/go/FAQ#How_do_I_customize_my_Internet-in-a-Box_home_page%3F) (typically http://box or http://box.lan) using our **drag-and-drop** Admin Console (http://box.lan/admin) &mdash; to arrange Content Packs and IIAB Apps (services) for your local community's needs.
+Finally, you can [customize your Internet-in-a-Box home page](https://wiki.iiab.io/go/FAQ#How_do_I_customize_my_Internet-in-a-Box_home_page.3F) (typically http://box or http://box.lan) using our **drag-and-drop** Admin Console (http://box.lan/admin) &mdash; to arrange Content Packs and IIAB Apps (services) for your local community's needs.
 ## Community
 Global community updates and videos are regularly posted to: **[@internet_in_box](https://twitter.com/internet_in_box)**
-_Internet-in-a-Box (IIAB) greatly welcomes contributions from educators, librarians and [IT/UX/QA people](https://github.com/iiab/iiab/wiki/Contributors-Guide-(EN)) ([versión en español](https://github.com/iiab/iiab/wiki/Gu%C3%ADa-para-Contribuidores-(ES))) of all kinds!_
+_Internet-in-a-Box (IIAB) greatly welcomes contributions from educators, librarians and [IT/UX/QA people](https://github.com/iiab/iiab/wiki/Technical-Contributors-Guide) of all kinds!_
-If you would like to volunteer, please [make contact](https://internet-in-a-box.org/contributing.html) after looking over [“How can I help?”](https://wiki.iiab.io/go/FAQ#How_can_I_help%3F) at: [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ)
+If you would like to volunteer, please [make contact](https://internet-in-a-box.org/contributing.html) after looking over "[How can I help?](https://wiki.iiab.io/go/FAQ#How_can_I_help.3F)" at: [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ)
 <!-- To learn about our software architecture, check out our [Contributors Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide).-->
-To learn more about our open community architecture for “offline” learning, check out [“What technical documentation exists?”](https://wiki.iiab.io/go/FAQ#What_technical_documentation_exists%3F)
+To learn more about our open community architecture for "offline" learning, check out "[What technical documentation exists?](https://wiki.iiab.io/go/FAQ#What_technical_documentation_exists.3F)"
-FYI we use [Ansible](https://wiki.iiab.io/go/FAQ#What_is_Ansible_and_what_version_should_I_use%3F) <!--as the underlying technology--> to install, deploy, configure and manage the various software components.
+FYI we use [Ansible](https://wiki.iiab.io/go/FAQ#What_is_Ansible_and_what_version_should_I_use.3F) <!--as the underlying technology--> to install, deploy, configure and manage the various software components.
-*Thank you for helping us enable offline access to the Internet's free/open knowledge jewels, as well as “Sneakernet-of-Alexandria” distribution of local/indigenous content, when mass media channels do not serve grassroots voices.*
+*Thank you for helping us enable offline access to the Internet's free/open knowledge jewels, as well as "Sneakernet-of-Alexandria" distribution of local/indigenous content, when mass media channels do not serve grassroots voices.*
 ## Versions
--- a/ansible.cfg
+++ b/ansible.cfg
@ -5,4 +5,4 @@
 # Disallowed by Ansible 2.11+ -- see https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
 #squash_actions = apk, apt, dnf, homebrew, openbsd_pkg, pacman, pkgng, yum, zypper, package
 [defaults]
-interpreter_python=/usr/local/ansible/bin/python3
+interpreter_python=/usr/bin/python3
--- a/2
+++ b/2
@ -11,7 +11,7 @@ CWD=`pwd`
 OS=`grep ^ID= /etc/os-release | cut -d= -f2`
 OS=${OS//\"/}    # Remove all '"'
 MIN_RPI_KERN=5.4.0         # Do not use 'rpi-update' unless absolutely necessary: https://github.com/iiab/iiab/issues/1993
-MIN_ANSIBLE_VER=2.16.14    # 2024-11-08: ansible-core 2.15 EOL is November 2024 per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix  2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
+MIN_ANSIBLE_VER=2.11.12    # 2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
 REINSTALL=false
 DEBUG=false
--- a/2
+++ b/2
@ -42,7 +42,7 @@ fi
 echo "Ansible will now run iiab-network.yml -- log file is iiab-network.log"
 Start=`date`
 ansible -m setup -i ansible_hosts localhost --connection=local | grep python
-ansible-playbook -i ansible_hosts iiab-network.yml --extra-vars "{\"skip_role_on_error\":false}" --connection=local
+ansible-playbook -i ansible_hosts iiab-network.yml --connection=local
 End=`date`
--- a/roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml
+++ b/roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml
@ -8,7 +8,7 @@
 # apache_interface: 127.0.0.1
 # Make this False to disable http://box/common/services/power_off.php button:
-# allow_www_data_poweroff: False
+# apache_allow_sudo: True
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
--- a/roles/0-init/tasks/create_iiab_ini.yml
+++ b/roles/0-init/tasks/create_iiab_ini.yml
@ -1,26 +1,13 @@
- name: Record disk_used_a_priori (permanently, into {{ iiab_ini_file }} below) to later estimate iiab_software_disk_usage
+# workaround for fact that auto create does not work on iiab_ini_file (/etc/iiab/iiab.ini)
  shell: df -B1 --output=used / | tail -1
  register: df1
 # workaround for fact that auto create does not work on iiab_ini_file
 - name: Create {{ iiab_ini_file }}
  file:
-    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    path: "{{ iiab_ini_file }}"
    state: touch
- name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NOT enough!)
+- name: Add 'location' variable values to {{ iiab_ini_file }}
  command: dpkg --print-architecture
  register: dpkg_arch
 - name: Run command 'dpkg --print-foreign-architectures' (secondary OS arch, if available)
  command: dpkg --print-foreign-architectures
  register: dpkg_foreign_arch
 - name: Add 'summary' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
-    section: summary
+    section: location
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
@ -28,30 +15,18 @@
      value: "{{ iiab_base }}"
    - option: iiab_dir
      value: "{{ iiab_dir }}"
    - option: disk_used_a_priori
      value: "{{ df1.stdout }}"
- name: Add 'initial' variable values to {{ iiab_ini_file }}
+- name: Add 'version' variable values to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"
-    section: initial
+    section: version
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: os_ver
      value: "{{ os_ver }}"
    - option: distribution
-      value: "{{ ansible_facts['distribution'] }}"
+      value: "{{ ansible_distribution }}"
    - option: arch
      value: "{{ ansible_architecture }}"
    - option: dpkg_arch
      value: "{{ dpkg_arch.stdout }}"
    - option: dpkg_foreign_arch
      value: "{{ dpkg_foreign_arch.stdout }}"
    - option: rpi_model
      value: "{{ rpi_model }}"
    - option: devicetree_model
      value: "{{ devicetree_model }}"
    - option: iiab_base_ver
      value: "{{ iiab_base_ver }}"
    - option: iiab_remote_url
@ -64,3 +39,7 @@
      value: "{{ ansible_local.local_facts.iiab_recent_tag }}"
    - option: install_date
      value: "{{ ansible_date_time.iso8601 }}"
    - option: rpi_model
      value: "{{ rpi_model }}"
    - option: devicetree_model
      value: "{{ devicetree_model }}"
--- a/roles/0-init/tasks/main.yml
+++ b/roles/0-init/tasks/main.yml
@ -34,23 +34,14 @@
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
- name: Copy iiab-update & iiab-summary & iiab-diagnostics & iiab-root-login from /opt/iiab/iiab/scripts/ to /usr/bin/
+- name: Copy iiab-summary & iiab-diagnostics from /opt/iiab/iiab/scripts/ to /usr/bin/
  copy:
    src: "{{ iiab_dir }}/scripts/{{ item }}"
    dest: /usr/bin/
    mode: '0755'
  with_items:
    - iiab-update
    - iiab-summary
    - iiab-diagnostics
    - iiab-root-login
 - name: Symlink /usr/bin/iiab-upgrade -> /usr/bin/iiab-update
  file:
    src: /usr/bin/iiab-update
    path: /usr/bin/iiab-upgrade
    state: link
    #force: yes
 - name: Create globally-writable directory /etc/iiab/diag (0777) so non-root users can run 'iiab-diagnostics'
  file:
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@ -64,19 +64,19 @@
 # 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
- name: Set vars_checklist for 45 + 45 + 40 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 44 + 44 + 40 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
  set_fact:
    vars_checklist:
      - hostapd
      - dnsmasq
      - bluetooth
      - sshd
-      #- openvpn            # Deprecated
+      - openvpn
      - tailscale
      - remoteit
      - admin_console
      #- nginx              # MANDATORY
      #- apache             # Unmaintained - former dependency
      #- mysql              # MANDATORY
      - squid
      - cups
      - samba
@ -85,7 +85,6 @@
      - gitea
      - jupyterhub
      - lokole
      - mysql               # Dependency - excluded from _installed check below
      - mediawiki
      - mosquitto
      - nodejs              # Dependency - excluded from _installed check below
@ -156,41 +155,23 @@
    that: "{{ item }}_install or {{ item }}_installed is undefined"
    fail_msg: "DISALLOWED: '{{ item }}_install: False' (e.g. in /etc/iiab/local_vars.yml) WHEN '{{ item }}_installed' is defined (e.g. in /etc/iiab/iiab_state.yml) -- IIAB DOES NOT SUPPORT UNINSTALLS -- please verify those 2 files especially, and other places variables are defined?"
    quiet: yes
-  when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn'    # Exclude auto-installed dependencies
+  when: item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn'    # Exclude auto-installed dependencies
  loop: "{{ vars_checklist }}"
 - name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked
  set_fact:
    vars_deprecated_list:
      - dhcpd               # Deprecated
      - named               # Deprecated
      - wondershaper        # Deprecated
      - dansguardian        # Deprecated
      #- xo_services        # Unmaintained
      #- activity_server    # Unmaintained
      #- ejabberd_xs        # Unmaintained
      #- idmgr              # Unmaintained
      #- dokuwiki           # Unmaintained
      #- ejabberd           # Unmaintained
      #- elgg               # Unmaintained
 - name: 'DISALLOW "XYZ_install: True" if deprecated'
  assert:
    that: "{{ item }}_install is undefined or not {{ item }}_install"
    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
    quiet: yes
-  loop: "{{ vars_deprecated_list }}"
+  with_items:
-  # 2023-12-04: ansible-core 2.16.1 suddenly no longer allows 'assert' with
+    - dhcpd               # Deprecated
-  # 'with_items' below (whereas 'loop' construct above works!)  BACKGROUND:
+    - named               # Deprecated
-  #
+    - wondershaper        # Deprecated
-  #  'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
+    - dansguardian        # Deprecated
-  #  conditional expressions with embedded template blocks can fail with the
+    #- xo_services        # Unmaintained
-  #  message “Conditional is marked as unsafe, and cannot be evaluated.”'
+    #- activity_server    # Unmaintained
-  #  https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook
+    #- ejabberd_xs        # Unmaintained
-  #
+    #- idmgr              # Unmaintained
-  # with_items:
+    #- dokuwiki           # Unmaintained
-  #   - dhcpd               # Deprecated
+    #- ejabberd           # Unmaintained
-  #   - named               # Deprecated
+    #- elgg               # Unmaintained
  #   - wondershaper        # Deprecated
  #   - dansguardian        # Deprecated
--- a/roles/1-prep/README.adoc
+++ b/roles/1-prep/README.adoc
@ -6,7 +6,7 @@ https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible[stage]
 hardware, low-level OS quirks, and basic security:
 * SSHD
-* Tailscale if/as needed later for remote support
+* OpenVPN if/as needed later for remote support
 * https://github.com/iiab/iiab/tree/master/roles/iiab-admin#iiab-admin-readme[iiab-admin]
 username and group, to log into Admin Console
 * dnsmasq (install now, configure later!)
--- a/roles/1-prep/tasks/hardware.yml
+++ b/roles/1-prep/tasks/hardware.yml
@ -7,18 +7,17 @@
  when: first_run and rpi_model != "none"
-# 2024-02-09: Code below appears stale for Shanti's #3707 hardware
+- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
-#- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
-#  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+  register: usb_NUC6
-#  register: usb_NUC6
+  ignore_errors: True
-#  ignore_errors: True
+
-#
+- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6
-#- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6
+  get_url:
-#  get_url:
+    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"    # https://download.iiab.io/packages
-#    url: "{{ iiab_download_url }}/Old/iwlwifi-8000C-13.ucode"    # https://download.iiab.io/packages
+    dest: /lib/firmware
-#    dest: /lib/firmware
+    timeout: "{{ download_timeout }}"
-#    timeout: "{{ download_timeout }}"
+  when: usb_NUC6.stdout|int > 0
 #  when: usb_NUC6.stdout|int > 0
 - name: "Look for any WiFi devices present: ls -la /sys/class/net/*/phy80211 | cut -d/ -f5"
--- a/roles/1-prep/tasks/main.yml
+++ b/roles/1-prep/tasks/main.yml
@ -3,22 +3,22 @@
 - name: ...IS BEGINNING ============================================
  meta: noop
- name: SSHD
+- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
  include_role:
    name: sshd
  when: sshd_install
- name: TAILSCALE (VPN)
+- name: OPENVPN
  include_role:
-    name: tailscale
+    name: openvpn
-  when: tailscale_install
+  when: openvpn_install
 - name: REMOTE.IT
  include_role:
    name: remoteit
  when: remoteit_install
- name: IIAB-ADMIN -- includes {lynx, screen, sudo-prereqs.yml, admin-user.yml, pwd-warnings.yml}
+- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
  include_role:
    name: iiab-admin
  #when: iiab_admin_install    # Flag might be created in future?
--- a/roles/1-prep/templates/iiab-expand-rootfs
+++ b/roles/1-prep/templates/iiab-expand-rootfs
@ -8,21 +8,12 @@
 # Verifies that rootfs is the last partition.
 # RELATED:
 # 1. https://github.com/iiab/iiab-factory/blob/master/box/rpi/min-sd
 # 2. https://github.com/iiab/iiab-factory/blob/master/box/rpi/cp-sd
 # 3. https://github.com/iiab/iiab-factory/blob/master/box/rpi/xz-json-sd
 # OR https://github.com/iiab/iiab-factory/blob/master/box/rpi/exp-sd
 if [ -f /.expand-rootfs ] || [ -f /.resize-rootfs ]; then
    echo "$0: Expanding rootfs partition"
-    if [ -x /usr/bin/raspi-config ]; then    # Raspberry Pi OS -- WARNING: their fdisk-centric approach of course FAILS with "Hybrid MBR" or GPT partition tables, as required by any drive > 2TB :/
+    if [ -x /usr/bin/raspi-config ]; then    # Raspberry Pi OS
        # 2022-02-17: Uses do_expand_rootfs() from:
        # https://github.com/RPi-Distro/raspi-config/blob/master/raspi-config
        # 2023-10-05: Official new RPi instructions:
        # sudo raspi-config nonint do_expand_rootfs
        # https://www.raspberrypi.com/documentation/computers/configuration.html#expand-filesystem-nonint
        raspi-config --expand-rootfs    # REQUIRES A REBOOT
        rm -f /.expand-rootfs /.resize-rootfs
        reboot                          # In future, we might warn interactive users that a reboot is coming?
@ -41,7 +32,7 @@ if [ -f /.expand-rootfs ] || [ -f /.resize-rootfs ]; then
        fi
        # Expand partition
-        growpart $ROOT_DEV $ROOT_PART_NUM || true    # raspi-config instead uses fdisk (assuming MBR).  They really should transition to gdisk, as required by any drive > 2TB.  WARNING: growpart RC 2 is more severe than RC 1, and should possibly be handled separately in future?
+        growpart $ROOT_DEV $ROOT_PART_NUM || true    # raspi-config instead uses fdisk.  WARNING: growpart RC 2 is more severe than RC 1, and should possibly be handled separately in future?
        rc=$?    # Make Return Code visible, for 'bash -x'
        resize2fs $ROOT_PART
        rc=$?    # Make RC visible (as above)
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -1,6 +1,6 @@
 # 2022-03-16: 'apt show <pkg> | grep Size' revealed download sizes, on 64-bit RasPiOS with desktop.
- name: "Install 19 common packages: acpid, bzip2, cron, curl, gawk, gpg, htop, i2c-tools, logrotate, lshw, pandoc, pastebinit, plocate, rsync, sqlite3, tar, unzip, usbutils, wget"
+- name: "Install 17 common packages: acpid, bzip2, cron, curl, gawk, htop, i2c-tools, logrotate, plocate, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget"
  package:
    name:
      - acpid              #   55kB download: Daemon for ACPI (power mgmt) events
@ -11,24 +11,23 @@
      #- exfat-fuse        #   28kB download: 2021-07-27: Should no longer be nec with 5.4+ kernels, so let's try commenting it out
      #- exfat-utils       #   41kB download: Ditto!  See also 'ntfs-3g' below
      - gawk               #  533kB download
      - gpg                #  884kB download: Debian 12+ (especially!) require this for apt installs of gitea, kolibri, mongodb, yarn
      - htop               #  109kB download: RasPiOS installs this regardless
-      - i2c-tools          #   78kB download: Low-level bus/chip/register/EEPROM tools e.g. for RTC
+      - i2c-tools          #   78kB download: RasPiOS installs this regardless -- Low-level bus/chip/register/EEPROM tools e.g. for RTC
      - logrotate          #   67kB download: RasPiOS installs this regardless
      - lshw               #  257kB download: For 'lshw -C network' in iiab-diagnostics
      #- lynx              #  505kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
      #- make              #  376kB download: 2021-07-27: Currently used by roles/pbx and no other roles
      #- mlocate           #   92kB download
      - plocate            #   97kB download: Faster & smaller than locate & mlocate
      #- ntfs-3g           #  379kB download: RasPiOS installs this regardless -- 2021-07-31: But this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
      #- openssh-server    #  318kB download: RasPiOS installs this regardless -- this is also installed by 1-prep's roles/sshd/tasks/main.yml to cover all OS's
      - pandoc             #   19kB download: For /usr/bin/iiab-refresh-wiki-docs
      - pastebinit         #   47kB download: For /usr/bin/iiab-diagnostics
-      #- mlocate           #   92kB download
+      #- python3-pip       #  337kB download: RasPiOS installs this regardless -- 2021-07-29: And already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc
-      - plocate            #   97kB download: Faster & smaller than locate & mlocate
+      #- python3-venv      # 1188kB download: RasPiOS installs this regardless -- 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RasPiOS 10 did not.
      #- python3-pip       #  337kB download: 2023-03-22: Used to be installed by /opt/iiab/iiab/scripts/ansible -- which would auto-install 'python3-setuptools' and 'python3' etc
      #- python3-venv      # 1188kB download: 2023-03-22: Already installed by /opt/iiab/iiab/scripts/ansible -- used by roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 no longer auto-installs 'python3-venv' when you install 'python3'
      - rsync              #  351kB download: RasPiOS installs this regardless
      #- screen            #  551kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
      - sqlite3            # 1054kB download
      #- sudo              #  991kB download: RasPiOS installs this regardless -- (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
      - tar                #  799kB download: RasPiOS installs this regardless
      - unzip              #  151kB download: RasPiOS installs this regardless
      #- usbmount          #   18kB download: Moved to roles/usb_lib/tasks/install.yml
--- a/roles/3-base-server/README.rst
+++ b/roles/3-base-server/README.rst
@ -1,21 +1,10 @@
 .. |ss| raw:: html
   <strike>
 .. |se| raw:: html
   </strike>
 .. |nbsp| unicode:: 0xA0
   :trim:
 ====================
 3-base-server README
 ====================
 This 3rd `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs base server infra that `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_ requires, including:
- |ss| `MySQL <https://github.com/iiab/iiab/blob/master/roles/mysql>`_ (database underlying many/most user-facing apps). |se| |nbsp|  *As of 2023-11-05, MySQL / MariaDB is NO LONGER INSTALLED by 3-base-server — instead it's installed on-demand — as a dependency of Matomo, MediaWiki, Nextcloud, PBX (for FreePBX), WordPress &/or Admin Console.*  This IIAB role (roles/mysql) also installs apt package:
+- `MySQL <https://github.com/iiab/iiab/blob/master/roles/mysql>`_ (database underlying many/most user-facing apps).  This IIAB role also installs apt package:
   - **php{{ php_version }}-mysql** — which forcibly installs **php{{ php_version }}-common**
 - `NGINX <https://github.com/iiab/iiab/blob/master/roles/nginx>`_ web server (with Apache in some lingering cases).  This IIAB role also installs apt package:
   - **php{{ php_version }}-fpm** — which forcibly installs **php{{ php_version }}-cli**, **php{{ php_version }}-common** and **libsodium23**
--- a/roles/3-base-server/tasks/main.yml
+++ b/roles/3-base-server/tasks/main.yml
@ -3,13 +3,10 @@
 - name: ...IS BEGINNING =====================================
  meta: noop
-# 2023-11-05: MySQL (actually MariaDB) had been mandatory, installed on every
+- name: MYSQL + CORE PHP
-# IIAB by 3-base-server.  Now installed on demand -- as a dependency of Matomo,
+  include_role:
-# MediaWiki, Nextcloud, PBX (for FreePBX), WordPress &/or Admin Console.
+    name: mysql
-# - name: MYSQL + CORE PHP
+  #when: mysql_install
 #   include_role:
 #     name: mysql
 #   #when: mysql_install
 # 2021-05-21: Apache role 'httpd' is installed as nec by any of these 6 roles:
 #
--- a/roles/4-server-options/README.rst
+++ b/roles/4-server-options/README.rst
@ -2,7 +2,7 @@
 4-server-options README
 =======================
-Whereas 3-base-server installs critical packages needed by all, this 4th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs a broad array of *options* ⁠— depending on which server apps will be installed in later stages ⁠— as specified in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_
+Whereas 3-base-server installs critical packages needed by all, this 4th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs a broad array of *options* ⁠— depending on which server apps will be installed in later stages ⁠— as specified in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
 This includes more networking fundamentals, that may further be configured later on.
@ -11,7 +11,7 @@ Specifically, these might be installed:
 - Python libraries
 - SSH daemon
 - Bluetooth for Raspberry Pi
- Instant-sharing of `USB stick content <https://wiki.iiab.io/go/FAQ#Can_teachers_display_their_own_content%3F>`_
+- Instant-sharing of `USB stick content <https://wiki.iiab.io/go/FAQ#Can_teachers_display_their_own_content.3F>`_
 - CUPS Printing
 - Samba for Windows filesystems
 - `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml>`_
--- a/roles/4-server-options/tasks/main.yml
+++ b/roles/4-server-options/tasks/main.yml
@ -19,6 +19,11 @@
  #when: pylibs_installed is undefined
  #when: pylibs_install    # Flag might be created in future?
 - name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN
  include_role:
    name: sshd
  when: sshd_install
 - name: Install Bluetooth - only on Raspberry Pi
  include_role:
    name: bluetooth
--- a/roles/6-generic-apps/tasks/main.yml
+++ b/roles/6-generic-apps/tasks/main.yml
@ -29,7 +29,7 @@
 - name: JUPYTERHUB
  include_role:
    name: jupyterhub
-  when: jupyterhub_install
+  when: jupyterhub_install and ansible_machine is search("64")    # 2022-11-10: Avoid installing on 32-bit, until RasPiOS fixes Rust (PR #3421)
 # UNMAINTAINED
 - name: LOKOLE
--- a/roles/7-edu-apps/tasks/main.yml
+++ b/roles/7-edu-apps/tasks/main.yml
@ -6,13 +6,12 @@
 - name: KALITE
  include_role:
    name: kalite
-  when: kalite_install and (is_ubuntu_2204 or is_ubuntu_2310 or is_debian_12)    # Also covers is_linuxmint_21 and is_raspbian_12
+  when: kalite_install
 - name: KOLIBRI
  include_role:
    name: kolibri
  when: kolibri_install
  #when: kolibri_install and python_version is version('3.12', '<')    # Debian 13 still uses Python 3.11 (for now!) so really this just avoids Ubuntu 24.04 and 24.10 pre-releases during initial iiab-install.  CLARIF: This is all TEMPORARY until learningequality/kolibri#11316 brings Python 3.12 support to Kolibri 0.17 pre-releases (expected very soon).
 - name: KIWIX
  include_role:
@ -41,23 +40,10 @@
    name: pathagar
  when: pathagar_install is defined and pathagar_install
 # WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
 # RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3422 and #3516
 - name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
  command: dpkg --print-architecture
  register: dpkg_arch
  when: sugarizer_install
 - name: Explain bypassing of Sugarizer install if 32-bit OS
  fail:    # FORCE IT RED THIS ONCE!
    msg: "BYPASSING SUGARIZER INSTALL ATTEMPT, as Sugarizer Server 1.5.0 requires MongoDB 3.2+ which is NO LONGER SUPPORTED on 32-bit Raspberry Pi OS.  'dpkg --print-architecture' output for your OS: {{ dpkg_arch.stdout }}"
  when: sugarizer_install and not dpkg_arch.stdout is search("64")
  ignore_errors: True
 - name: SUGARIZER
  include_role:
    name: sugarizer
-  when: sugarizer_install and dpkg_arch.stdout is search("64")
+  when: sugarizer_install
 - name: Recording STAGE 7 HAS COMPLETED ========================
  lineinfile:
--- a/roles/8-mgmt-tools/tasks/main.yml
+++ b/roles/8-mgmt-tools/tasks/main.yml
@ -6,7 +6,7 @@
 - name: TRANSMISSION
  include_role:
    name: transmission
-  when: transmission_install and not (is_ubuntu_2404 or is_ubuntu_2410 or is_ubuntu_2504)    # Also excludes is_linuxmint_22, for #3756 (whereas Debian 13 works great!)
+  when: transmission_install
 - name: AWSTATS
  include_role:
@ -23,6 +23,11 @@
    name: monit
  when: monit_install
 - name: MUNIN
  include_role:
    name: munin
  when: munin_install
 - name: PHPMYADMIN
  include_role:
    name: phpmyadmin
--- a/roles/9-local-addons/tasks/main.yml
+++ b/roles/9-local-addons/tasks/main.yml
@ -14,23 +14,10 @@
    name: captiveportal
  when: captiveportal_install
 # WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
 # RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3516
 - name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
  command: dpkg --print-architecture
  register: dpkg_arch
  when: internetarchive_install
 - name: Explain bypassing of Internet Archive install if 32-bit OS
  fail:    # FORCE IT RED THIS ONCE!
    msg: "BYPASSING INTERNET ARCHIVE PER https://github.com/iiab/iiab/issues/3641 -- 'dpkg --print-architecture' output for your OS: {{ dpkg_arch.stdout }}"
  when: internetarchive_install and not dpkg_arch.stdout is search("64")
  ignore_errors: True
 - name: INTERNETARCHIVE
  include_role:
    name: internetarchive
-  when: internetarchive_install and dpkg_arch.stdout is search("64")
+  when: internetarchive_install
 - name: MINETEST
  include_role:
@ -40,7 +27,7 @@
 - name: CALIBRE-WEB
  include_role:
    name: calibre-web
-  when: calibreweb_install
+  when: calibreweb_install and ansible_machine is search("64")    # 2022-11-10: Avoid installing on 32-bit, until RasPiOS fixes Rust (PR #3421)
 # KEEP NEAR THE VERY END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
@ -55,46 +42,6 @@
    name: pbx
  when: pbx_install
 - name: '2023-11-05 / TEMPORARY UNTIL ADMIN CONSOLE DECLARES ITS DEPENDENCY: Install MySQL (MariaDB) if admin_console_install (for setup-feedback and record_feedback.php)'
  set_fact:
    mysql_install: True
    mysql_enabled: True
  when: admin_console_install
 - name: '2023-11-05 / TEMPORARY UNTIL ADMIN CONSOLE DECLARES ITS DEPENDENCY: Install MySQL (MariaDB) if admin_console_install (for setup-feedback and record_feedback.php)'
  include_role:
    name: mysql
  when: admin_console_install
 - name: '2023-11-05 / TEMPORARY UNTIL ADMIN CONSOLE DECLARES ITS DEPENDENCY: Install MySQL (MariaDB) if admin_console_install (for setup-feedback and record_feedback.php)'
  fail:
    msg: "Admin Console install cannot proceed, as MySQL / MariaDB is not installed."
  when: admin_console_install and mysql_installed is undefined
 # 2023-11-05: Moved from Stage 8, as it acts on mysql_installed (that might be set just above!)
 - name: MUNIN
  include_role:
    name: munin
  when: munin_install
 - name: Read 'disk_used_a_priori' from /etc/iiab/iiab.ini
  set_fact:
    df1: "{{ lookup('ansible.builtin.ini', 'disk_used_a_priori', section='summary', file=iiab_ini_file) }}"
 - name: Record currently used disk space, to compare with original 'disk_used_a_priori'
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add ESTIMATED 'iiab_software_disk_usage = {{ df2.stdout|int - df1|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: summary
    option: iiab_software_disk_usage
    value: "{{ df2.stdout|int - df1|int }}"
 - name: Recording STAGE 9 HAS COMPLETED ====================
  lineinfile:
    path: "{{ iiab_env_file }}"
--- a/roles/awstats/tasks/install.yml
+++ b/roles/awstats/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: 'Install package: awstats'
  package:
    name: awstats
@ -98,17 +93,6 @@
 # RECORD AWStats AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'awstats_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: awstats
    option: awstats_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'awstats_installed: True'"
  set_fact:
    awstats_installed: True
--- a/roles/azuracast/tasks/install.yml
+++ b/roles/azuracast/tasks/install.yml
@ -25,11 +25,6 @@
 # 5. Run './runrole --reinstall azuracast' in /opt/iiab/iiab
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: AzuraCast - Make config directory {{ azuracast_host_dir }}
  file:
    path: "{{ azuracast_host_dir }}"
@ -107,17 +102,6 @@
 # RECORD AzuraCast AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'azuracast_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: azuracast
    option: azuracast_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'azuracast_installed: True'"
  set_fact:
    azuracast_installed: True
--- a/roles/calibre-web/README.rst
+++ b/roles/calibre-web/README.rst
@ -13,175 +13,98 @@
 Calibre-Web README
 ==================
-This Ansible role installs
+Calibre-Web provides a clean interface for browsing, reading and downloading
-`Calibre-Web <https://github.com/janeczku/calibre-web#readme>`_ as a modern
+e-books using an existing Calibre database.  Teachers can upload e-books,
-client-server alternative to Calibre, for your
+adjust e-book metadata, and create custom e-book collections ("bookshelves"):
-`Internet-in-a-Box (IIAB) <https://internet-in-a-box.org>`_.
+https://github.com/janeczku/calibre-web#about
-Calibre-Web provides a clean web interface for students to browse, read and
+This Ansible role installs Calibre-Web as part of your Internet-in-a-Box (IIAB)
-download e-books using a
+as a possible alternative to Calibre.
 `Calibre-compatible database <https://manual.calibre-ebook.com/db_api.html>`_.
-Teachers upload e-books, adjust e-book metadata, and create custom "bookshelf"
+*WARNING: Calibre-Web depends on Calibre's own* ``/usr/bin/ebook-convert`` *program,
-collections — to help students build the best local community library!
+so we strongly recommend you also install Calibre during your IIAB
 installation!*
-**NEW AS OF JANUARY 2024:** `IIAB's experimental new version of Calibre-Web <https://github.com/iiab/calibre-web/wiki>`_
+Please note Calibre-Web's Ansible playbook is ``/opt/iiab/iiab/roles/calibre-web``
-**also lets you add YouTube and Vimeo videos (and local videos, e.g. from
+whereas its Ansible variables ``calibreweb_*`` do **not** include the dash,
-teachers' phones) to expand your indigenous/local/family learning library!**
+per Ansible recommendations.
 .. image:: https://www.yankodesign.com/images/design_news/2019/05/221758/luo_beetle_library_8.jpg
 🍒 GURU TIPS 🍒
 * Calibre-Web takes advantage of Calibre's own `/usr/bin/ebook-convert
  <https://manual.calibre-ebook.com/generated/en/ebook-convert.html>`_ program
  if that's installed — so consider also installing
  `Calibre <https://calibre-ebook.com/whats-new>`_ during your IIAB
  installation — *if you tolerate the weighty ~1 GB (of graphical OS libraries)
  that Calibre mandates!*
 * If you choose to also install Calibre (e.g. by running
  ``sudo apt install calibre``) then you'll get useful e-book
  importing/organizing tools like
  `/usr/bin/calibredb <https://manual.calibre-ebook.com/generated/en/calibredb.html>`_.
 Install It
 ----------
 Install Calibre-Web by setting these 2 variables in
 `/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_::
  calibreweb_install: True
  calibreweb_enabled: True
 Then install IIAB (`download.iiab.io <https://download.iiab.io>`_).  Or if
 IIAB's already installed, run::
  cd /opt/iiab/iiab
  sudo ./runrole calibre-web
 NOTE: Calibre-Web's Ansible role (playbook) in
 `/opt/iiab/iiab/roles <https://github.com/iiab/iiab/tree/master/roles>`_ is
 ``calibre-web`` which contains a hyphen — *whereas its Ansible variables*
 ``calibreweb_*`` *do NOT contain a hyphen!*
 Using It
 --------
-Try Calibre-Web on your own IIAB by browsing to http://box/books (or
+After installation, try out Calibre-Web at http://box/books (or box.lan/books).
 http://box.lan/books).
-*Students* access it without a password (to read and download books).
+Typically students access it without a password (to read and download books)
-
+whereas teachers add books using an administrative account, as follows::
 *Teachers* add and arrange books using an administrative account, by clicking
 **Guest** then logging in with::
  Username: Admin
  Password: changeme
-🍒 GURU TIPS 🍒
+If the default configuration is not found, the Calibre-Web server creates a
 new settings file with calibre-web's own default administrative account::
-* If Calibre-Web's configuration file (app.db) goes missing, the administrative
+  Username: admin
-  account will revert to::
+  Password: admin123
-    Username: admin
+Backend
-    Password: admin123
+-------
-* If you lose your password, you can change it with the
+You can manage the backend Calibre-Web server with these systemd commands::
-  ``-s [username]:[newpassword]`` command-line option:
+
-  https://github.com/janeczku/calibre-web/wiki/FAQ#what-do-i-do-if-i-lose-my-admin-password
+  systemctl enable calibre-web
  systemctl restart calibre-web
  systemctl status calibre-web
  systemctl stop calibre-web
 Configuration
 -------------
-To configure Calibre-Web browse to http://box/books then click **Guest** to log
+To configure Calibre-Web, log in as user 'Admin' then click 'Admin' on top.
-in as user **Admin** (default passwords above!)
+Check 'Configuration' options near the bottom of the page.
-Then click the leftmost **Admin** button to administer — considering all 3
+Critical settings are stored in::
 **Configuration** buttons further below.
 These critical settings are stored in::
  /library/calibre-web/config/app.db
-Whereas your e-book metadata is stored in a Calibre-style database::
+Your e-book metadata is stored in a Calibre-style database::
  /library/calibre-web/metadata.db
 Videos' metadata is stored in database::
  /library/calibre-web/xklb-metadata.db
 See also::
  /library/calibre-web/metadata_db_prefs_backup.json
-Finally, take note of Calibre-Web's
+Finally, take note of Calibre-Web's `FAQ <https://github.com/janeczku/calibre-web/wiki/FAQ>`_ and official docs on its `Runtime Configuration Options <https://github.com/janeczku/calibre-web/wiki/Configuration>`_ and `Command Line Interface <https://github.com/janeczku/calibre-web/wiki/Command-Line-Interface>`_.
 `FAQ <https://github.com/janeczku/calibre-web/wiki/FAQ>`_ and official docs on
 its
 `Runtime Configuration Options <https://github.com/janeczku/calibre-web/wiki/Configuration>`_
 and
 `Command Line Interface <https://github.com/janeczku/calibre-web/wiki/Command-Line-Interface>`_.
 Backend
 -------
 You can manage the backend Calibre-Web server with systemd commands like::
  systemctl status calibre-web
  systemctl stop calibre-web
  systemctl restart calibre-web
 Run all commands
 `as root <https://unix.stackexchange.com/questions/3063/how-do-i-run-a-command-as-the-system-administrator-root>`_.
 Errors and warnings can be seen if you run::
  journalctl -u calibre-web
 Log verbosity level can be
 `adjusted <https://github.com/janeczku/calibre-web/wiki/Configuration#logfile-configuration>`_
 within Calibre-Web's **Configuration > Basic Configuration > Logfile
 Configuration**.
 Finally, http://box/live/stats (Calibre-Web's **About** page) can be a very
 useful list of ~42 `Calibre-Web dependencies <https://github.com/janeczku/calibre-web/wiki/Dependencies-in-Calibre-Web-Linux-and-Windows>`_
 (mostly Python packages, and the version number of each that's installed).
 Back Up Everything
 ------------------
 Please back up the entire folder ``/library/calibre-web`` before upgrading —
-as it contains your Calibre-Web content **and** configuration settings!
+as it contains your Calibre-Web content **and** settings!
 Upgrading
 ---------
-Please see our `new/automated upgrade technique (iiab-update) <https://github.com/iiab/calibre-web/wiki#upgrading>`_
+Reinstalling Calibre-Web automatically upgrades to the latest version if your
-introduced in July 2024.
+Internet-in-a-Box (IIAB) is online.
-But first: back up your content **and** configuration settings, as outlined
+But first: back up your content **and** settings, as explained above.
 above!
-**Conversely if you're sure you want to fully reset your Calibre-Web settings,
+**Also move your /library/calibre-web/config/app.db AND/OR
-and remove all existing e-book/video/media metadata — then move your
+/library/calibre-web/metadata.db out of the way — if you're sure you want to
-/library/calibre-web/config/app.db, /library/calibre-web/metadata.db and
+fully reset your Calibre-Web settings (to install defaults) AND/OR remove all
-/library/calibre-web/xklb-metadata.db out of the way.**
+e-book metadata!  Then run**::
 RECAP: Either way, "reinstalling" Calibre-Web automatically installs the latest
 version — so long as your Internet-in-a-Box (IIAB) is online.  Most people
 should stick with the new ``iiab-update`` technique above.  However if you must
 use the older/manual approach, you would need to run, as root::
  cd /opt/iiab/iiab
  ./runrole --reinstall calibre-web
-Or, if there's a need to try updating Calibre-Web's code alone::
+Or, if you just want to upgrade Calibre-Web code alone, prior to proceeding
 manually::
  cd /usr/local/calibre-web-py3
  git pull
-Finally, this much older way is *no longer recommended*::
+This older way *is no longer recommended*::
  cd /opt/iiab/iiab
  ./iiab-install --reinstall    # OR: ./iiab-configure
@ -233,5 +156,5 @@ Known Issues
 * |ss| Upload of not supported file formats gives no feedback to the user: `janeczku/calibre-web#828 <https://github.com/janeczku/calibre-web/issues/828>`_ |se| |nbsp|  Fixed by `361a124 <https://github.com/janeczku/calibre-web/commit/361a1243d732116e6f520fabbaae017068b86037>`_ on 2019-02-27.
-* *Please report serious issues here:*
+* *Please assist us in reporting serious issues here:*
-  https://github.com/iiab/calibre-web/issues
+  https://github.com/janeczku/calibre-web/issues
--- a/roles/calibre-web/defaults/main.yml
+++ b/roles/calibre-web/defaults/main.yml
@ -14,10 +14,8 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 calibreweb_repo_url: https://github.com/iiab/calibre-web    # Or use upstream: https://github.com/janeczku/calibre-web
 calibreweb_version: master    # WAS: master, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9
 calibreweb_venv_wipe: False    # 2023-12-04: NEW default TDD (Test-Driven Dev!)
 calibreweb_venv_path: /usr/local/calibre-web-py3
 calibreweb_exec_path: "{{ calibreweb_venv_path }}/cps.py"
--- a/roles/calibre-web/files/app.db
+++ b/roles/calibre-web/files/app.db
--- a/roles/calibre-web/tasks/enable-or-disable.yml
+++ b/roles/calibre-web/tasks/enable-or-disable.yml
@ -23,29 +23,12 @@
    dest: "{{ nginx_conf_dir }}/calibre-web-nginx.conf"    # /etc/nginx/conf.d
  when: calibreweb_enabled
 - name: If enabling with Calibre-Web enhanced for large audio/video "books" too, also append onto calibre-web-nginx.conf AND symlink /library/www/html/calibre-web -> /library/calibre-web (WIP)
  shell: |
    if [ -f {{ calibreweb_venv_path }}/scripts/calibre-web-nginx.conf ]; then
        cat {{ calibreweb_venv_path }}/scripts/calibre-web-nginx.conf >> {{ nginx_conf_dir }}/calibre-web-nginx.conf
        # 2023-12-05: Not needed as a result of PR iiab/calibre-web#57
        # ln -sf {{ calibreweb_home }} {{ doc_root }}/calibre-web
    fi
  when: calibreweb_enabled
 - name: Disable http://box{{ calibreweb_url1 }} via NGINX, by removing {{ nginx_conf_dir }}/calibre-web-nginx.conf
  file:
-    path: "{{ nginx_conf_dir }}/calibre-web-nginx.conf"
+    path: "{{ nginx_conf_dir }}/calibre-web-nginx.conf"    # /etc/nginx/conf.d
    state: absent
  when: not calibreweb_enabled
 - name: If disabling, also remove symlink /library/www/html/calibre-web (WIP)
  file:
    path: "{{ doc_root }}/calibre-web"    # /library/www/html
    state: absent
  when: not calibreweb_enabled
 - name: Restart 'nginx' systemd service
  systemd:
    name: nginx
--- a/roles/calibre-web/tasks/install.yml
+++ b/roles/calibre-web/tasks/install.yml
@ -1,50 +1,10 @@
-# Or try 'iiab-update -f' for a more rapid upgrade of IIAB Calibre-Web:
+- name: "Install packages: imagemagick, python3-venv"
 #
 # https://wiki.iiab.io/go/FAQ#Can_I_upgrade_IIAB_software%3F
 # https://github.com/iiab/calibre-web/wiki#upgrading
 # https://github.com/iiab/iiab/blob/master/scripts/iiab-update
 # https://github.com/iiab/iiab/tree/master/roles/calibre-web#upgrading
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: Stop 'calibre-web' systemd service for safety (RED ERROR CAN BE IGNORED!)
  systemd:
    name: calibre-web
    state: stopped
  ignore_errors: True    # Shows red errors, and continue...
  #failed_when: False    # Hides red errors, and continue...
 # Official upstream instructions:
 # apt install python3-pip python3-venv
 # https://github.com/janeczku/calibre-web/wiki/Manual-installation
 - name: "Install package: imagemagick"
  package:
    name:
      - imagemagick
-      #- python3-cryptography    # Was needed on Raspberry Pi OS (SEE iiab/calibre-web#260, janeczku/calibre-web#3183)
+      - python3-venv
      #- python3-netifaces
    state: present
 # https://github.com/iiab/iiab/pull/3496#issuecomment-1475094542
 #- name: "Install packages: python3-dev, gcc to compile 'netifaces'"
 #  package:
 #    name:
 #      - python3-dev # header files
 #      - gcc         # compiler
 #    state: present
 #  when: python_version is version('3.10', '>=')
 - name: Does /etc/ImageMagick-6/policy.xml exist?
  stat:
    path: /etc/ImageMagick-6/policy.xml
  register: imagemagick6_policy_xml
 # 2024-12-16: Debian 13 uses /etc/ImageMagick-7/policy.xml instead, which doesn't need this lineinfile surgery:
 # https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion
 - name: Allow ImageMagick to read PDFs, per /etc/ImageMagick-6/policy.xml, to create book cover thumbnails
  lineinfile:
    path: /etc/ImageMagick-6/policy.xml
@ -52,9 +12,8 @@
    backrefs: yes
    line: '  <policy domain="coder" rights="read" pattern="PDF" />'
    state: present
  when: imagemagick6_policy_xml.stat.exists
- name: "Create 2 Calibre-Web folders to store data and config files: {{ calibreweb_home }}, {{ calibreweb_config }} (each set to {{ calibreweb_user }}:{{ apache_user }}, default to 0755)"
+- name: "Create 3 Calibre-Web folders to store data and config files: {{ calibreweb_home }}, {{ calibreweb_venv_path }}, {{ calibreweb_config }} (all set to {{ calibreweb_user }}:{{ apache_user }}) (default to 0755)"
  file:
    state: directory
    path: "{{ item }}"
@ -63,100 +22,40 @@
  with_items:
    - "{{ calibreweb_home }}"         # /library/calibre-web
    - "{{ calibreweb_config }}"       # /library/calibre-web/config
    - "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
-# FYI since May 2021, Calibre-Web (major releases) can be installed with pip:
+## TODO: Calibre-web future release might get into pypi https://github.com/janeczku/calibre-web/issues/456
-# https://pypi.org/project/calibreweb/
+- name: Clone i.e. download Calibre-Web ({{ calibreweb_version }}) from https://github.com/janeczku/calibre-web.git to {{ calibreweb_venv_path }} (~94 MB initially, ~115+ MB later)
 # https://github.com/janeczku/calibre-web/issues/456
 # https://github.com/janeczku/calibre-web/issues/677
 # https://github.com/janeczku/calibre-web/pull/927
 # https://github.com/janeczku/calibre-web/pull/1459
 - name: "Remove previous virtual environment {{ calibreweb_venv_path }} -- if 'calibreweb_venv_wipe: True'"
  file:
    path: "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
    state: absent
  when: calibreweb_venv_wipe
 - name: Does {{ calibreweb_venv_path }} exist?
  stat:
    path: "{{ calibreweb_venv_path }}"
  register: calibreweb_venv
 - name: git clone Calibre-Web ({{ calibreweb_version }}) from {{ calibreweb_repo_url }} to {{ calibreweb_venv_path }} (~122 MB initially, ~191+ or ~203+ MB later) -- if {{ calibreweb_venv_path }} doesns't exist
  git:
-    repo: "{{ calibreweb_repo_url }}"    # e.g. https://github.com/iiab/calibre-web or https://github.com/janeczku/calibre-web
+    repo: https://github.com/janeczku/calibre-web.git
    dest: "{{ calibreweb_venv_path }}"
-    #force: True    # CLAIM: "If true, any modified files in the working repository will be discarded" -- REALITY: even if `force: no`, Ansible destructively reclones (also removing all test branch commits etc!) -- unless a git credential is provided to Ansible?
+    force: yes
-    #depth: 1       # 2023-11-04: Full clone for now, to help @deldesir & wider community testing
+    depth: 1
-    version: "{{ calibreweb_version }}"    # e.g. master, 0.6.22
+    version: "{{ calibreweb_version }}"    # e.g. master, 0.6.17
  when: not calibreweb_venv.stat.exists
- name: cd {{ calibreweb_venv_path }} ; git pull {{ calibreweb_repo_url }} {{ calibreweb_version }} --no-rebase --no-edit -- if {{ calibreweb_venv_path }} exists
+## Ansible Pip Bug: Cannot use 'chdir' with 'env' https://github.com/ansible/ansible/issues/37912 (Patch landed)
-  command: git pull "{{ calibreweb_repo_url }}" "{{ calibreweb_version }}" --no-rebase --no-edit
+#- name: Download calibre-web dependencies into vendor subdirectory.
-  args:
+#  pip:
-    chdir: "{{ calibreweb_venv_path }}"
+#    requirements: "{{ calibreweb_path }}/requirements.txt"
-  when: calibreweb_venv.stat.exists
+#    chdir: "{{ calibreweb_path }}"
-
+#    extra_args: '--target vendor'
- debug:
+#  ignore_errors: True
-    msg:
+##
-      - "NEED BETTER/EXPERIMENTAL YouTube SCRAPING?  RUN THE NEXT LINE -- for the latest yt-dlp 'nightly' release:"
+# Implementing this with Ansible command module for now.
-      - sudo pipx inject --pip-args='--upgrade --pre' -f library yt-dlp[default]
+- name: Download Calibre-Web dependencies (using pip) into python3 virtual environment {{ calibreweb_venv_path }}
 - name: If Calibre-Web is being enhanced with audio/video "books" too, install/upgrade additional prereqs -- SEE https://github.com/iiab/calibre-web/wiki
  shell: |
    if [ -f {{ calibreweb_venv_path }}/scripts/lb-wrapper ]; then
        apt install ffmpeg pipx -y
        if lb --version; then
            if pipx list | grep -q 'xklb'; then
                pipx uninstall xklb
                pipx install library
            else
                pipx reinstall library
            fi
        else
            pipx install library
        fi
        ln -sf /root/.local/bin/lb /usr/local/bin/lb
        if [ -f /root/.local/share/pipx/venvs/library/bin/yt-dlp ]; then
            ln -sf /root/.local/share/pipx/venvs/library/bin/yt-dlp /usr/local/bin/yt-dlp
        elif [ -f /root/.local/pipx/venvs/library/bin/yt-dlp ]; then
            ln -sf /root/.local/pipx/venvs/library/bin/yt-dlp /usr/local/bin/yt-dlp
        else
            echo "ERROR: yt-dlp NOT FOUND"
        fi
        # NEED BETTER/EXPERIMENTAL YouTube SCRAPING?  UNCOMMENT THE NEXT LINE -- for the latest yt-dlp "nightly" release:
        # pipx inject --pip-args="--upgrade --pre" -f library yt-dlp[default]
        #
        # https://github.com/yt-dlp/yt-dlp-nightly-builds/releases
        # https://pypi.org/project/yt-dlp/#history
        cp {{ calibreweb_venv_path }}/scripts/lb-wrapper /usr/local/bin/
        chmod a+x /usr/local/bin/lb-wrapper
    fi
 - name: Download Calibre-Web dependencies from 'requirements.txt' into python3 virtual environment {{ calibreweb_venv_path }}
  pip:
    requirements: "{{ calibreweb_venv_path }}/requirements.txt"
    virtualenv: "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
-    #virtualenv_site_packages: no
+    virtualenv_site_packages: no
    #virtualenv_command: python3 -m venv --system-site-packages {{ calibreweb_venv_path }}
    virtualenv_command: python3 -m venv {{ calibreweb_venv_path }}
    extra_args: --prefer-binary    # 2023-10-01: Lifesaver when recent wheels (e.g. piwheels.org) are inevitably not yet built!  SEE #3560
 # 2023-10-11: RasPiOS Bookworm doc for Python with venv (PEP 668 now enforced!)
 # https://www.raspberrypi.com/documentation/computers/os.html#use-python-on-a-raspberry-pi
 # https://www.raspberrypi.com/documentation/computers/os.html#install-python-packages-using-apt
 # https://www.raspberrypi.com/documentation/computers/os.html#install-python-libraries-using-pip
 # VIRTUALENV EXAMPLE COMMANDS:
 # python3 -m venv /usr/local/calibre-web-py3    (create venv)
 # cd /usr/local/calibre-web-py3
-# . bin/activate    (or 'source bin/activate' -- this prepends '/usr/local/calibre-web-py3/bin' to yr PATH)
+# source bin/activate
-# python3 -m pip list    ('pip list' sufficient *IF* path set above!)
+# python3 -m pip list    ('pip list' probably sufficient, likewise below)
 # python3 -m pip freeze > /tmp/requirements.txt
 # python3 -m pip install -r requirements.txt
 # deactivate
-# https://pip.pypa.io/en/stable/user_guide/#requirements-files
+# https://pip.pypa.io/en/latest/user_guide/#requirements-files
 # https://pip.pypa.io/en/latest/reference/requirements-file-format/
 - name: Install /etc/systemd/system/calibre-web.service from template
  template:
@ -197,17 +96,6 @@
 # RECORD Calibre-Web AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'calibreweb_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: calibre-web
    option: calibreweb_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'calibreweb_installed: True'"
  set_fact:
    calibreweb_installed: True
--- a/roles/calibre-web/templates/calibre-web-nginx.conf.j2
+++ b/roles/calibre-web/templates/calibre-web-nginx.conf.j2
@ -5,7 +5,7 @@ location {{ calibreweb_url1 }}/ {
    proxy_set_header        Host            $http_host;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   "{{ calibreweb_url1 }}";
+    proxy_set_header        X-Script-Name   {{ calibreweb_url1 }};
    proxy_pass http://127.0.0.1:8083;
 }
@ -14,7 +14,7 @@ location {{ calibreweb_url2 }}/ {
    proxy_set_header        Host            $http_host;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   "{{ calibreweb_url2 }}";
+    proxy_set_header        X-Script-Name   {{ calibreweb_url2 }};
    proxy_pass http://127.0.0.1:8083;
 }
@ -23,6 +23,6 @@ location {{ calibreweb_url3 }}/ {
    proxy_set_header        Host            $http_host;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   "{{ calibreweb_url3 }}";
+    proxy_set_header        X-Script-Name   {{ calibreweb_url3 }};
    proxy_pass http://127.0.0.1:8083;
 }
--- a/roles/calibre/tasks/install.yml
+++ b/roles/calibre/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # 1. APT INSTALL CALIBRE 4.12+ or 5.12+ (calibre, calibredb, calibre-server etc) ON ALL OS'S
 - name: "Install OS's latest packages: calibre, calibre-bin"
@ -84,17 +79,6 @@
 # 5. RECORD Calibre AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'calibre_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: calibre
    option: calibre_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'calibre_installed: True'"
  set_fact:
    calibre_installed: True
--- a/roles/captiveportal/tasks/install.yml
+++ b/roles/captiveportal/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: "Install packages: python3-dateutil, python3-jinja2"
  package:
    name:
@ -56,17 +51,6 @@
 # RECORD Captive Portal AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'captiveportal_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: captiveportal
    option: captiveportal_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'captiveportal_installed: True'"
  set_fact:
    captiveportal_installed: True
--- a/roles/cups/README.md
+++ b/roles/cups/README.md
@ -8,7 +8,7 @@ This can be useful if a printer is attached to your IIAB &mdash; so student/teac
 ## Using it
-Make sure your IIAB was installed with these 2 lines in [/etc/iiab/local_vars.yml](http://faq.iiab.io/#What_is_local_vars.yml_and_how_do_I_customize_it%3F) :
+Make sure your IIAB was installed with these 2 lines in [/etc/iiab/local_vars.yml](http://faq.iiab.io/#What_is_local_vars.yml_and_how_do_I_customize_it.3F) :
 ```
 cups_install: True
--- a/roles/cups/tasks/install.yml
+++ b/roles/cups/tasks/install.yml
@ -2,11 +2,6 @@
 # (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW...
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: Install 'cups' package
  package:
    name: cups
@ -58,30 +53,15 @@
        AuthType Default
        Require user @SYSTEM
- name: "CUPS web administration: Create Linux username 'Admin' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)"
+- name: "CUPS web administration: Create Linux username 'Admin' with password 'changeme' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)"
  user:
    name: Admin
    append: yes    # Don't clobber other groups, that other IIAB Apps might need.
    groups: lpadmin
-    #password: "{{ 'changeme' | password_hash('sha512') }}"    # Random salt.  Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html#hashing-and-encrypting-strings-and-passwords
+    password: "{{ 'changeme' | password_hash('sha512') }}"    # Random salt.  Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#encrypting-and-checksumming-strings-and-passwords
    create_home: no
    shell: /usr/sbin/nologin    # Debian/Ubuntu norm -- instead of /sbin/nologin, /bin/false
 # 2024-05-01: Above password-setting approach no longer works w/ Ansible 2.17 RC1 (#3727).
 # Ansible STOPS with this error...
 #
 # "[DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated. The Python crypt module is
 # deprecated and will be removed from Python 3.13. Install the passlib library for continued encryption
 # functionality. This feature will be removed in version 2.17. Deprecation warnings can be disabled by
 # setting deprecation_warnings=False in ansible.cfg."
 #
 # ...so we instead use Linux's "chpasswd" command (below!)
 - name: Use chpasswd to set Linux username 'Admin' password to 'changeme'
  command: chpasswd
  args:
    stdin: Admin:changeme
 # - name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' -- for CUPS web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf)
 #   #command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin"
 #   #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin"
@ -144,17 +124,6 @@
 # RECORD CUPS AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'cups_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: cups
    option: cups_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'cups_installed: True'"
  set_fact:
    cups_installed: True
--- a/roles/cups/tasks/main.yml
+++ b/roles/cups/tasks/main.yml
@ -23,33 +23,26 @@
    quiet: yes
- block:
+- name: Install CUPS if 'cups_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: cups_installed is undefined
  - name: Install CUPS if 'cups_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: cups_installed is undefined
-  - include_tasks: enable-or-disable.yml
+- include_tasks: enable-or-disable.yml
  - name: Add 'cups' variable values to {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: cups
      option: "{{ item.option }}"
      value: "{{ item.value | string }}"
    with_items:
      - option: name
        value: CUPS
      - option: description
        value: '"CUPS (Common UNIX Printing System) is a modular printing system that allows a computer to act as a print server.  A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer."'
      - option: cups_install
        value: "{{ cups_install }}"
      - option: cups_enabled
        value: "{{ cups_enabled }}"
-  rescue:
+- name: Add 'cups' variable values to {{ iiab_ini_file }}
-
+  ini_file:
-  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    fail:
+    section: cups
-      msg: ""
+    option: "{{ item.option }}"
-    when: not skip_role_on_error
+    value: "{{ item.value | string }}"
  with_items:
    - option: name
      value: CUPS
    - option: description
      value: '"CUPS (Common UNIX Printing System) is a modular printing system that allows a computer to act as a print server.  A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer."'
    - option: cups_install
      value: "{{ cups_install }}"
    - option: cups_enabled
      value: "{{ cups_enabled }}"
--- a/roles/firmware/tasks/download.yml
+++ b/roles/firmware/tasks/download.yml
@ -1,44 +1,23 @@
-# 2023-02-25: MONITOR FIRMWARE UPDATES in 3 places especially...
+- name: Back up 4 OS-provided WiFi firmware files (or symlinks) to /lib/firmware/brcm/*.orig
-#
+  copy:
-# 1. apt changelog firmware-brcm80211
+    src: /lib/firmware/brcm/{{ item }}
-#    https://github.com/RPi-Distro/firmware-nonfree -> debian/config/brcm80211 (brcm, cypress)
+    dest: /lib/firmware/brcm/{{ item }}.orig
 #    https://archive.raspberrypi.org/debian/dists/bullseye/main/binary-arm64/Packages (1.1MB text file, look inside for summary of latest firmware-brcm80211)
 #    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/ -> firmware-brcm80211_* e.g.:
 #    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20190114-1+rpt11_all.deb from 2021-01-25
 #    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20210315-3+rpt4_all.deb from 2021-12-06
 #    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20221012-1~bpo11+1+rpt1_all.deb from 2022-11-17
 # 2. apt changelog linux-firmware-raspi
 #    https://packages.ubuntu.com/search?keywords=linux-firmware-raspi
 # 3. https://github.com/moodlebox/moodlebox/blob/main/roles/accesspoint/tasks/main.yml
 #- name: Back up 4 OS-provided WiFi firmware files (incl symlink contents) to /lib/firmware/cypress/*.orig
 - name: Back up 4 OS-provided WiFi firmware files (replicate any symlinks) to /lib/firmware/cypress/*.orig -- /usr/bin/iiab-check-firmware will later do similar (e.g. as firmware install completes) -- moving 2-or-4 of these to <ORIGINAL FILENAME>.YYYY-MM-DD-HH:MM:SS ("doubly timestamping" to preserve BOTH last-modif & moving date)
  # copy:
  #   src: /lib/firmware/cypress/{{ item }}
  #   dest: /lib/firmware/cypress/{{ item }}.orig
  #   #local_follow: False    # FAILS TO PRESERVE LINKS (ansible/ansible#74777) e.g. /lib/firmware/cypress/cyfmac43455-sdio.bin -> /etc/alternatives/cyfmac43455-sdio.bin -> ...
  # 2023-05-01 CLARIF OF BELOW:
  # 1) Even if 'mv' fails, no matter it'll continue to 'cp' below
  # 2) 'cp -P' == 'cp --no-dereference' sufficient to replicate these symlinks and files ('cp -d' & 'cp -a' are incrementally stronger, and so probably can't hurt)
  shell: |
    mv /lib/firmware/cypress/{{ item }}.orig /lib/firmware/cypress/{{ item }}.orig.$(date +%F-%T)
    cp -a /lib/firmware/cypress/{{ item }} /lib/firmware/cypress/{{ item }}.orig
  with_items:
-    - cyfmac43430-sdio.bin
+    - brcmfmac43430-sdio.bin
-    - cyfmac43430-sdio.clm_blob
+    - brcmfmac43430-sdio.clm_blob
-    - cyfmac43455-sdio.bin
+    - brcmfmac43455-sdio.bin
-    - cyfmac43455-sdio.clm_blob
+    - brcmfmac43455-sdio.clm_blob
-  #ignore_errors: yes    # 2023-02-25: Let's INTENTIONALLY surface any errors, e.g. if any future RasPiOS or Ubuntu-on-Rpi lack some of the above 4 files/links?
+  ignore_errors: yes
 - name: Download higher-capacity firmwares (for RPi internal WiFi, per https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and https://github.com/iiab/iiab/issues/2853)
  get_url:
    url: "{{ iiab_download_url }}/{{ item }}"
-    dest: /lib/firmware/cypress/
+    dest: /lib/firmware/brcm/
    timeout: "{{ download_timeout }}"
  with_items:
-    - brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- SAME AS RASPIOS & UBUNTU'S https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
+    - brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- from https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
    - brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal      # 24 -- from https://github.com/iiab/iiab/issues/2853#issuecomment-934293015
-    - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- SAME AS RASPIOS & UBUNTU'S https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
+    - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- from https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
    - brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1    # 32 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
    - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
    - brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65             # 30 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
--- a/roles/firmware/tasks/install.yml
+++ b/roles/firmware/tasks/install.yml
@ -4,69 +4,61 @@
 # Set 2 symlinks for RPi 3 B+ and 4 (43455)
 # COMPARE: update-alternatives --display cyfmac43455-sdio.bin
 # https://github.com/moodlebox/moodlebox/blob/main/roles/accesspoint/tasks/main.yml#L3-L6
- name: Populate rpi3bplus_rpi4_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/cypress)
+- name: Populate rpi3bplus_rpi4_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/brcm)
  set_fact:
    rpi3bplus_rpi4_wifi_firmwares:    # Dictionary keys (left side) are always strings, e.g. "19"
      os:
-        - cyfmac43455-sdio.bin.orig             # 2023-02-25: 7.45.241 from 2021-11-01 on Ubuntu 22.04.2 too (cyfmac43455-sdio-standard.bin)
+        - brcmfmac43455-sdio.bin.orig
-        - cyfmac43455-sdio.clm_blob.orig        # On Ubuntu 22.04.2 too (brcmfmac43455-sdio.clm_blob_2021-11-17_rpi)
+        - brcmfmac43455-sdio.clm_blob.orig
      ub:
        - cyfmac43455-sdio.bin.distrib          # 2023-02-25: STALE 7.45.234 from 2021-04-15; on Ubuntu 22.04.2 NOT RasPiOS
        - cyfmac43455-sdio.clm_blob.distrib     # 4.7K instead of 2.7K w/ above "os"
      19:
-        - brcmfmac43455-sdio.bin_2021-11-30_minimal     # On Ubuntu 22.04.2 too (cyfmac43455-sdio-minimal.bin)
+        - brcmfmac43455-sdio.bin_2021-11-30_minimal
-        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi    # On Ubuntu 22.04.2 too (cyfmac43455-sdio.clm_blob)
+        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi
      24:
        - brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal
-        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi    # On Ubuntu 22.04.2 too (cyfmac43455-sdio.clm_blob)
+        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi
      32:
        - brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1
-        - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi    # 14K instead of 2.7K w/ above "os"
+        - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
- name: Symlink /lib/firmware/cypress/cyfmac43455-sdio.bin.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][0] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
+- name: Symlink /lib/firmware/brcm/brcmfmac43455-sdio.bin.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][0] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
  file:
    src: "{{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][0] }}"
-    path: /lib/firmware/cypress/cyfmac43455-sdio.bin.iiab
+    path: /lib/firmware/brcm/brcmfmac43455-sdio.bin.iiab
    state: link
    force: yes
- name: Symlink /lib/firmware/cypress/cyfmac43455-sdio.clm_blob.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][1] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
+- name: Symlink /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][1] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
  file:
    src: "{{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][1] }}"
-    path: /lib/firmware/cypress/cyfmac43455-sdio.clm_blob.iiab
+    path: /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.iiab
    state: link
    force: yes
 # Set 2 symlinks for RPi Zero W and 3 (43430)
- name: Populate rpizerow_rpi3_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/cypress)
+- name: Populate rpizerow_rpi3_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/brcm)
  set_fact:
    rpizerow_rpi3_wifi_firmwares:
      os:
-        - cyfmac43430-sdio.bin.orig            # 2023-02-25: 7.45.98 from 2021-07-19 on Ubuntu 22.04.2 too
+        - brcmfmac43430-sdio.bin.orig
-        - cyfmac43430-sdio.clm_blob.orig       # On Ubuntu 22.04.2 too
+        - brcmfmac43430-sdio.clm_blob.orig
      ub:
        - cyfmac43430-sdio.bin.distrib         # 2023-02-25: STALE 7.45.98.118 from 2021-03-30; on Ubuntu 22.04.2 NOT RasPiOS
        - cyfmac43430-sdio.clm_blob.distrib    # Identical to above 4.7K cyfmac43430-sdio.clm_blob
      30:
        - brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65
-        - brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65    # 14K instead of 4.7K w/ above "os" & "ub"
+        - brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65
- name: Symlink /lib/firmware/cypress/cyfmac43430-sdio.bin.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][0] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
+- name: Symlink /lib/firmware/brcm/brcmfmac43430-sdio.bin.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][0] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
  file:
    src: "{{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][0] }}"
-    path: /lib/firmware/cypress/cyfmac43430-sdio.bin.iiab
+    path: /lib/firmware/brcm/brcmfmac43430-sdio.bin.iiab
    state: link
    force: yes
- name: Symlink /lib/firmware/cypress/cyfmac43430-sdio.clm_blob.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][1] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
+- name: Symlink /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][1] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
  file:
    src: "{{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][1] }}"
-    path: /lib/firmware/cypress/cyfmac43430-sdio.clm_blob.iiab
+    path: /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab
    state: link
    force: yes
@ -81,7 +73,7 @@
    - { src: 'iiab-check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' }
    - { src: 'iiab-firmware-warn.sh', dest: '/etc/profile.d/', mode: '0644' }
- name: Enable & (Re)Start iiab-check-firmware.service (also runs on each boot) -- finalizing 2-or-4 symlink chains e.g. /lib/firmware/cypress/X.{bin|blob} -> /lib/firmware/cypress/X.{bin|blob}.iiab -> CHOSEN-FIRMWARE-FILE-OR-LINK
+- name: Enable & (Re)Start iiab-check-firmware.service (also runs on each boot)
  systemd:
    name: iiab-check-firmware.service
    daemon_reload: yes
--- a/roles/firmware/tasks/main.yml
+++ b/roles/firmware/tasks/main.yml
@ -3,22 +3,18 @@
 # client devices that can access your Raspberry Pi's internal WiFi hotspot.
 # If IIAB's already installed, you should then run 'cd /opt/iiab/iiab' and
-# then 'sudo ./runrole firmware' (DO RUN iiab-check-firmware FOR MORE TIPS!)
+# then 'sudo ./runrole firmware' (do run iiab-check-firmware for more tips!)
 # BACKGROUND AS OF 2022-01-10:
 # https://github.com/iiab/iiab/issues/823#issuecomment-662285202
 # https://github.com/iiab/iiab/issues/2853#issuecomment-957836892
 # https://github.com/iiab/iiab/pull/3103
 # https://github.com/RPi-Distro/firmware-nonfree/tree/bullseye/debian/config/brcm80211 (brcm, cypress)
 # https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20190114-1+rpt11_all.deb from 2021-01-25
 # https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20210315-3+rpt4_all.deb from 2021-12-06
 # 2018-2023 Background & Progress:
 #
 # Raspberry Pi 3 used to support 32 WiFi connections but is now limited to [4-10]
 #     https://github.com/iiab/iiab/issues/823#issuecomment-662285202
 # Opinions about Pi 4B/3B+ WiFi features [practical AP firmware for schools!]
 #     https://github.com/iiab/iiab/issues/2853#issuecomment-957836892
 # RPi WiFi hotspot firmware reliability fix, incl new/better choices for 3B+ & 4
 #     https://github.com/iiab/iiab/pull/3103
 # Set WiFi firmware in /lib/firmware/cypress due to RasPiOS & Ubuntu changes
 #     https://github.com/iiab/iiab/pull/3482
 # RISK: What USB 3.0 stick/drive patterns degrade a Raspberry Pi's 2.4GHz WiFi?
-#     https://github.com/iiab/iiab/issues/2638
+# https://github.com/iiab/iiab/issues/2638
 # ► SEE "MONITOR FIRMWARE UPDATES in 3 places especially" in tasks/download.yml ◄
 - name: Install firmware (for RPi internal WiFi)
  include_tasks: install.yml
--- a/roles/firmware/templates/iiab-check-firmware
+++ b/roles/firmware/templates/iiab-check-firmware
@ -1,25 +1,11 @@
 #!/bin/bash
-# The 1st time /usr/bin/iiab-check-firmware runs (at the end of
+# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
 # firmware/tasks/install.yml) 2-4 lynchpin top links are put in place,
 # finalizing symlink chains like:
 #
 #     /lib/firmware/cypress/X.{bin|blob} ->
 #     /lib/firmware/cypress/X.{bin|blob}.iiab ->
 #     CHOSEN-FIRMWARE-FILE-OR-LINK
 #
 # Also backing up top-of-chain originals (file or link!) by moving these to:
 #
 #     /lib/firmware/cypress/<ORIGINAL FILENAME>.YYYY-MM-DD-HH:MM:SS
 #
 # NOTE these are "doubly timestamped" to preserve BOTH last-modif & moving date.
 # 2023-02-25: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab
 # https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L10-14
 # https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
-# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L23-L39
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
-# https://github.com/iiab/iiab/blob/master/roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
 iiab_var_value() {
    v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
@ -28,29 +14,29 @@ iiab_var_value() {
 }
 link_fw() {
-    if [[ $(readlink /lib/firmware/cypress/$1) != $1.iiab ]] ; then
+    if [[ $(readlink /lib/firmware/brcm/$1) != $1.iiab ]] ; then
-        echo
+	echo
-        mv /lib/firmware/cypress/$1 /lib/firmware/cypress/$1.$(date +%F-%T)
+	mv /lib/firmware/brcm/$1 /lib/firmware/brcm/$1.$(date +%F-%T)
-        ln -s $1.iiab /lib/firmware/cypress/$1
+	ln -s $1.iiab /lib/firmware/brcm/$1
-        echo -e "\e[1mSymlinked /lib/firmware/cypress/$1 -> $1.iiab\e[0m"
+	echo -e "\e[1mSymlinked /lib/firmware/brcm/$1 -> $1.iiab\e[0m"
-        touch /tmp/.fw_modified
+	touch /tmp/.fw_modified
    fi
 }
 if [[ $(iiab_var_value rpi3bplus_rpi4_wifi_firmware) != "os" ]] ; then
-    link_fw cyfmac43455-sdio.bin
+    link_fw brcmfmac43455-sdio.bin
-    link_fw cyfmac43455-sdio.clm_blob
+    link_fw brcmfmac43455-sdio.clm_blob
 fi
 if [[ $(iiab_var_value rpizerow_rpi3_wifi_firmware) != "os" ]] ; then
-    link_fw cyfmac43430-sdio.bin
+    link_fw brcmfmac43430-sdio.bin
-    link_fw cyfmac43430-sdio.clm_blob
+    link_fw brcmfmac43430-sdio.clm_blob
 fi
 if [ -f /tmp/.fw_modified ]; then
    bash /etc/profile.d/iiab-firmware-warn.sh
 else
-    echo -e "\n\e[1mWiFi Firmware links in /lib/firmware/cypress appear \e[92mCORRECT\e[0m\e[1m, per iiab/iiab#3482\e[0m"
+    echo -e "\n\e[1mWiFi Firmware links in /lib/firmware/brcm appear \e[92mCORRECT\e[0m\e[1m, per iiab/iiab#2853.\e[0m"
    echo
    echo -e "\e[100;1m(No reboot appears necessary!)\e[0m"
    echo
@ -60,7 +46,7 @@ else
    echo -e "  cd /opt/iiab/iiab"
    echo -e "  sudo iiab-hotspot-off    # NO LONGER NEC? eg to restore 'wifi_up_down: True'"
    echo -e "  sudo ./runrole --reinstall firmware"
-    echo -e "  sudo iiab-network        # SOMETIMES NECESSARY"
+    echo -e "  sudo ./iiab-network      # SOMETIMES NECESSARY"
    echo -e "  sudo iiab-hotspot-on     # NO LONGER NEC? eg to restore 'wifi_up_down: True'"
    echo -e "  sudo reboot\n"
    #echo
--- a/roles/firmware/templates/iiab-firmware-warn.sh
+++ b/roles/firmware/templates/iiab-firmware-warn.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 if [ -f /tmp/.fw_modified ]; then
-    echo -e "\n\e[41;1mWiFi Firmware link(s) modified, per iiab/iiab#3482: PLEASE REBOOT!\e[0m"
+    echo -e "\n\e[41;1mWiFi Firmware link(s) modified, per iiab/iiab#2853: PLEASE REBOOT!\e[0m"
    echo
    echo -e "If you want this warning to stop, reboot to remove /tmp/.fw_modified\n"
 fi
--- a/roles/gitea/defaults/main.yml
+++ b/roles/gitea/defaults/main.yml
@ -9,7 +9,7 @@
 # Info needed to install Gitea:
-gitea_version: "1.22"    # 2022-01-30: Grabs latest from this MAJOR/MINOR release branch.  Rather than exhaustively hard-coding point releases (e.g. 1.14.5) every few weeks.  Quotes nec if trailing zero.
+gitea_version: 1.18    # 2022-01-30: Grabs latest from this MAJOR/MINOR release branch.  Rather than exhaustively hard-coding point releases (e.g. 1.14.5) every few weeks.
 iset_suffixes:
  i386: 386
  x86_64: amd64
@ -17,9 +17,9 @@ iset_suffixes:
  armv6l: arm-6
  armv7l: arm-6    # "arm-7" used to work, but no longer since 2019-04-20's Gitea 1.8.0: https://github.com/iiab/iiab/issues/1673 https://github.com/iiab/iiab/pull/1713 -- 2019-07-31: ARM7 support will return at some point, according to: https://github.com/go-gitea/gitea/pull/7037#issuecomment-516735216 (what about ARM8 support for RPi 4?)
-gitea_iset_suffix: "{{ iset_suffixes[ansible_machine] | default('unknown') }}"    # A bit safer than ansible_architecture (see kiwix/defaults/main.yml)
+gitea_iset_suffix: "{{ iset_suffixes[ansible_architecture] | default('unknown') }}"
-gitea_download_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_iset_suffix }}"
+gitea_download_url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_iset_suffix }}"
 gitea_integrity_url: "{{ gitea_download_url }}.asc"
 gitea_root_directory: "{{ content_base }}/gitea"    # /library/gitea
--- a/roles/gitea/tasks/install.yml
+++ b/roles/gitea/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # 1. Prepare to install Gitea: create user and directory structure
 - name: Shut down existing Gitea instance (if we're reinstalling)
@ -48,10 +43,10 @@
    msg: "Could not find a binary for the CPU architecture \"{{ ansible_architecture }}\""
  when: gitea_iset_suffix == "unknown"
- name: Download Gitea binary {{ gitea_download_url }} to {{ gitea_install_path }} (0775, ~134 MB, SLOW DOWNLOAD CAN TAKE ~15 MIN)
+- name: Download Gitea binary {{ gitea_download_url }} to {{ gitea_install_path }} (0775, ~108 MB, SLOW DOWNLOAD CAN TAKE ~15 MIN)
  get_url:
    url: "{{ gitea_download_url }}"
-    dest: "{{ gitea_install_path }}"    # e.g. /library/gitea/bin/gitea-1.21
+    dest: "{{ gitea_install_path }}"    # e.g. /library/gitea/bin/gitea-1.16
    mode: 0775
    timeout: "{{ download_timeout }}"
@ -61,9 +56,9 @@
    dest: "{{ gitea_checksum_path }}"
    timeout: "{{ download_timeout }}"
- name: Verify Gitea binary with GPG signature ("BAD signature" FALSE ALARMS continue as of 2023-07-16, despite their claims at https://docs.gitea.com/installation/install-from-binary#verify-gpg-signature)
+- name: Verify Gitea binary with GPG signature
  shell: |
-    gpg --keyserver keys.openpgp.org --recv {{ gitea_gpg_key }}
+    gpg --keyserver pgp.mit.edu --recv {{ gitea_gpg_key }}
    gpg --verify {{ gitea_checksum_path }} {{ gitea_install_path }}
  ignore_errors: yes
@ -110,17 +105,6 @@
 # 5. RECORD Gitea AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'gitea_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: gitea
    option: gitea_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'gitea_installed: True'"
  set_fact:
    gitea_installed: True
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
@ -27,7 +27,7 @@
  - include_tasks: enable-or-disable.yml
-  - name: Add 'gitea' variable values to {{ iiab_ini_file }}
+  - name: Add 'gitea' to list of services at {{ iiab_ini_file }}
    ini_file:
      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
      section: gitea
--- a/roles/gitea/templates/app.ini.j2
+++ b/roles/gitea/templates/app.ini.j2
@ -2,8 +2,7 @@
 ; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ; and modify as needed.
-; see https://docs.gitea.com/administration/config-cheat-sheet for additional documentation.
+; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.
 ;     https://docs.gitea.com/next/administration/config-cheat-sheet
 ; App name that shows in every page title
 APP_NAME = {{ gitea_display_name }}
@ -24,11 +23,9 @@ DEFAULT_PRIVATE = last
 ; Global limit of repositories per user, applied at creation time. -1 means no limit
 MAX_CREATION_LIMIT = -1
 ; Mirror sync queue length, increase if mirror syncing starts hanging
-; 2023-07-16 ERROR: MIRROR_QUEUE_LENGTH = 1000
+MIRROR_QUEUE_LENGTH = 1000
 ;     `[repository].MIRROR_QUEUE_LENGTH`. Use new options in `[queue.mirror]`
 ; Patch test queue length, increase if pull request patch testing starts hanging
-; 2023-07-16 ERROR: PULL_REQUEST_QUEUE_LENGTH = 1000
+PULL_REQUEST_QUEUE_LENGTH = 1000
 ;     `[repository].PULL_REQUEST_QUEUE_LENGTH`. Use new options in `[queue.pr_patch_checker]`
 ; Preferred Licenses to place at the top of the List
 ; The name here must match the filename in conf/license or custom/conf/license
 PREFERRED_LICENSES = Apache License 2.0,MIT License
@ -204,22 +201,13 @@ PPROF_DATA_PATH = data/tmp/pprof
 LANDING_PAGE = home
 ; Enables git-lfs support. true or false, default is false.
 LFS_START_SERVER = false
 ; Where your lfs files reside, default is data/lfs.
 LFS_CONTENT_PATH = {{ gitea_lfs_root }}
 ; LFS authentication secret, change this yourself
 LFS_JWT_SECRET =
 ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
 LFS_HTTP_AUTH_EXPIRY = 20m
 ; lfs [Large File Storage] storage will override storage
 ;
 [lfs]
 ;STORAGE_TYPE = local
 ;
 ; Where your lfs files reside, default is data/lfs.
 PATH = {{ gitea_lfs_root }}
 ;
 ; override the minio base path if storage type is minio
 ;MINIO_BASE_PATH = lfs/
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 [ssh.minimum_key_sizes]
 ED25519 = 256
@ -252,8 +240,7 @@ ISSUE_INDEXER_PATH = indexers/issues.bleve
 ; repo indexer by default disabled, since it uses a lot of disk space
 REPO_INDEXER_ENABLED = false
 REPO_INDEXER_PATH = indexers/repos.bleve
-; 2023-07-16 ERROR: UPDATE_BUFFER_LEN = 20
+UPDATE_BUFFER_LEN = 20
 ;        `[indexer].UPDATE_BUFFER_LEN`. Use new options in `[queue.issue_indexer]`
 MAX_FILE_SIZE = 1048576
 [admin]
@ -373,8 +360,7 @@ PAGING_NUM = 10
 [mailer]
 ENABLED = false
 ; Buffer length of channel, keep it as it is if you don't know what it is.
-; 2023-07-16 ERROR: SEND_BUFFER_LEN = 100
+SEND_BUFFER_LEN = 100
 ;         `[mailer].SEND_BUFFER_LEN`. Use new options in `[queue.mailer]`
 ; Name displayed in mail title
 SUBJECT = %(APP_NAME)s
 ; Mail server
--- a/roles/iiab-admin/README.rst
+++ b/roles/iiab-admin/README.rst
@ -36,7 +36,7 @@ Security
   #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
   #. ``sudo``
 * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
-* If your IIAB includes Tailscale (VPN), ``/root/.ssh/authorized_keys`` should be installed by `roles/tailscale/tasks/install.yml <../tailscale/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
+* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
 * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).
 Example
@ -56,16 +56,16 @@ Historical Notes
 Remote Support Tools
 --------------------
-The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `Tailscale (VPN) <https://en.wikipedia.org/wiki/Tailscale>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
+The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
-Similarly, `tasks/main.yml <tasks/main.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
+Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
 * `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_
 * `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_
 *More great tools to help you jumpstart community action at a distance:*
-* `FAQ.IIAB.IO <https://wiki.iiab.io/go/FAQ>`_ > "How can I remotely manage my Internet-in-a-Box?"
+* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?"
 Admin Console
 -------------
--- a/roles/iiab-admin/tasks/main.yml
+++ b/roles/iiab-admin/tasks/main.yml
@ -2,11 +2,6 @@
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: "Install text-mode packages, useful during remote access: lynx, screen"
  package:
    name:
@ -40,17 +35,6 @@
 # RECORD iiab-admin AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'iiab_admin_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: iiab-admin
    option: iiab_admin_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'iiab_admin_installed: True'"
  set_fact:
    iiab_admin_installed: True
--- a/roles/iiab-admin/tasks/pwd-warnings.yml
+++ b/roles/iiab-admin/tasks/pwd-warnings.yml
@ -2,35 +2,34 @@
 #                    AND roles/network/tasks/netwarn.yml  FOR iiab-network
- name: Install /etc/profile.d/iiab-pwdwarn-profile.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
+- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
  template:
-    src: iiab-pwdwarn-profile.sh.j2
+    src: sshpwd-profile-iiab.sh.j2
-    dest: /etc/profile.d/iiab-pwdwarn-profile.sh
+    dest: /etc/profile.d/sshpwd-profile-iiab.sh
    mode: '0644'
- name: Does directory /home/{{ iiab_admin_user }}/.config/labwc/ exist?
+- name: Is /etc/xdg/lxsession/LXDE-pi a directory?
  stat:
-    path: /home/{{ iiab_admin_user }}/.config/labwc/
+    path: /etc/xdg/lxsession/LXDE-pi
-  register: labwc_dir
+  register: lx
- name: "If so, install from template: /usr/local/sbin/iiab-pwdwarn-labwc"
+- name: "If so, install from template: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
  template:
-    src: iiab-pwdwarn-labwc.j2
+    src: sshpwd-lxde-iiab.sh.j2
-    dest: /usr/local/sbin/iiab-pwdwarn-labwc
+    dest: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh
    mode: '0755'
-  when: labwc_dir.stat.exists and labwc_dir.stat.isdir
+  when: lx.stat.isdir is defined and lx.stat.isdir    # and is_raspbian
-# 2019-03-07: This pop-up (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) did
+# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
 # not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
 # (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
-# would be really nice to standardize pop-ups across Ubermix & all distros...
+# would be really nice to standardize this popup across Ubermix & all distros..
 # Is this a permissions/security issue presumably?  Official autostart spec is:
 # https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
 # Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
- name: ...and put a line in /home/{{ iiab_admin_user }}/.config/labwc/autostart to trigger iiab-pwdwarn-labwc (& pop-up as nec)
+- name: ...and put a line in /etc/xdg/lxsession/LXDE-pi/autostart to trigger popups
  lineinfile:
-    path: /home/{{ iiab_admin_user }}/.config/labwc/autostart    # iiab-admin
+    path: /etc/xdg/lxsession/LXDE-pi/autostart
-    create: yes
+    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
-    line: '/usr/local/sbin/iiab-pwdwarn-labwc &'
+  when: lx.stat.isdir is defined and lx.stat.isdir    # and is_raspbian
  when: labwc_dir.stat.exists and labwc_dir.stat.isdir
--- a/roles/iiab-admin/tasks/sudo-prereqs.yml
+++ b/roles/iiab-admin/tasks/sudo-prereqs.yml
@ -1,6 +1,6 @@
 - name: 'Install package: sudo'
  package:
-    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can be installed by 1-prep's roles/tailscale/tasks/install.yml, (3) Can be installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
+    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
 - name: Temporarily make file /etc/sudoers editable (0640)
  file:
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh.j2
--- a/roles/iiab-admin/templates/iiab-pwdwarn-profile.sh.j2
+++ b/roles/iiab-admin/templates/iiab-pwdwarn-profile.sh.j2
--- a/roles/internetarchive/tasks/install.yml
+++ b/roles/internetarchive/tasks/install.yml
@ -9,10 +9,10 @@
  include_role:
    name: nodejs
- name: Assert that 10.x <= nodejs_version ({{ nodejs_version }}) <= 22.x
+- name: Assert that 10.x <= nodejs_version ({{ nodejs_version }}) <= 18.x
  assert:
-    that: nodejs_version is version('10.x', '>=') and nodejs_version is version('22.x', '<=')
+    that: nodejs_version is version('10.x', '>=') and nodejs_version is version('18.x', '<=')
-    fail_msg: "Internet Archive install cannot proceed, as it currently requires Node.js 10.x - 22.x, and your nodejs_version is set to {{ nodejs_version }}.  Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml and possibly also /etc/iiab/local_vars.yml"
+    fail_msg: "Internet Archive install cannot proceed, as it currently requires Node.js 10.x - 18.x, and your nodejs_version is set to {{ nodejs_version }}.  Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml and possibly also /etc/iiab/local_vars.yml"
    quiet: yes
 - name: "Set 'yarn_install: True' and 'yarn_enabled: True'"
@ -30,11 +30,6 @@
    state: present
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # 2. CREATE 2 DIRS, WIPE /opt/iiab/internetarchive/node_modules & RUN YARN
 - name: mkdir {{ internetarchive_dir }}
@ -69,17 +64,6 @@
 # 4. RECORD Internet Archive AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'internetarchive_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: internetarchive
    option: internetarchive_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'internetarchive_installed: True'"
  set_fact:
    internetarchive_installed: True
--- a/roles/jupyterhub/README.md
+++ b/roles/jupyterhub/README.md
@ -1,7 +1,5 @@
 ## JupyterHub programming environment with student Notebooks
 ### CAUTION: Internet-in-a-Box (IIAB) does not support JupyterHub on 32-bit OS's, where installation will likely fail ([#3639](https://github.com/iiab/iiab/issues/3639)).
 #### Secondary schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their own blog-like "Jupyter Notebooks."
 * Jupyter Notebooks are widely used in the scientific community:
@ -11,11 +9,10 @@
  * [JupyterHub changelog](https://jupyterhub.readthedocs.io/en/stable/changelog.html#changelog)
 * Students create their own accounts on first use — e.g. at http://box.lan/jupyterhub — just as if they're logging in regularly (unfortunately the login screen doesn't make that clear, but the teacher _does not_ need to be involved!)
  * A student can then sign in with their username and password, to gain access to their files (Jupyter Notebooks).
-  * The teacher should set and protect JupyterHub's overall `Admin` password, just in case.  As with student accounts, the login screen unfortunately doesn't make that clear — so just log in with username `Admin` — using any password that you want to become permanent.
+  * The teacher should set and protect JupyterHub's overall `Admin` password, just in case.  As with student accounts, the login screen doesn't make that clear — so just log in with username `Admin` — using any password that you want to become permanent.
-* Individual student folders are created in `/var/lib/private/` on your Internet-in-a-Box (IIAB) server:
+* Individual student folders are created in `/var/lib/private/` on the Internet-in-a-Box (IIAB) server:
  * A student will only be able to see their own work — they do not have privileges outside of their own folder.
  * Students may upload Jupyter Notebooks to the IIAB server, and download the current state of their work via a normal browser.
  * Linux administrators can read more about JupyterHub's [Local Users](https://github.com/jupyterhub/systemdspawner#local-users) and [c.SystemdSpawner.dynamic_users = True](https://github.com/jupyterhub/systemdspawner#dynamic_users)
 ### Settings
@ -29,11 +26,10 @@ In some rare circumstances, it may be necessary to restart JupyterHub's systemd
 sudo systemctl restart jupyterhub
 ```
-FYI `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated (and deactivated) with the usual:
+FYI `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated with the usual formula:
 ```
 source /opt/iiab/jupyterhub/bin/activate
 (jupyterhub) root@box:~# deactivate
 ```
 Passwords are hashed using 4096 rounds of the latest Blowfish (bcrypt's $2b$ algorithm) and stored in:
@ -46,19 +42,19 @@ Passwords are hashed using 4096 rounds of the latest Blowfish (bcrypt's $2b$ alg
 Users can change their password by logging in, and then visiting URL: http://box.lan/jupyterhub/auth/change-password
-NOTE: This is the only way to change the password for user `Admin`, because **File > Hub Control Panel > Admin** (below) does not permit deletion of this account.
+NOTE: This is the only way to change the password for user 'Admin', because Control Panel > Admin (below) does not permit deletion of this account.
-### File > Hub Control Panel > Admin, to manage accounts
+### Control Panel > Admin page, to manage other accounts
 The `Admin` user (and any users given `Admin` privilege) can reset user passwords by deleting the user from JupyterHub's **Admin** page (below).  This logs the user out, but does not remove any of their data or home directories.  The user can then set a new password in the usual way — simply by logging in.  Example:
-1. As a user with `Admin` privilege, click **File > Hub Control Panel** in your JupyterHub:
+1. As a user with `Admin` privilege, click **Control Panel** in the top right of your JupyterHub:
-   ![image](https://user-images.githubusercontent.com/2458907/217602766-ab6a9d3c-9f92-496e-a0e8-6c18a084e960.png)
+   ![Control panel button in notebook, top right](control-panel-button1.png)
-2. At the top of the Control Panel, click **Admin**:
+2. In the Control Panel, open the **Admin** link in the top left:
-   ![image](https://user-images.githubusercontent.com/2458907/217602473-f4f9fd40-b4c1-45e1-88c5-54c6d4b604ff.png)
+   ![Admin button in control panel, top left](admin-access-button1.png)
   This opens up the JupyterHub Admin page, where you can add / delete users, start / stop peoples’ servers and see who is online.
@ -74,20 +70,6 @@ The `Admin` user (and any users given `Admin` privilege) can reset user password
 _WARNING: If on login users see "500 : Internal Server Error", you may need to remove ALL files of the form_ `/run/jupyter-johndoe-singleuser`
 ### Logging
 To see JupyterHub's (typically very long!) log, run:
 ```
 journalctl -u jupyterhub
 ```
 Sometimes other logs might also be available, e.g.:
 ```
 journalctl -u jupyter-admin-singleuser
 ```
 ### PAWS/Jupyter Notebooks for Python Beginners
 While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.
--- a/roles/jupyterhub/tasks/install.yml
+++ b/roles/jupyterhub/tasks/install.yml
@ -13,20 +13,10 @@
  when: nodejs_installed is undefined
- name: Record (initial) disk space used
+- name: "Install package: python3-venv"
-  shell: df -B1 --output=used / | tail -1
+  package:
-  register: df1
+    name: python3-venv
-
+    state: present
 # 2025-02-16
 #- name: "Install package: python3-psutil"
 #  package:
 #    name: python3-psutil
 #    state: present
 - name: Remove previous virtual environment {{ jupyterhub_venv }}
  file:
    path: "{{ jupyterhub_venv }}"
    state: absent
 - name: Make 3 directories to hold JupyterHub config
  file:
@ -43,18 +33,17 @@
    global: yes
    state: latest
- name: "pip install 3 packages into virtual environment: {{ jupyterhub_venv }} (~316 MB total, after 2 Ansible calls)"
+- name: "pip install 3 packages into virtual environment: {{ jupyterhub_venv }} (~271 MB total, after 2 Ansible calls)"
  pip:
    name:
      - pip
      - wheel
      - jupyterhub
    virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
-    #virtualenv_site_packages: no
+    virtualenv_site_packages: no
-    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2025-02-16
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RasPiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
    #virtualenv_command: python3 -m venv --system-site-packages "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RasPiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
    #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
-    extra_args: "--no-cache-dir --prefer-binary"    # 2021-11-30, 2022-07-07: The "--pre" flag had earlier been needed, for beta-like pre-releases of JupyterHub 2.0.0
+    extra_args: "--no-cache-dir"    # 2021-11-30, 2022-07-07: The "--pre" flag had earlier been needed, for beta-like pre-releases of JupyterHub 2.0.0
 # 2022-07-07: Attempting to "pip install" all 7 together (3 above + 4 below)
 # fails on OS's like 64-bit RasPiOS (but interestingly works on Ubuntu 22.04!)
@ -68,10 +57,9 @@
      - jupyterhub-systemdspawner
      - ipywidgets
    virtualenv: "{{ jupyterhub_venv }}"
-    #virtualenv_site_packages: no
+    virtualenv_site_packages: no
-    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2025-02-16
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    
-    #virtualenv_command: python3 -m venv --system-site-packages "{{ jupyterhub_venv }}"
+    extra_args: "--no-cache-dir"
    extra_args: "--no-cache-dir --prefer-binary"    # 2023-10-01: Lifesaver when recent wheels (e.g. piwheels.org) are inevitably not yet built!  SEE #3560
 - name: "Install from template: {{ jupyterhub_venv }}/etc/jupyterhub/jupyterhub_config.py"
  template:
@ -111,17 +99,6 @@
 # RECORD JupyterHub AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'jupyterhub_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: jupyterhub
    option: jupyterhub_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'jupyterhub_installed: True'"
  set_fact:
    jupyterhub_installed: True
--- a/roles/jupyterhub/templates/jupyterhub_config.py.j2
+++ b/roles/jupyterhub/templates/jupyterhub_config.py.j2
--- a/roles/kalite/tasks/install.yml
+++ b/roles/kalite/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: Download {{ kalite_requirements }} to {{ pip_packages_dir }}/kalite.txt
  get_url:
    url: "{{ kalite_requirements }}"
@ -15,46 +10,36 @@
 #  ignore_errors: yes
 #  when: is_raspbian
- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2) -- if Ubuntu 22.04 / Mint 21'
+- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2)'
  package:
    name:
      - python2
      - python-setuptools    # Provides setuptools-44 on recent OS's (last version compatible with python2)
-      - virtualenv           # Drags in 'python3-virtualenv' which in turn drags in 'python3-pip' -- for Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole}
+      - virtualenv           # For Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole}
    state: present
-  when: is_ubuntu_2204    # Also covers is_linuxmint_21
+  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
- name: Run scripts/install_python2.sh to install python2 and virtualenv -- if Debian 12 or RasPiOS 12
+- name: Use pip to pin setuptools to 44 in {{ kalite_venv }}    # WAS: if Raspbian/Debian > 10 or Ubuntu > 19
  command: "{{ iiab_dir }}/scripts/install_python2.sh"
  when: is_debian_12    # Also covers is_raspbian_12
 - name: Use pip to pin setuptools to 44 in {{ kalite_venv }} -- if Ubuntu 22.04 / Mint 21, Ubuntu 23.10, Debian 12 or RasPiOS 12
  pip:
    name: setuptools==44
    virtualenv: "{{ kalite_venv }}"    # /usr/local/kalite/venv
    virtualenv_site_packages: no
-    virtualenv_command: virtualenv    # Traditionally /usr/bin/virtual/env -- but install_python2.sh (for Ubuntu 23.10+) sets up /usr/local/bin/virtualenv
+    virtualenv_command: /usr/bin/virtualenv
    virtualenv_python: python2.7
    extra_args: "--no-use-pep517 --no-cache-dir --no-python-version-warning"
-  when: is_ubuntu_2204 or is_ubuntu_2310 or is_debian_12    # Also covers is_linuxmint_21 and is_raspbian_12
+  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
  # long form of (is_debian_11+ or is_ubuntu_20+)
- name: Use pip to install ka-lite-static to {{ kalite_venv }} -- if Ubuntu 22.04 / Mint 21, Ubuntu 23.10, Debian 12 or RasPiOS 12
+- name: Use pip to install ka-lite-static to {{ kalite_venv }}
  pip:
    name: ka-lite-static
    version: "{{ kalite_version }}"
    virtualenv: "{{ kalite_venv }}"
    virtualenv_site_packages: no
-    virtualenv_command: virtualenv
+    virtualenv_command: /usr/bin/virtualenv
    virtualenv_python: python2.7
    extra_args: "--no-cache-dir"
  when: is_ubuntu_2204 or is_ubuntu_2310 or is_debian_12    # Also covers is_linuxmint_21 and is_raspbian_12
 # 2024-04-30: Sadly no longer works with Ubuntu 24.04 LTS final release (#3731).
 # So roles/kalite is OS-restricted during initial install, SEE: roles/7-edu-apps/tasks/main.yml
 # CLARIF: If install_python2_kalite-venv_u2404.sh proves no longer useful, it will deprecated in coming months.
 - name: Run scripts/install_python2_kalite-venv_u2404.sh -- if Ubuntu 24.04+ or Mint 22
  command: bash "{{ iiab_dir }}/scripts/install_python2_kalite-venv_u2404.sh"
  when: is_ubuntu and not is_linuxmint and os_ver is version('ubuntu-2404', '>=') or is_linuxmint_22
 - name: "Install from templates: venv wrapper /usr/bin/kalite, unit file /etc/systemd/system/kalite-serve.service"
  template:
@ -65,11 +50,30 @@
    - { src: 'kalite.sh.j2', dest: '/usr/bin/kalite', mode: '0755' }
    - { src: 'kalite-serve.service.j2', dest: '/etc/systemd/system/kalite-serve.service', mode: '0644' }
 # Useless stanza, for 2 reasons: (1) http://box/kalite was never made to work
 # (2) /etc/apache2/sites-available does not exist on many IIAB's w/o Apache
 # - name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
 #   template:
 #     src: kalite.conf
 #     dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
 #   when: apache_installed is defined
 - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes    # WAS: if Raspbian/Debian > 10 or Ubuntu > 19
  replace:
    path: "{{ kalite_venv }}/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py"    # /usr/local/kalite/venv
    regexp: 'a-zA-Z0-9'
    replace: 'a-zA-Z0-9\-'
  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
  # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RasPiOS 11+ too?
 # - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20
 #   replace:
 #     path: "{{ kalite_venv }}/local/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py"
 #     regexp: 'a-zA-Z0-9'
 #     replace: 'a-zA-Z0-9\-'
 #   when: is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19
 #   # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
 - name: Create dir {{ kalite_root }}
  file:
@ -86,17 +90,6 @@
 # RECORD KA Lite AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'kalite_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: kalite
    option: kalite_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'kalite_installed: True'"
  set_fact:
    kalite_installed: True
--- a/roles/kiwix/README.rst
+++ b/roles/kiwix/README.rst
@ -14,7 +14,7 @@ Locations
 - Your ZIM files go in ``/library/zims/content``
 - Your ZIM index files used to go in directories under ``/library/zims/index`` (these index files are increasingly no longer necessary, as most ZIM files produced since 2017 contain an internal search index instead!)
- The URL is http://box/kiwix or http://box.lan/kiwix (both proxied for AWStats, Matomo, ETC)
+- The URL is http://box/kiwix or http://box.lan/kiwix (both proxied for AWStats)
 - Use URL http://box:3000/kiwix if you want to avoid the proxy
 Your ``/library/zims/library.xml`` (containing essential metadata for the ZIM files you've installed) can be regenerated if necessary, by running:
--- a/roles/kiwix/defaults/main.yml
+++ b/roles/kiwix/defaults/main.yml
@ -8,11 +8,11 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
-# ONLINE UPGRADE INSTRUCTIONS:
+# INSTRUCTIONS TO REINSTALL Kiwix:
-# (1) VERIFY VARS IN /etc/iiab/local_vars.yml
+# (1) VERIFY THESE VARS IN /etc/iiab/local_vars.yml
 #     kiwix_install: True
 #     kiwix_enabled: True
-# (2) RUN: cd /opt/iiab/iiab; sudo ./runrole --reinstall kiwix
+# (2) RUN: cd /opt/iiab/iiab; ./runrole --reinstall kiwix
 # FYI /library/zims contains 3 important things:
@ -25,13 +25,13 @@ kiwix_base_url: https://download.kiwix.org/release/kiwix-tools/
 #kiwix_base_url: https://download.kiwix.org/nightly/2022-10-04/
 #kiwix_base_url: "{{ iiab_download_url }}/"    # e.g. https://download.iiab.io/packages/
-kiwix_arch_dict:      # 'dpkg --print-architecture' key would be: (to mitigate #3516 in future, if truly nec?)
+kiwix_arch_dict:
-  #i386:              # ?
+  #i386:
-  i686: i586          # ?
+  i686: i586
-  x86_64: x86_64      # amd64
+  x86_64: x86_64
-  armv6l: armv6       # armhf
+  armv6l: armhf
-  armv7l: armv8       # armhf  BEWARE: armhf version of kiwix-tools suddenly FAILS on 64-bit RasPiOS, since 3.5.0 released 2023-04-28 -- #3574, PR #3576
+  armv7l: armhf
-  aarch64: aarch64    # arm64  BEWARE: "32-bit" RasPiOS suddenly boots 64-bit kernel since March 2023 -- #3516, explained at https://github.com/iiab/iiab/pull/3422#issuecomment-1533441463
+  aarch64: armhf
 # ansible_architecture might also work, if not quite as well:
 # https://stackoverflow.com/questions/66828315/what-is-the-difference-between-ansible-architecture-and-ansible-machine-on-a/66828837#66828837
@ -42,7 +42,6 @@ kiwix_arch: "{{ kiwix_arch_dict[ansible_machine] | default('unsupported') }}"
 # Latest official kiwix-tools release, per Kiwix permalink redirects:
 # https://www.kiwix.org/en/downloads/kiwix-serve/
 # https://github.com/kiwix/container-images/issues/236
 # https://github.com/kiwix/kiwix-tools/issues/623
 kiwix_tar_gz: "kiwix-tools_linux-{{ kiwix_arch }}.tar.gz"
 #kiwix_tar_gz: "kiwix-tools_linux-{{ kiwix_arch }}-3.3.0-1.tar.gz"    # Version can be hard-coded if you prefer (as was done til 2022-10-04)
--- a/roles/kiwix/tasks/install.yml
+++ b/roles/kiwix/tasks/install.yml
@ -6,11 +6,6 @@
  when: kiwix_arch == "unsupported"
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # 1. PUT IN PLACE: /opt/iiab/downloads/kiwix-tools_linux-*.tar.gz, move /opt/iiab/kiwix/bin aside if nec, create essential dirs, and test.zim if nec (library.xml is created later, by enable-or-disable.yml)
 # 2022-10-04: get_url might be removed in future (unarchive below can handle
@ -24,24 +19,6 @@
    timeout: "{{ download_timeout }}"
  register: kiwix_dl    # PATH /opt/iiab/downloads + ACTUAL filename put in kiwix_dl.dest, for unarchive ~28 lines below
 # - name: "2023-05-14: TEMPORARY PATCH REVERTING TO KIWIX-TOOLS 3.4.0 IF BUGGY 32-BIT (armhf) VERSION 3.5.0 IS DETECTED -- #3574"
 #   get_url:
 #     url: https://download.kiwix.org/release/kiwix-tools/kiwix-tools_linux-armhf-3.4.0.tar.gz
 #     dest: "{{ downloads_dir }}"
 #     timeout: "{{ download_timeout }}"
 #   #register: kiwix_dl    # CLOBBERS kiwix_dl.dest WHEN THIS STANZA DOES NOT RUN :/
 #   when: kiwix_dl.dest == "/opt/iiab/downloads/kiwix-tools_linux-armhf-3.5.0.tar.gz"
 #
 # # Ansible does not allow changing individuals subfields in a dictionary, but
 # # this crude hack works, overwriting the entire kiwix_dl dictionary var with
 # # the single (needed) key/value pair.  (Or "register: tmp_dl" could be set
 # # above, if its other [subfields, key/value pairs, etc] really mattered...)
 # - name: "2023-05-15: TEMPORARY PATCH REVERTING TO KIWIX-TOOLS 3.4.0 IF BUGGY 32-BIT (armhf) VERSION 3.5.0 IS DETECTED -- #3574"
 #   set_fact:
 #     kiwix_dl:
 #       dest: /opt/iiab/downloads/kiwix-tools_linux-armhf-3.4.0.tar.gz
 #   when: kiwix_dl.dest == "/opt/iiab/downloads/kiwix-tools_linux-armhf-3.5.0.tar.gz"
 - name: Does {{ kiwix_path }}/bin already exist? (as a directory, symlink or file)
  stat:
    path: "{{ kiwix_path }}/bin"    # /opt/iiab/kiwix
@ -81,8 +58,6 @@
    src: "{{ kiwix_dl.dest }}"    # See ~28 lines above, e.g. /opt/iiab/downloads/kiwix-tools_linux-x86_64-3.3.0-1.tar.gz
    dest: "{{ kiwix_path }}/bin"
    extra_opts: --strip-components=1
    owner: root    # 2023-05-14: When unpacking let's avoid bogus owner/group,
    group: root    # arising from UID/GID on Kiwix's build machine.
 # 3. ENABLE MODS FOR APACHE PROXY IF DEBUNTU
@ -123,17 +98,6 @@
 # 5. RECORD Kiwix AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'kiwix_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: kiwix
    option: kiwix_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'kiwix_installed: True'"
  set_fact:
    kiwix_installed: True
--- a/roles/kolibri/README.rst
+++ b/roles/kolibri/README.rst
@ -24,7 +24,7 @@ Please look in `/opt/iiab/iiab/roles/kolibri/defaults/main.yml <defaults/main.ym
 Automatic Device Provisioning
 -----------------------------
-When kolibri_provision is enabled (e.g. in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_) the installation will set up the following defaults::
+When kolibri_provision is enabled (e.g. in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_) the installation will set up the following defaults::
  kolibri_facility: Kolibri-in-a-Box   
  kolibri_language: en      # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py
--- a/roles/kolibri/defaults/main.yml
+++ b/roles/kolibri/defaults/main.yml
@ -3,21 +3,11 @@
 # kolibri_language: en    # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py
 # Kolibri folder to store its data and configuration files.
 # kolibri_home: "{{ content_base }}/kolibri"    # /library/kolibri
 # kolibri_user: kolibri    # Whereas a vanilla install of Kolibri auto-identifies
 # and saves a 'desktop-like' user like {iiab-admin, pi} to /etc/kolibri/username
 # (generally the user with lowest UID >= 1000) to allow access to USB devices:
 # https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html#changing-the-owner-of-kolibri-system-service
 # https://github.com/learningequality/kolibri-installer-debian/issues/115
 # kolibri_http_port: 8009
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 # 2019-09-27: Pinning to a particular version is unfortunately NOT supported
 # with our new apt approach (.deb installer) at this time.
 # 2019-06-21: Uncomment this pinning line if you want a particular version of
@ -26,12 +16,8 @@
 # https://github.com/iiab/iiab/issues/1675
 # https://github.com/learningequality/kolibri/issues/5664
-# 2024-04-08: Kolibri 0.16.1+ restores install via apt
+# 2022-07-30: UNCOMMENT THE FOLLOWING LINE TO TEST A PARTICULAR .deb INSTALL
 # https://github.com/learningequality/kolibri/issues/11892#issuecomment-2043073998
 # 2022-07-30: UNCOMMENT ONE OF THE FOLLOWING LINES TO TEST A PARTICULAR .deb INSTALL
 # kolibri_deb_url: https://learningequality.org/r/kolibri-deb-latest
 # 2024-02-17: https://github.com/learningequality/kolibri/issues/11892
 # kolibri_deb_url: https://learningequality.org/r/kolibri-deb-next
 # 2019-11-21 issue #2045 - above URL had redirected to this broken Kolibri 0.12.9 release:
 # https://storage.googleapis.com/le-releases/downloads/kolibri/v0.12.9/kolibri_0.12.9-0ubuntu1_all.deb
 #
@ -44,11 +30,19 @@
 # Corresponding to:
 # https://launchpad.net/~learningequality/+archive/ubuntu/kolibri
 # Kolibri folder to store its data and configuration files.
 kolibri_home: "{{ content_base }}/kolibri"    # /library/kolibri
 kolibri_url_without_slash: /kolibri
 kolibri_url: "{{ kolibri_url_without_slash }}/"    # /kolibri/
 kolibri_exec_path: /usr/bin/kolibri
 kolibri_user: kolibri    # Whereas a vanilla install of Kolibri auto-identifies
 # and saves a 'desktop' user like {iiab-admin, pi} to /etc/kolibri/username,
 # towards guaranteeing access to USB devices, per:
 # https://kolibri.readthedocs.io/en/latest/install.html#changing-the-owner-of-kolibri-system-service
 # To populate /library/kolibri with essential/minimum files and dirs.  This
 # provisions Kolibri with facility name, admin acnt / password, preset type,
 # and language.  You can set this to 'False' when reinstalling Kolibri:
--- a/roles/kolibri/tasks/install.yml
+++ b/roles/kolibri/tasks/install.yml
@ -4,40 +4,16 @@
 # https://github.com/learningequality/pi-gen/blob/master/stage2/04-hostapd/offline.yml
 # https://github.com/learningequality/pi-gen/blob/master/stage2/04-hostapd/online.yml
 # Install Kolibri » Debian/Ubuntu
 # https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html
 # Advanced management
 # https://kolibri.readthedocs.io/en/latest/manage/advanced.html
 # Working with Kolibri from the command line
 # https://kolibri.readthedocs.io/en/latest/manage/command_line.html
 # Customize Kolibri settings with the [ /library/kolibri/options.ini ] file
 # https://kolibri.readthedocs.io/en/latest/manage/options_ini.html
 # Test Kolibri server performance
 # https://kolibri.readthedocs.io/en/latest/manage/performance.html
 # Provisioning many servers
 # https://kolibri.readthedocs.io/en/latest/install/provision.html
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: Create Linux user {{ kolibri_user }} and add it to groups {{ apache_user }}, disk
  user:
    name: "{{ kolibri_user }}"
-    groups: "{{ apache_user }}"    # 2023-03-29: Not really necessary (Kolibri is demonstrated to work without group 'www-data').  But it likely doesn't hurt.
+    groups:
-      #- disk    # 2023-03-29: Tested to be unnec with USB sticks (with 64-bit RasPiOS).  FWIW group 'disk' is "Mostly equivalent to root access" according to https://wiki.debian.org/SystemGroups
+      - "{{ apache_user }}"
      - disk
    state: present
    shell: /bin/false
    system: yes
    create_home: no
    home: "{{ kolibri_home }}"
 - name: Create directory {{ kolibri_home }} for Kolibri content, configuration, sqlite3 databases ({{ kolibri_user }}:{{ apache_user }}, by default 0755)
  file:
@ -62,98 +38,83 @@
    dest: /etc/kolibri/daemon.conf
-# https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html claims:
+- name: apt install latest Kolibri .deb from {{ kolibri_deb_url }} (populates {{ kolibri_home }}, migrates database)    # i.e. /library/kolibri
 # "When you use the PPA installation method, upgrades to newer versions
 # will be automatic, provided there is internet access available."
 #
 # IN REALITY: apt upgrading Kolibri is messy, as up-to-5 debconf screens prompt
 # PPL WHO DON'T KNOW with the wrong default username, instead of 'kolibri' :/
 # https://github.com/learningequality/kolibri-installer-debian/pull/117
 # 2022-08-31: keyring /etc/apt/trusted.gpg DEPRECATED as detailed on #3343
 - name: Download Kolibri's apt key to /usr/share/keyrings/learningequality-kolibri.gpg
  shell: |
    gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
    gpg --yes --output /usr/share/keyrings/learningequality-kolibri.gpg --export DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
 # 2024-06-25: Strongly consider PPA "kolibri-proposed" in future...
 # https://github.com/learningequality/kolibri/issues/11892
 # https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html
 - name: Add signed Kolibri PPA 'jammy'
  apt_repository:
    repo: "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu jammy main"
 #   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
 #   #when: is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12    # MINT 21 COVERED BY is_ubuntu_2204
 # - name: Add signed Kolibri PPA 'focal' (if other/older OS's)
 #   apt_repository:
 #     repo: "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu focal main"
 #   when: not (is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12)
 #   #when: not (is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12)
 # - name: Add Kolibri PPA repo 'ppa:learningequality/kolibri' (if is_ubuntu and not is_linuxmint)
 #   apt_repository:
 #     repo: ppa:learningequality/kolibri
 #   when: is_ubuntu and not is_linuxmint
 # 2022-08-19: 'add-apt-repository ppa:learningequality/kolibri' works at CLI on
 # Mint 21 (creating /etc/apt/sources.list.d/learningequality-kolibri-jammy.list)
 # BUT equivalent Ansible command (STANZA ABOVE) failed with error...
 # "Failed to update apt cache: E:The repository 'http://ppa.launchpad.net/learningequality/kolibri/ubuntu vanessa Release' does not have a Release file."
 # ...so for now we special case Mint, similar to Debian (BOTH STANZAS BELOW!)
 # 2022-08-19: https://github.com/learningequality/kolibri/issues/9647 also asks
 # about the warning below, arising no matter if codename is 'focal' or 'jammy'
 # with Kolibri 0.15.6 on Mint 21 -- if you run '/usr/bin/kolibri --version':
 #
 # /usr/lib/python3/dist-packages/pkg_resources/__init__.py:116: PkgResourcesDeprecationWarning: 0.1.43ubuntu1 is an invalid version and will not be supported in a future release
 # warnings.warn(
 # 2022-08-19: 'apt-key list' & 'apt-key del 3194 DD81' are useful if you also
 # want to clear out Kolibri's key from the DEPRECATED /etc/apt/trusted.gpg
 # - name: Add Kolibri PPA repo 'ppa:learningequality/kolibri' with codename 'jammy' (if is_linuxmint_21)
 #   apt_repository:
 #     repo: ppa:learningequality/kolibri
 #     codename: jammy    # CONSOLIDATE THIS SPECIAL CASE STANZA WITH UBUNTU ABOVE IN FUTURE?
 #   when: is_linuxmint_21
 # - name: Add Kolibri PPA repo 'ppa:learningequality/kolibri' with codename 'focal' (if is_debian or is_linuxmint_20)
 #   apt_repository:
 #     repo: ppa:learningequality/kolibri
 #     codename: focal    # UPDATE THIS TO 'jammy' AFTER "RasPiOS Bookworm" (based on Debian 12) IS RELEASED! (ETA Q3 2023)
 #   when: is_debian or is_linuxmint_20
 # 2024-08-07: Hack no longer needed!  As Kolibri 0.17.0 now installs via "kolibri" PPA (https://launchpad.net/~learningequality/+archive/ubuntu/kolibri).
 # Hopefully "kolibri-proposed" PPA will install 0.18 pre-releases soon, on Python 3.13 too!  https://github.com/learningequality/kolibri/issues/11892
 # - name: '2024-06-25 TEMPORARY HACK: Hard code kolibri_deb_url to Kolibri 0.17.x (pre-release or final release) if Python >= 3.12 -- kolibri-proposed PPA should do this automatically in future!'
 #   set_fact:
 #     kolibri_deb_url: https://github.com/learningequality/kolibri/releases/download/v0.17.0/kolibri_0.17.0-0ubuntu1_all.deb
 #   when: python_version is version('3.12', '>=')    # For Ubuntu 24.04, Mint 22, pre-releases of Ubuntu 24.10, and Debian 13 (even if/when "Trixie" changes from Python 3.12 to 3.13!)  Regarding PPA kolibri-proposed not quite being ready yet, see: learningequality/kolibri#11316 -> learningequality/kolibri#11892
 - name: apt install kolibri (using apt source specified above, if kolibri_deb_url ISN'T defined)
  apt:
-    name: kolibri
+    deb: "{{ kolibri_deb_url }}"    # https://learningequality.org/r/kolibri-deb-latest
-  when: kolibri_deb_url is undefined
+  environment:
-  # environment:
+    KOLIBRI_HOME: "{{ kolibri_home }}"    # These don't do a thing for now but
-  #   KOLIBRI_HOME: "{{ kolibri_home }}"    # 2023-03-27: These don't do a thing
+    KOLIBRI_USER: "{{ kolibri_user }}"    # both can't hurt & Might Help Later
  #   KOLIBRI_USER: "{{ kolibri_user }}"    # for now.
 - name: apt install {{ kolibri_deb_url }} (if kolibri_deb_url IS defined)
  apt:
    deb: "{{ kolibri_deb_url }}"    # e.g. https://learningequality.org/r/kolibri-deb-latest
  when: kolibri_deb_url is defined
  # environment:
  #   KOLIBRI_HOME: "{{ kolibri_home }}"    # 2023-03-27: These don't do a thing
  #   KOLIBRI_USER: "{{ kolibri_user }}"    # for now.
 - block:    # ELSE...
  # https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html says:
  # "When you use the PPA installation method, upgrades to newer versions
  # will be automatic, provided there is internet access available."
  #
  # IN REALITY: apt upgrading Kolibri is risky, as 3 pink/blue screens prompt
  # PPL WHO DON'T KNOW TO TYPE IN things like Linux username 'kolibri' :/ #3356
  # 2022-08-31: keyring /etc/apt/trusted.gpg DEPRECATED as detailed on #3343
  - name: Download Kolibri's apt key to /usr/share/keyrings/learningequality-kolibri.gpg
    shell: |
      gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
      gpg --yes --output /usr/share/keyrings/learningequality-kolibri.gpg --export DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
  - name: Add signed Kolibri PPA 'jammy' (if Ubuntu 22.04+ or Mint 21 or Debian 12)
    apt_repository:
      repo: "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu jammy main"
    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
    #when: is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12    # MINT 21 COVERED BY is_ubuntu_2204
  - name: Add signed Kolibri PPA 'focal' (if other/older OS's)
    apt_repository:
      repo: "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu focal main"
    when: not (is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12)
    #when: not (is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12)
  # - name: Add Kolibri PPA repo 'ppa:learningequality/kolibri' (if is_ubuntu and not is_linuxmint)
  #   apt_repository:
  #     repo: ppa:learningequality/kolibri
  #   when: is_ubuntu and not is_linuxmint
  # 2022-08-19: 'add-apt-repository ppa:learningequality/kolibri' works at CLI on
  # Mint 21 (creating /etc/apt/sources.list.d/learningequality-kolibri-jammy.list)
  # BUT equivalent Ansible command (STANZA ABOVE) failed with error...
  # "Failed to update apt cache: E:The repository 'http://ppa.launchpad.net/learningequality/kolibri/ubuntu vanessa Release' does not have a Release file."
  # ...so for now we special case Mint, similar to Debian (BOTH STANZAS BELOW!)
  # 2022-08-19: https://github.com/learningequality/kolibri/issues/9647 also asks
  # about the warning below, arising no matter if codename is 'focal' or 'jammy'
  # with Kolibri 0.15.6 on Mint 21 -- if you run '/usr/bin/kolibri --version':
  #
  # /usr/lib/python3/dist-packages/pkg_resources/__init__.py:116: PkgResourcesDeprecationWarning: 0.1.43ubuntu1 is an invalid version and will not be supported in a future release
  # warnings.warn(
  # 2022-08-19: 'apt-key list' & 'apt-key del 3194 DD81' are useful if you also
  # want to clear out Kolibri's key from the DEPRECATED /etc/apt/trusted.gpg
  # - name: Add Kolibri PPA repo 'ppa:learningequality/kolibri' with codename 'jammy' (if is_linuxmint_21)
  #   apt_repository:
  #     repo: ppa:learningequality/kolibri
  #     codename: jammy    # CONSOLIDATE THIS SPECIAL CASE STANZA WITH UBUNTU ABOVE IN FUTURE?
  #   when: is_linuxmint_21
  # - name: Add Kolibri PPA repo 'ppa:learningequality/kolibri' with codename 'focal' (if is_debian or is_linuxmint_20)
  #   apt_repository:
  #     repo: ppa:learningequality/kolibri
  #     codename: focal    # UPDATE THIS TO 'jammy' AFTER "RasPiOS Bookworm" (based on Debian 12) IS RELEASED! (ETA Q3 2023)
  #   when: is_debian or is_linuxmint_20
  - name: apt install kolibri (populates {{ kolibri_home }}, migrates database)    # i.e. /library/kolibri
    apt:
      name: kolibri
    environment:
      KOLIBRI_HOME: "{{ kolibri_home }}"    # These don't do a thing for now but
      KOLIBRI_USER: "{{ kolibri_user }}"    # both can't hurt & Might Help Later
  when: kolibri_deb_url is undefined
 - name: Run 'rm -rf /root/.kolibri' to remove "unavoidable" pollution created above
  file:
    state: absent
    path: /root/.kolibri
 - name: 'Install from template: /etc/systemd/system/kolibri.service'
  template:
@ -162,8 +123,8 @@
 - name: Stop 'kolibri' systemd service, for Kolibri provisioning (after daemon_reload)
  systemd:
    daemon_reload: yes
    name: kolibri
    daemon_reload: yes
    state: stopped
@ -184,13 +145,9 @@
 #   become_user: "{{ kolibri_user }}"
 #   when: kolibri_provision
 # Run "kolibri manage help provisiondevice" to see CLI options, e.g.:
 #   --facility_settings FACILITY_SETTINGS
 #                         JSON file containing facility settings
 #   --device_settings DEVICE_SETTINGS
 #                         JSON file containing device settings
 - name: 'Provision Kolibri, while setting: facility name, admin acnt / password, preset type, and language'
  shell: >
    export KOLIBRI_HOME="{{ kolibri_home }}" &&
    "{{ kolibri_exec_path }}" manage provisiondevice --facility "{{ kolibri_facility }}"
    --superusername "{{ kolibri_admin_user }}" --superuserpassword "{{ kolibri_admin_password }}"
    --preset "{{ kolibri_preset }}" --language_id "{{ kolibri_language }}"
@ -199,22 +156,15 @@
  become: yes
  become_user: "{{ kolibri_user }}"
  when: kolibri_provision
  environment:
    KOLIBRI_HOME: "{{ kolibri_home }}"     # 2023-03-27: Required!
    #KOLIBRI_USER: "{{ kolibri_user }}"    # 2023-03-27: Not nec due to /etc/kolibri/username ?
 - name: chown -R {{ kolibri_user }}:{{ apache_user }} {{ kolibri_home }} for good measure?
  file:
    path: "{{ kolibri_home }}"     # /library/kolibri
    owner: "{{ kolibri_user }}"    # kolibri
    group: "{{ apache_user }}"     # www-data (on Debian/Ubuntu/Raspbian)
    recurse: yes
  when: kolibri_provision
 # 2023-03-25: Likely overkill (let's strongly consider removing this stanza?)
 # Certainly, setting owner (recursively) is advised when moving /library/kolibri :
 # https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html#changing-the-owner-of-kolibri-system-service
 # 2023-03-27: Commented out on a provisional basis (Spring Cleaning)
 # - name: chown -R {{ kolibri_user }}:{{ apache_user }} {{ kolibri_home }} for good measure?
 #   file:
 #     path: "{{ kolibri_home }}"     # /library/kolibri
 #     owner: "{{ kolibri_user }}"    # kolibri
 #     group: "{{ apache_user }}"     # www-data (on Debian/Ubuntu/Raspbian)
 #     recurse: yes
 #   when: kolibri_provision
 # 2019-10-07: Moved to roles/httpd/tasks/main.yml
 # 2019-09-29: roles/kiwix/tasks/kiwix_install.yml installs 4 Apache modules
@ -226,17 +176,6 @@
 # RECORD Kolibri AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'kolibri_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: kolibri
    option: kolibri_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'kolibri_installed: True'"
  set_fact:
    kolibri_installed: True
--- a/roles/lokole/tasks/install.yml
+++ b/roles/lokole/tasks/install.yml
@ -2,16 +2,12 @@
 # https://github.com/iiab/iiab/blob/master/roles/www_base/templates/iiab-refresh-wiki-docs.sh#L51-L52
- name: Record (initial) disk space used
+- name: Install 14 packages for Lokole
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: Install 12 packages for Lokole
  apt:
    name:
      #- python3    # 2022-12-21: IIAB pre-req, see scripts/local_facts.fact
-      #- python3-pip
+      - python3-pip
      - python3-venv
      - python3-dev
      - python3-bcrypt    # 2019-10-14: Should work across modern Linux OS's
      #- bcrypt does not exist on Ubuntu 19.10
@ -138,17 +134,6 @@
 # RECORD Lokole AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'lokole_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: lokole
    option: lokole_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'lokole_installed: True'"
  set_fact:
    lokole_installed: True
--- a/roles/matomo/README.adoc
+++ b/roles/matomo/README.adoc
@ -4,7 +4,7 @@ https://matomo.org/[Matomo] is a web analytics alternative to Google Analytics,
 == Install it
-Prior to installing Matomo with IIAB, the default URL (http://box.lan/matomo) can be customized in https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F[/etc/iiab/local_vars.yml]
+Prior to installing Matomo with IIAB, the default URL (http://box.lan/matomo) can be customized in https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F[/etc/iiab/local_vars.yml]
 One way to do that is by changing these 2 lines:
--- a/roles/matomo/tasks/install.yml
+++ b/roles/matomo/tasks/install.yml
@ -12,26 +12,6 @@
 # fatal: [127.0.0.1]: FAILED! => {"cache_control": "private, no-cache, no-store", "changed": false, "connection": "close", "content_type": "text/html; charset=utf-8", "date": "Wed, 15 Jun 2022 05:07:41 GMT", "elapsed": 0, "expires": "Thu, 19 Nov 1981 08:52:00 GMT", "msg": "Status code was 500 and not [200]: HTTP Error 500: Internal Server Error", "pragma": "no-cache", "redirected": false, "server": "nginx/1.18.0 (Ubuntu)", "set_cookie": "MATOMO_SESSID=psak3aem27vrdrt8t2f016600f; path=/; HttpOnly; SameSite=Lax", "status": 500, "transfer_encoding": "chunked", "url": "http://box.lan/matomo/index.php?action=welcome", "x_matomo_request_id": "fbfd2"}
 - name: "Set 'mysql_install: True' and 'mysql_enabled: True'"
  set_fact:
    mysql_install: True
    mysql_enabled: True
 - name: MYSQL - run 'mysql' role (attempt to install & enable MySQL / MariaDB)
  include_role:
    name: mysql
 - name: FAIL (STOP THE INSTALL) IF 'mysql_installed is undefined'
  fail:
    msg: "Matomo install cannot proceed, as MySQL / MariaDB is not installed."
  when: mysql_installed is undefined
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # https://matomo.org/faq/on-premise/matomo-requirements/
 - name: Install Matomo's recommended PHP extensions
  package:
@ -67,7 +47,7 @@
    priv: "{{ matomo_db_name }}.*:ALL"
    #login_unix_socket: /var/run/mysqld/mysqld.sock
- name: Download and Extract Matomo (~3 min)
+- name: Download and Extract Matomo (~1 min)
  unarchive:
    src: "{{ matomo_dl_url }}"    # e.g. https://builds.matomo.org/matomo.tar.gz
    dest: "{{ matomo_path }}"     # e.g. /library/www
@ -259,17 +239,6 @@
 # RECORD Matomo AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'matomo_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: matomo
    option: matomo_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'matomo_installed: True'"
  set_fact:
    matomo_installed: True
--- a/roles/matomo/tasks/main.yml
+++ b/roles/matomo/tasks/main.yml
@ -21,7 +21,7 @@
 - block:
-  - name: Enable/Disable/Reload NGINX for Matomo
+  - name: Enable/Disable/Reload NGINX for OSM, if nginx_enabled
    include_tasks: nginx.yml
  - name: Install Matomo if 'matomo_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
--- a/roles/matomo/tasks/nginx.yml
+++ b/roles/matomo/tasks/nginx.yml
@ -1,10 +1,10 @@
- name: Enable http://box/matomo via NGINX, by installing {{ nginx_conf_dir }}/matomo-nginx.conf from template
+- name: Enable http://box/maps & http://box/matomo via NGINX, by installing {{ nginx_conf_dir }}/matomo-nginx.conf from template
  template:
    src: matomo-nginx.conf.j2
    dest: "{{ nginx_conf_dir }}/matomo-nginx.conf"    # /etc/nginx/conf.d
  when: matomo_enabled
- name: Disable http://box/matomo via NGINX, by removing {{ nginx_conf_dir }}/matomo-nginx.conf
+- name: Disable http://box/maps & http://box/matomo via NGINX, by removing {{ nginx_conf_dir }}/matomo-nginx.conf
  file:
    path: "{{ nginx_conf_dir }}/matomo-nginx.conf"    # /etc/nginx/conf.d
    state: absent
--- a/roles/matomo/templates/matomo-nginx.conf.j2
+++ b/roles/matomo/templates/matomo-nginx.conf.j2
@ -1,5 +1,3 @@
 location ~ ^/matomo/(config|tmp|core|lang) { deny all; return 403; }
 location ~ ^/matomo(.*)\.php(.*)$ {
    alias /library/www/matomo$1.php$2;    # /library/www/matomo
    proxy_set_header X-Real-IP  $remote_addr;
--- a/roles/mediawiki/defaults/main.yml
+++ b/roles/mediawiki/defaults/main.yml
@ -4,7 +4,7 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
-mediawiki_major_version: "1.43"    # "1.40" quotes nec if trailing zero
+mediawiki_major_version: 1.39    # "1.35" also works
 mediawiki_minor_version: 0
 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
--- a/roles/mediawiki/tasks/install.yml
+++ b/roles/mediawiki/tasks/install.yml
@ -1,23 +1,3 @@
 - name: "Set 'mysql_install: True' and 'mysql_enabled: True'"
  set_fact:
    mysql_install: True
    mysql_enabled: True
 - name: MYSQL - run 'mysql' role (attempt to install & enable MySQL / MariaDB)
  include_role:
    name: mysql
 - name: FAIL (STOP THE INSTALL) IF 'mysql_installed is undefined'
  fail:
    msg: "MediaWiki install cannot proceed, as MySQL / MariaDB is not installed."
  when: mysql_installed is undefined
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # https://www.mediawiki.org/wiki/Manual:Installation_requirements#PHP
 - name: 'Install packages: php{{ php_version }}-intl, php{{ php_version }}-mbstring, php{{ php_version }}-xml'
  package:
@ -115,17 +95,6 @@
 # RECORD MediaWiki AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'mediawiki_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: mediawiki
    option: mediawiki_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'mediawiki_installed: True'"
  set_fact:
    mediawiki_installed: True
--- a/roles/minetest/tasks/install.yml
+++ b/roles/minetest/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: Check for Minetest world file ({{ minetest_world_dir }}/world.mt)
  stat:
    path: "{{ minetest_world_dir }}/world.mt"
@ -12,6 +7,9 @@
  file:
    state: directory
    path: /library/games
    # owner: root
    # group: root
    # mode: '0755'
 - include_tasks: minetest_install.yml
  when: not minetest_world.stat.exists
@ -37,20 +35,8 @@
      url: https://content.minetest.net/packages/sfan5/worldedit/releases/13367/download/
  when: minetest_default_game == "minetest"
 # RECORD Minetest AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'minetest_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: minetest
    option: minetest_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'minetest_installed: True'"
  set_fact:
    minetest_installed: True
--- a/roles/mongodb/defaults/main.yml
+++ b/roles/mongodb/defaults/main.yml
@ -20,18 +20,7 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
-mongodb_arch_dict:
+mongodb_64bit_version: 6.0    # 2022-10-23: 4.4 fails on Debian 12 x86_64:
  armv6l: unsupported    # WAS: 3.0
  armv7l: unsupported    # WAS: 3.0
  aarch64: 5.0
  i386: unsupported
  x86_64: 6.0
 mongodb_version: "{{ mongodb_arch_dict[ansible_machine] | default('unknown') }}"    # A bit safer than ansible_architecture (see kiwix/defaults/main.yml)
 #mongodb_arm64_version: 5.0    # 2023-02-24: MongoDB 6.0.4 fails to install on
 #                              # 64-bit RasPiOS 11, as it doesn't offer libssl3.
 #mongodb_amd64_version: 6.0    # 2022-10-23: 4.4 fails on Debian 12 x86_64:
 # "No package matching 'mongodb-org' is available".  5.0+ fail on "pre-2011"
 # CPU's w/o AVX, and on RPi due to MongoDB compiling these for v8.2-A (RPi 4 is
 # ARM v8-A).  SO IIAB ALWAYS OVERLAYS andyfelong.com's 5.0.5 IF 5.0+ SPECIFIED.
--- a/roles/mongodb/tasks/install.yml
+++ b/roles/mongodb/tasks/install.yml
@ -1,14 +1,8 @@
 # MongoDB Install Docs:
 # https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
 # https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-ubuntu/
 # https://www.mongodb.com/docs/manual/installation/
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # 1. INSTALL MongoDB PACKAGES AND/OR BINARIES
 # 2019-02-02: Sugarizer with Node.js 10.x requires MongoDB 2.6+ so
@ -21,316 +15,232 @@
 # CLARIF: mongodb_stretch_3_0_14_core.zip IS IN FACT 3.0.14 (core) BUT...
 #         mongodb_stretch_3_0_14_tools.zip IS REALLY 3.0.15 (tools)
-# - debug:
+- block:
-#     msg: '9-STANZA BLOCK BELOW, RUNS *IF* 32-BIT -- i.e. not (ansible_architecture == "aarch64" or ansible_architecture == "x86_64") -- WILL LIKELY BE REMOVED SOON IN 2023, as MongoDB 3.0.1 is insufficient for Sugarizer Server 1.5.0''s new MongoDB 3.2+ REQUIREMENT: https://github.com/iiab/iiab/pull/3478#issuecomment-1444395170'
+  - name: Create dir /tmp/mongodb-3.0.1x (aarch32)
    file:
      path: /tmp/mongodb-3.0.1x
      state: directory
-# - block:
+  - name: Download & unzip 20MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
-#   - name: Create dir /tmp/mongodb-3.0.1x (aarch32)
+    unarchive:
-#     file:
+      remote_src: yes
-#       path: /tmp/mongodb-3.0.1x
+      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # https://download.iiab.io/packages
-#       state: directory
+      dest: /tmp/mongodb-3.0.1x
-#   - name: Download & unzip 20MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
+  - name: Install (move) its 3 CORE binaries from /tmp/mongodb-3.0.1x/core to /usr/bin (aarch32)
-#     unarchive:
+    shell: mv /tmp/mongodb-3.0.1x/core/* /usr/bin
 #       remote_src: yes
 #       src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # https://download.iiab.io/packages
 #       dest: /tmp/mongodb-3.0.1x
-#   - name: Install (move) its 3 CORE binaries from /tmp/mongodb-3.0.1x/core to /usr/bin (aarch32)
+  - name: Download & unzip 15MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
-#     shell: mv /tmp/mongodb-3.0.1x/core/* /usr/bin
+    unarchive:
      remote_src: yes
      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_tools.zip"
      dest: /tmp/mongodb-3.0.1x
-#   - name: Download & unzip 15MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
+  - name: Install (move) its 9 TOOLS binaries from /opt/iiab/downloads/mongodb-3.0.1x/tools to /usr/bin (aarch32)
-#     unarchive:
+    shell: mv /tmp/mongodb-3.0.1x/tools/* /usr/bin
 #       remote_src: yes
 #       src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_tools.zip"
 #       dest: /tmp/mongodb-3.0.1x
-#   - name: Install (move) its 9 TOOLS binaries from /opt/iiab/downloads/mongodb-3.0.1x/tools to /usr/bin (aarch32)
+  - name: Create Linux group mongodb (aarch32)
-#     shell: mv /tmp/mongodb-3.0.1x/tools/* /usr/bin
+    group:
      name: mongodb
      state: present
-#   - name: Create Linux group mongodb (aarch32)
+  - name: Create Linux user mongodb (aarch32)
-#     group:
+    user:
-#       name: mongodb
+      name: mongodb
-#       state: present
+      group: mongodb    # primary group
      groups: mongodb
      home: /var/lib/mongodb
      shell: /usr/sbin/nologin
-#   - name: Create Linux user mongodb (aarch32)
+  - name: Install {{ mongodb_conf }} from template (aarch32)
-#     user:
+    template:
-#       name: mongodb
+      src: mongod.conf.j2
-#       group: mongodb    # primary group
+      dest: "{{ mongodb_conf }}"    # /etc/mongod.conf
 #       groups: mongodb
 #       home: /var/lib/mongodb
 #       shell: /usr/sbin/nologin
-#   - name: Install {{ mongodb_conf }} from template (aarch32)
+  - name: 'Create 2 dirs: /var/lib/mongodb, /var/log/mongodb (mongodb:mongodb)'
-#     template:
+    file:
-#       src: mongod.conf.j2
+      state: directory
-#       dest: "{{ mongodb_conf }}"    # /etc/mongod.conf
+      path: "{{ item }}"
      owner: mongodb
      group: mongodb
    with_items:
      - /var/lib/mongodb
      - /var/log/mongodb
-#   - name: 'Create 2 dirs: /var/lib/mongodb, /var/log/mongodb (mongodb:mongodb)'
+  # end block
-#     file:
+  when: not (ansible_architecture == "x86_64" or ansible_architecture == "aarch64")
 #       state: directory
 #       path: "{{ item }}"
 #       owner: mongodb
 #       group: mongodb
 #     with_items:
 #       - /var/lib/mongodb
 #       - /var/log/mongodb
-#   # end block
+# 32-bit OS's are handled above: this should handle aarch32 including 32-bit
 #   when: not (ansible_architecture == "x86_64" or ansible_architecture == "aarch64")    # ansible_machine is a bit safer than ansible_architecture (see kiwix/defaults/main.yml)
 # - debug:
 #     msg: 9-STANZA BLOCK ABOVE, RAN *IF* 32-BIT -- i.e. not (ansible_architecture == "aarch64" or ansible_architecture == "x86_64")
 # 32-bit OS's [WERE] handled above: this should handle aarch32 including 32-bit
 # Ubuntu from https://ubuntu.com/download/raspberry-pi but Ubuntu 20.04+ and
 # 22.04+ 32-bit might fail untested, and 32-bit Intel might puke as this was
 # orginally deployed for Raspbian.  (Haven't seen bootable 32-bit Intel
 # installers for a while now.)  64-bit OS's proceed below.
 # - debug:
 #     msg: 16-STANZA BLOCK BELOW, RUNS *IF* 64-BIT -- i.e. ansible_architecture == "aarch64" or ansible_architecture == "x86_64"
 # - block:
 - name: Add mongodb.org signing key (only 64-bit available) for MongoDB version {{ mongodb_version }}
  # https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
  shell: wget -qO - https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc | gpg --dearmor > /usr/share/keyrings/mongodb.gpg
  #shell: wget -qO - https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc | apt-key add -
  #shell: wget -qO - https://pgp.mongodb.com/server-{{ mongodb_version }}.asc | apt-key add -
  #args:
  #  warn: no
  # Ansible 2.14 ERROR:
  # "Unsupported parameters for (ansible.legacy.command) module: warn.
  # Supported parameters include: removes, strip_empty_ends, _raw_params,
  # _uses_shell, stdin_add_newline, creates, chdir, executable, argv, stdin."
 # 2023-01-19: MongoDB only offers x86_64 for Debian, AND IN ANY CASE all their
 # MongoDB 6.0's are ONLY COMPILED FOR ARM v8.2-A i.e. FAIL ON ARM v8-A RPi 4,
 # LIKE THEIR MongoDB 5.0 tested 2022-06-07 ~137 lines below.  Tested on Deb 11.
 # -> DELETE THIS STANZA AFTER DEBIAN 12 IS SOLID -- USING UBUNTU REPO BELOW ?
 - name: Install mongodb-org's Debian bullseye source/repo [ arch=amd64 ] for MongoDB version {{ mongodb_version }}, if x86_64 Debian < 12
  apt_repository:
    # 2020-10-28 and 2022-06-09: https://repo.mongodb.org/apt/debian/dists/
    # supports only {Buster 10, Stretch 9, Jessie 8, Wheezy 7}.  So Bullseye
    # 11 and Bookworm 12 (testing branch) revert to buster for now:
    # 2022-09-27: Changed from 'buster' to 'bullseye' (i.e. Debian 11) as
    # this was recently added to https://repo.mongodb.org/apt/debian/dists/
    repo: deb [ arch=amd64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main
    #repo: deb https://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main
    #repo: deb https://repo.mongodb.org/apt/debian {{ ansible_distribution_release }}/mongodb-org/4.4 main
    #filename: mongodb-org
  when: is_debian and os_ver is version('debian-12', '<') and ansible_architecture == "x86_64"
 - name: Install mongodb-org's Ubuntu jammy source/repo [ arch=amd64 ] for MongoDB version {{ mongodb_version }}, if other x86_64 OS
  apt_repository:
    repo: deb [ arch=amd64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/{{ mongodb_version }} multiverse
  when: not (is_debian and os_ver is version('debian-12', '<')) and ansible_architecture == "x86_64"
 # 2023-01-19: Tested on x86_64 VM's with Ubuntu 22.04 & Debian 12.  Based on
 # MongoDB 6.0.3 (released 2022-11-15) instructions here:
 # https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
 # WHEREAS 64-bit Raspberry Pi is likely NOT supported for now, as MongoDB 6.0
 # IS ONLY COMPILED FOR ARM v8.2-A i.e. FAIL ON ARM v8-A RPi 4 (JUST LIKE THEIR
 # MongoDB 5.0, tested 2022-06-07 ~116 lines below).  Though MongoDB 6.0.3+ on
 # 64-bit Ubuntu on Raspberry Pi hardware (MIGHT) hypothetically be possible:
 # https://www.mongodb.com/developer/products/mongodb/mongodb-on-raspberry-pi/
 # So IIAB overlays MongoDB 5.0.5 64-bit RPi binaries for now (~141 LINES BELOW!)
 - name: Otherwise, install mongodb-org's Ubuntu focal source/repo [ arch=arm64 ] for MongoDB version {{ mongodb_version }}
  apt_repository:
    repo: deb [ arch=arm64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_version }} multiverse
    #repo: deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_version }} multiverse
    #repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_version }} multiverse
    #filename: mongodb-org
  when: not ansible_architecture == "x86_64"
  #when: is_ubuntu or is_debian and os_ver is version('debian-12', '>=')
  #when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint and os_ver is version('linuxmint-12', '>=') or is_debian and os_ver is version('debian-12', '>=')
  #when: not (is_debian and ansible_architecture == "x86_64")
 # 2022-10-23: Force-install MongoDB on Ubuntu 22.04+, Mint 21 & Debian 12;
 # as each includes libssl3 not libssl1.1 (#3190).  LATER REMOVE ALL 7 STANZAS
 # BELOW, IF/WHEN MongoDB ONE DAY FINALLY SUPPORTS libssl3 ?  (MongoDB 6.2 fix
 # may be backported to 6.0, according to 2022-09-29 "official" gossip here...)
 # https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/58
 # https://askubuntu.com/questions/1403619/mongodb-install-fails-on-ubuntu-22-04-depends-on-libssl1-1-but-it-is-not-insta/1403683#1403683
 # echo "deb http://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list
 # sudo apt-get update
 # sudo apt-get install libssl1.1
 # rm /etc/apt/sources.list.d/focal-security.list
 # 2023-02-25: RETROFITTING libssl1.1 STILL NEC on Ubuntu 22.04+ and Debian 12+
 # *IF* MongoDB < 6.0 (e.g. RPi, where MongoDB 6.0 is a complete non-starter!)
 #
 # Whereas libssl1.1 is thankfully NO LONGER NEC on x86_64, where MongoDB can
 # finally use libssl3 instead, since 2022-11-15:
 # https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
 - debug:
    msg: 5-STANZA BLOCK FOLLOWS, TO FORCE INSTALL libssl1.1 -- runs *IF* mandated mongodb_version ({{ mongodb_version }}) < 6.0 (i.e. for aarch64/arm64) on Ubuntu 22.04+ or Debian 12+ -- whereas Linux Mint should never need libssl1.1
 - block:
  - name: Add mongodb.org signing key (only 64-bit support available) for MongoDB version {{ mongodb_64bit_version }}
    shell: wget -qO - https://www.mongodb.org/static/pgp/server-{{ mongodb_64bit_version }}.asc | apt-key add -
    #shell: wget -qO - https://pgp.mongodb.com/server-{{ mongodb_64bit_version }}.asc | apt-key add -
    #args:
    #  warn: no
    # Ansible 2.14 ERROR:
    # "Unsupported parameters for (ansible.legacy.command) module: warn.
    # Supported parameters include: removes, strip_empty_ends, _raw_params,
    # _uses_shell, stdin_add_newline, creates, chdir, executable, argv, stdin."
-  - name: Install OLD source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if Ubuntu
+  # 2022-10-23: MongoDB only allows auto-install of Debian's x86_64, AND IN ANY
  # CASE all their MongoDB 6.0's are ONLY COMPILED FOR ARM v8.2-A i.e. FAIL ON
  # ARM v8-A RPi 4, LIKE THEIR MongoDB 5.0 tested 2022-06-07 ~120 lines below.
  # -> CAN THIS ENTIRE STANZA BE *DELETED* -- ALWAYS USING UBUNTU REPO BELOW ?
  - name: Install mongodb-org's Debian bullseye source/repo [ arch=amd64 ] for MongoDB version {{ mongodb_64bit_version }}
    apt_repository:
      # 2020-10-28 and 2022-06-09: https://repo.mongodb.org/apt/debian/dists/
      # supports only {Buster 10, Stretch 9, Jessie 8, Wheezy 7}.  So Bullseye
      # 11 and Bookworm 12 (testing branch) revert to buster for now:
      # 2022-09-27: Changed from 'buster' to 'bullseye' (i.e. Debian 11) as
      # this was recently added to https://repo.mongodb.org/apt/debian/dists/
      repo: deb https://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_64bit_version }} main
      #repo: deb https://repo.mongodb.org/apt/debian {{ ansible_distribution_release }}/mongodb-org/4.4 main
      #filename: mongodb-org
    when: is_debian and ansible_architecture == "x86_64"
  # 2022-10-23: RasPiOS Bullseye *MAY* FAIL when 'focal' changed to 'jammy' ?
  - name: Otherwise install mongodb-org's Ubuntu focal source/repo [ arch=amd64,arm64 ] for MongoDB version {{ mongodb_64bit_version }}
    apt_repository:
      repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_64bit_version }} multiverse
      #filename: mongodb-org
    when: not (is_debian and ansible_architecture == "x86_64")
  # 2022-10-23: Force-install MongoDB on Ubuntu 22.04+, Mint 21 & Debian 12;
  # as each includes libssl3 not libssl1.1 (#3190).  LATER REMOVE ALL 7 STANZAS
  # BELOW, IF/WHEN MongoDB ONE DAY FINALLY SUPPORTS libssl3 ?  (MongoDB 6.2 fix
  # may be backported to 6.0, according to 2022-09-29 "official" gossip here...)
  # https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/58
  # https://askubuntu.com/questions/1403619/mongodb-install-fails-on-ubuntu-22-04-depends-on-libssl1-1-but-it-is-not-insta/1403683#1403683
  # echo "deb http://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list
  # sudo apt-get update
  # sudo apt-get install libssl1.1
  # rm /etc/apt/sources.list.d/focal-security.list
  - name: Install source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
    apt_repository:
      repo: deb http://security.ubuntu.com/ubuntu focal-security main
      #filename: focal-security    # If filename focal-security.list is preferred
    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
  - name: Install source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
    apt_repository:
      repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
-    when: is_ubuntu
+    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
-  - name: Install OLD source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian
+  - name: Install source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
    apt_repository:
      repo: deb http://security.debian.org/debian-security bullseye-security main
      #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
-    when: is_debian
+    when: is_debian_12
-  - name: Force install libssl1.1
+  - name: Install libssl1.1 if Ubuntu 22.04+ or Mint 21 or Debian 12 (required by MongoDB below)
    package:
      name: libssl1.1
      state: present
    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
-  - name: Remove OLD source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian
+  - name: Remove source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
    apt_repository:
      repo: deb http://security.debian.org/debian-security bullseye-security main
      #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
      state: absent
-    when: is_debian
+    when: is_debian_12
-  - name: Remove OLD source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if Ubuntu
+  - name: Remove source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
    apt_repository:
      repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
      state: absent
-    when: is_ubuntu
+    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
-  when: mongodb_version is version('6.0', '<') and (is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_debian and os_ver is version('debian-12', '>='))
+  - name: Remove source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
    apt_repository:
      repo: deb http://security.ubuntu.com/ubuntu focal-security main
      state: absent
      #filename: focal-security    # 100% IGNORED during repo deletion
    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
- debug:
+  # # Debian 10 aarch64 might work below but is blocked in main.yml
-    msg: 5-STANZA BLOCK ABOVE, RAN *IF* FORCED INSTALL OF libssl1.1 WAS NEEDED
+  # - name: Use mongodb-org's Ubuntu focal repo for RasPiOS-aarch64
  #   apt_repository:
  #     repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse
  #     filename: mongodb-org
  #   when: is_raspbian and ansible_architecture == "aarch64"
-# - name: Install source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
+  # - name: Use mongodb-org's Ubuntu focal repo for Linux Mint - 64bit only
-#   apt_repository:
+  #   apt_repository:
-#     repo: deb http://security.ubuntu.com/ubuntu focal-security main
+  #     repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse
-#     #filename: focal-security    # If filename focal-security.list is preferred
+  #     filename: mongodb-org
-#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
+  #   when: is_linuxmint
-# - name: Install source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
+  # - name: Use mongodb-org's Ubuntu repo for all non-Mint Ubuntu - 64bit only
-#   apt_repository:
+  #   apt_repository:
-#     repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
+  #     # 2020-10-27: https://repo.mongodb.org/apt/ubuntu/dists/ supports only
-#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
+  #     # {focal 20.04, bionic 18.04, xenial 16.04, trusty 14.04, precise 12.04}
  #     # so other Ubuntu's like groovy 20.10 need to revert to recent LTS repo:
  #     repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse
  #     #repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu {{ ansible_distribution_release }}/mongodb-org/4.4 multiverse
  #     filename: mongodb-org
  #   when: is_ubuntu and not is_linuxmint
-# - name: Install source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
+  - name: "Install packages: mongodb-org, mongodb-org-server"
-#   apt_repository:
+    package:
-#     repo: deb http://security.debian.org/debian-security bullseye-security main
+      name:
-#     #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
+        - mongodb-org    # Meta-package that's auto-installed anyway (SO PROB UNNEC HERE?)
-#   when: is_debian_12
+        - mongodb-org-server
      state: present
-# - name: Install libssl1.1 if Ubuntu 22.04+ or Mint 21 or Debian 12 (required by MongoDB below)
+  - name: Establish {{ mongodb_conf }} dbPath {{ mongodb_db_path }} -- instead of /var/lib/mongodb default -- takes effect on next (re)start of mongodb.service -- via enable-or-disable.yml or via sugarizer.service auto-starting MongoDB on demand
-#   package:
+    lineinfile:
-#     name: libssl1.1
+      path: "{{ mongodb_conf }}"    # /etc/mongod.conf
-#     state: present
+      regexp: '^\s*dbPath:'    # \s = any whitespace char. stackoverflow.com/a/38491899
-#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
+      line: "  dbPath: {{ mongodb_db_path }}"    # /library/dbdata/mongodb
-# - name: Remove source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
+  # GRATUITOUS (port 27017 is already the default)
-#   apt_repository:
+  - name: Establish {{ mongodb_conf }} port {{ mongodb_port }} -- takes effect on next (re)start of mongodb.service -- via enable-or-disable.yml or via sugarizer.service auto-starting MongoDB on demand
-#     repo: deb http://security.debian.org/debian-security bullseye-security main
+    lineinfile:
-#     #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
+      path: "{{ mongodb_conf }}"
-#     state: absent
+      regexp: '^\s*port:'
-#   when: is_debian_12
+      line: "  port: {{ mongodb_port }}"    # 27017
-# - name: Remove source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
+  # 2022-06-07 #3236 MongoDB 5.0.9 "Illegal instruction" on RPi 4...
-#   apt_repository:
+  # https://www.mongodb.com/community/forums/t/core-dump-on-mongodb-5-0-on-rpi-4/115291/14
-#     repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
+  # ...as ARM v8-A < ARM v8.2-A ...also reveals:
-#     state: absent
+  #
-#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
+  # (1) For Intel x86_64, MongoDB 5.x requires Sandy Bridge or later.
  #     For AMD x86_64, MongoDB 5.x requires Bulldozer or later.
  #     Roughly speaking, this means post-2011 CPUs with AVX instructions:
  #     https://github.com/docker-library/mongo/issues/485#issuecomment-891991814
  # (2) dbPath needed fixing in /etc/mongod.conf (~16 lines above) from
  #     /var/lib/mongodb to /library/dbdata/mongodb
  # (3) mongod.lock is effectively NO LONGER A LOCK FILE -- but rather a PID
  #     file (it may be zero bytes, but never goes away) as confirmed with
  #     MongoDB 4.4.14 on RPi 4 and 5.0.9 Ubuntu 22.04 on x86_64.  And now
  #     'mongod --repair --dbpath /library/dbdata/mongodb/' IGNORES mongod.lock
  # (4) mongodb.service needed a more graceful way to shut down than
  #     'killall mongod' (MongoDB 5+ shuts down w/ 15sec quiesce period).
  # (5) MongoDB 6.0 is likely imminent; meantime a 2022-01-12 option (~12
  #     lines below) is MongoDB 5.0.5 compiled for 64-bit RPi 4 and RPi 400:
  # https://andyfelong.com/downloads/raspbian_mongodb_5.0.5.gz
  # https://andyfelong.com/2021/08/mongodb-4-4-under-raspberry-pi-os-64-bit-raspbian64/
-# - name: Remove source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
+  - name: If hardware is Raspberry Pi and mongodb_64bit_version >= 5.0, run 'apt-mark hold mongodb-org mongodb-org-server' -- so MongoDB 5.0.5 binaries {mongo, mongod, mongos} can be installed without apt interfering in future
-#   apt_repository:
+    command: apt-mark hold mongodb-org mongodb-org-server
-#     repo: deb http://security.ubuntu.com/ubuntu focal-security main
+    when: rpi_model != "none" and mongodb_64bit_version is version('5.0', '>=')
 #     state: absent
 #     #filename: focal-security    # 100% IGNORED during repo deletion
 # when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
  - name: If hardware is Raspberry Pi and mongodb_64bit_version >= 5.0, unarchive 76MB {{ iiab_download_url }}//packages/raspbian_mongodb_5.0.5.gz OVERWRITING 5.0.9+ {mongo, mongod, mongos} in /usr/bin
    unarchive:
      remote_src: yes
      src: "{{ iiab_download_url }}/raspbian_mongodb_5.0.5.gz"
      dest: /usr/bin
    when: rpi_model != "none" and mongodb_64bit_version is version('5.0', '>=')
-# # Debian 10 aarch64 might work below but is blocked in main.yml
+  # end block
-# - name: Use mongodb-org's Ubuntu focal repo for RasPiOS-aarch64
+  when: ansible_architecture == "aarch64" or ansible_architecture == "x86_64"
 #   apt_repository:
 #     repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse
 #     filename: mongodb-org
 #   when: is_raspbian and ansible_architecture == "aarch64"
 # - name: Use mongodb-org's Ubuntu focal repo for Linux Mint - 64bit only
 #   apt_repository:
 #     repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse
 #     filename: mongodb-org
 #   when: is_linuxmint
 # - name: Use mongodb-org's Ubuntu repo for all non-Mint Ubuntu - 64bit only
 #   apt_repository:
 #     # 2020-10-27: https://repo.mongodb.org/apt/ubuntu/dists/ supports only
 #     # {focal 20.04, bionic 18.04, xenial 16.04, trusty 14.04, precise 12.04}
 #     # so other Ubuntu's like groovy 20.10 need to revert to recent LTS repo:
 #     repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/5.0 multiverse
 #     #repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu {{ ansible_distribution_release }}/mongodb-org/4.4 multiverse
 #     filename: mongodb-org
 #   when: is_ubuntu and not is_linuxmint
 - name: "Install packages: mongodb-org, mongodb-org-server"
  package:
    name:
      - mongodb-org    # Meta-package that's auto-installed anyway (SO PROB UNNEC HERE?)
      - mongodb-org-server
    state: present
 - name: Establish {{ mongodb_conf }} dbPath {{ mongodb_db_path }} -- instead of /var/lib/mongodb default -- takes effect on next (re)start of mongodb.service -- via enable-or-disable.yml or via sugarizer.service auto-starting MongoDB on demand
  lineinfile:
    path: "{{ mongodb_conf }}"    # /etc/mongod.conf
    regexp: '^\s*dbPath:'    # \s = any whitespace char. stackoverflow.com/a/38491899
    line: "  dbPath: {{ mongodb_db_path }}"    # /library/dbdata/mongodb
 # GRATUITOUS (port 27017 is already the default)
 - name: Establish {{ mongodb_conf }} port {{ mongodb_port }} -- takes effect on next (re)start of mongodb.service -- via enable-or-disable.yml or via sugarizer.service auto-starting MongoDB on demand
  lineinfile:
    path: "{{ mongodb_conf }}"
    regexp: '^\s*port:'
    line: "  port: {{ mongodb_port }}"    # 27017
 # 2022-06-07 #3236 MongoDB 5.0.9 "Illegal instruction" on RPi 4...
 # https://www.mongodb.com/community/forums/t/core-dump-on-mongodb-5-0-on-rpi-4/115291/14
 # ...as ARM v8-A < ARM v8.2-A ...also reveals:
 #
 # (1) For Intel x86_64, MongoDB 5.x requires Sandy Bridge or later.
 #     For AMD x86_64, MongoDB 5.x requires Bulldozer or later.
 #     Roughly speaking, this means post-2011 CPUs with AVX instructions:
 #     https://github.com/docker-library/mongo/issues/485#issuecomment-891991814
 # (2) dbPath needed fixing in /etc/mongod.conf (~16 lines above) from
 #     /var/lib/mongodb to /library/dbdata/mongodb
 # (3) mongod.lock is effectively NO LONGER A LOCK FILE -- but rather a PID
 #     file (it may be zero bytes, but never goes away) as confirmed with
 #     MongoDB 4.4.14 on RPi 4 and 5.0.9 Ubuntu 22.04 on x86_64.  And now
 #     'mongod --repair --dbpath /library/dbdata/mongodb/' IGNORES mongod.lock
 # (4) mongodb.service needed a more graceful way to shut down than
 #     'killall mongod' (MongoDB 5+ shuts down w/ 15sec quiesce period).
 # (5) MongoDB 6.0 is likely imminent; meantime a 2022-01-12 option (~12
 #     lines below) is MongoDB 5.0.5 compiled for 64-bit RPi 4 and RPi 400:
 # https://andyfelong.com/downloads/raspbian_mongodb_5.0.5.gz
 # https://andyfelong.com/2021/08/mongodb-4-4-under-raspberry-pi-os-64-bit-raspbian64/
 - name: If hardware is Raspberry Pi and mongodb_version >= 5.0, run 'apt-mark hold mongodb-org mongodb-org-server' -- so MongoDB 5.0.5 binaries {mongo, mongod, mongos} can be installed without apt interfering in future
  command: apt-mark hold mongodb-org mongodb-org-server
  when: rpi_model != "none" and mongodb_version is version('5.0', '>=')
 - name: If hardware is Raspberry Pi and mongodb_version >= 5.0, unarchive 76MB {{ iiab_download_url }}//packages/raspbian_mongodb_5.0.5.gz OVERWRITING 5.0.9+ {mongo, mongod, mongos} in /usr/bin
  unarchive:
    remote_src: yes
    src: "{{ iiab_download_url }}/raspbian_mongodb_5.0.5.gz"
    dest: /usr/bin
  when: rpi_model != "none" and mongodb_version is version('5.0', '>=')
 #   # end block
 #   when: ansible_architecture == "aarch64" or ansible_architecture == "x86_64"
 # - debug:
 #     msg: 16-STANZA BLOCK ABOVE, RAN *IF* 64-BIT -- i.e. ansible_architecture == "aarch64" or ansible_architecture == "x86_64"    # ansible_machine is a bit safer than ansible_architecture (see kiwix/defaults/main.yml)
 # 2. CONFIGURE MongoDB FOR IIAB
@ -372,17 +282,6 @@
 # 3. RECORD MongoDB AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'mongodb_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: mongodb
    option: mongodb_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'mongodb_installed: True'"
  set_fact:
    mongodb_installed: True
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@ -34,25 +34,19 @@
    var: is_debian
 - debug:
    var: is_raspbian
 - debug:
    var: mongodb_version
-# WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
+# # might be able to lift this once we know using bionic would work
-# RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3422 and #3516
+# - name: EXIT 'mongodb' ROLE & CONTINUE, IF 'is_debian_10 and aarch64 and not is_raspbian' i.e. TRUE DEBIAN with arch64
- name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
+#   fail:    # FORCE IT RED THIS ONCE!
-  command: dpkg --print-architecture
+#     msg: ATTEMPTED MongoDB INSTALLATION WITH (TRUE) DEBIAN aarch64, which is not supported upstream.  Nevertheless IIAB will continue (consider this a warning!)
-  register: dpkg_arch
+#   when: (ansible_architecture == "aarch64") and is_debian_10 and not is_raspbian
- debug:
+#   ignore_errors: yes
-    msg: "'dpkg --print-architecture' output: {{ dpkg_arch.stdout }}"
+
 # ELSE...
 - block:
  - name: EXIT 'mongodb' ROLE, if 'dpkg --print-architecture' appears to be 32-bit (i.e. does not contain "64") or mongodb_version == "unsupported" or ansible_machine not found
    fail:    # FORCE IT RED THIS ONCE!
      msg: MongoDB 3.2+ (as needed by Sugarizer Server 1.5.0) is NO LONGER SUPPORTED on 32-bit Raspberry Pi OS.
    when: not dpkg_arch.stdout is search("64") or mongodb_version == "unsupported" or mongodb_version == "unknown"
    #when: dpkg_arch.stdout == "armhf" or mongodb_version == "unsupported" or mongodb_version == "unknown"
  - name: Install MongoDB if 'mongodb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: mongodb_installed is undefined
--- a/roles/monit/tasks/install.yml
+++ b/roles/monit/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: Install 'monit' package
  package:
    name: monit
@ -40,17 +35,6 @@
 # RECORD Monit AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'monit_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: monit
    option: monit_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'monit_installed: True'"
  set_fact:
    monit_installed: True
--- a/roles/moodle/defaults/main.yml
+++ b/roles/moodle/defaults/main.yml
@ -8,11 +8,11 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
-# October 2024: Currently testing Moodle's main branch is mandatory if your
+# 2022-11-27: Currently testing Moodle's master branch is mandatory if your
-# OS PHP >= 8.4, see moodle/tasks/install.yml for detail!  OR, *IF* your
+# OS PHP >= 8.2, see moodle/tasks/install.yml for detail!  OR, *IF* your
-# OS PHP < 8.4, then {{ moodle_version }} will be attempted:
+# OS PHP < 8.2, then {{ moodle_version }} will be attempted:
-moodle_version: MOODLE_405_STABLE    # Moodle 4.5
+moodle_version: MOODLE_401_STABLE    # Moodle 4.1 LTS
-#moodle_version: main                # e.g. to try Moodle's "weekly" 5.0dev pre-release *EVEN IF* OS PHP < 8.4
+#moodle_version: master              # e.g. to try Moodle's "weekly" 4.2dev pre-release *EVEN IF* OS PHP < 8.2
 moodle_repo_url: https://github.com/moodle/moodle
 #moodle_repo_url: git://git.moodle.org/moodle.git    # 2020-10-16: VERY Slow!
--- a/roles/moodle/tasks/install.yml
+++ b/roles/moodle/tasks/install.yml
@ -6,20 +6,6 @@
 # 2021-06-28: This ALSO now happens in /etc/php/{{ php_version }}/cli/php.ini
 # (as required by Moodle's CLI installer, DESPITE it using fpm/php.ini later!)
 # 2023-12-17: Upgrade instructions via CLI
 # https://docs.moodle.org/en/Administration_via_command_line
 #
 # EXAMPLE:
 # cd /opt/iiab/moodle
 # sudo -u www-data /usr/bin/php admin/cli/maintenance.php --enable
 # cd /opt/iiab
 # mv moodle moodle.bkp
 # git clone https://github.com/moodle/moodle -b MOODLE_403_STABLE --depth 1    # As a regular 'git pull' will likely fail, due to original clone's '--depth 1' -- but no worries: total clone download is just ~100 MB, which expands to ~400 MB
 # cp moodle.bkp/config.php moodle/
 # cd moodle
 # sudo -u www-data /usr/bin/php admin/cli/upgrade.php    # Or later log in to Moodle, to complete the upgrade (i.e. click "Continue" 4-5 times)
 # sudo -u www-data /usr/bin/php admin/cli/maintenance.php --disable
 - name: "Set 'postgresql_install: True' and 'postgresql_enabled: True'"
  set_fact:
@ -31,11 +17,6 @@
    name: postgresql
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # 2021-07-02: Let's monitor & learn from these 2 pages year-by-year:
 # https://docs.moodle.org/19/en/PHP_settings_by_Moodle_version#PHP_Extensions_and_libraries
 # https://github.com/moodlebox/moodlebox/blob/master/roles/packages/vars/main.yml
@ -49,7 +30,7 @@
      #- php{{ php_version }}-common     # 2021-06-27: Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
      #- php{{ php_version }}-cli        # 2021-06-27: Compare to php{{ php_version }}-common just above!  2020-06-15: In the past this included (below) mbstring?  However this is not true on Ubuntu Server 20.04 LTS.
      - php{{ php_version }}-curl        # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
-      #- php{{ php_version }}-exif       # 2022-11-27: Recommended by Moodle 4.1, possibly required by Moodle 4.2 (for image metadata, rotation, etc?)  apt package(s) NOT REQUIRED as it's somehow already installed with PHP's core, as confirmed by 'php -m' & 'php -i' on Ubuntu 22.04 and RasPiOS.
+      #- php{{ php_version }}-exif       # 2022-11-27: Recommended by Moodle 4.1, required by Moodle 4.2 (for image metadata, rotation, etc?)  apt package(s) NOT REQUIRED as it's somehow already installed with PHP's core, as confirmed by 'php -m' & 'php -i' on Ubuntu 22.04 and RasPiOS.
      - php{{ php_version }}-gd          # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
      - php{{ php_version }}-intl        # 2020-12-03: Required by Moodle 3.10+ -- Likewise installed in mediawiki/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
      - php{{ php_version }}-mbstring    # 2020-06-15: Required by Moodle 3.9+ -- Likewise installed in mediawiki/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
@ -68,49 +49,21 @@
  when: php_settings_done is undefined
- name: Does /opt/iiab/moodle exist?
+- name: "MOODLE PRE-RELEASE TESTING: Download (clone) {{ moodle_repo_url }} branch 'master' to {{ moodle_base }} (~389 MB initially, ~416 MB later) if OS PHP {{ php_version }} >= 8.2"
  stat:
    path: /opt/iiab/moodle
  register: opt_iiab_moodle
 # 2023-04-30: Allows re-running (e.g. 'sudo iiab') if git clone was already
 # begun, avoiding this error: (arises from 'www-data' ownership)
 #   "Failed to set a new url https://github.com/moodle/moodle for origin:
 #   fatal: detected dubious ownership in repository at '/opt/iiab/moodle'
 #   To add an exception for this directory, call:
 #   git config --global --add safe.directory /opt/iiab/moodle"
 - name: If /opt/iiab/moodle exists, move it to /tmp/opt-iiab-moodle.old (TO BE DELETED ON NEXT BOOT) -- allows re-running if git clone (below) was already begun
  shell: rm -rf /tmp/opt-iiab-moodle.old && mv /opt/iiab/moodle /tmp/opt-iiab-moodle.old
  when: opt_iiab_moodle.stat.exists
 # WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
 # RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3516
 - name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
  command: dpkg --print-architecture
  register: dpkg_arch
 - name: "2023-04-30: MOODLE 4.2+ REQUIRES PHP 8 AND *FULL* 64-BIT OPERATION -- SO WE REVERT TO TRYING THE OLDER MOODLE 4.1 LTS WHEN NECESSARY -- NOTE PHP 7.x END-OF-LIFE WAS NOVEMBER 2022"
  set_fact:
    moodle_version: MOODLE_401_STABLE    # i.e. Moodle 4.1 LTS
  when: php_version is version('8.0', '<') or not dpkg_arch.stdout is search("64")
 - name: Download (clone) {{ moodle_repo_url }} branch '{{ moodle_version }}' to {{ moodle_base }} (~476 MB initially, ~504 MB later) if OS PHP {{ php_version }} < 8.4
  git:
    repo: "{{ moodle_repo_url }}"    # https://github.com/moodle/moodle
    dest: "{{ moodle_base }}"        # /opt/iiab/moodle
    depth: 1
-    version: "{{ moodle_version }}"    # e.g. MOODLE_404_STABLE (Moodle 4.4)
+    version: master    # For "weekly" Moodle pre-releases: https://download.moodle.org/releases/development/ (e.g. 3.5beta+ in May 2018, 4.1dev in Sept 2022, 4.2dev in Dec 2022)
-  when: php_version is version('8.4', '<')
+  when: php_version is version('8.2', '>=')
- name: "MOODLE PRE-RELEASE TESTING: Download (clone) {{ moodle_repo_url }} branch 'main' to {{ moodle_base }} (~476 MB initially, ~504 MB later) if OS PHP {{ php_version }} >= 8.4"
+- name: Download (clone) {{ moodle_repo_url }} branch '{{ moodle_version }}' to {{ moodle_base }} (~389 MB initially, ~416 MB later) if OS PHP {{ php_version }} < 8.2
  git:
-    repo: "{{ moodle_repo_url }}"
+    repo: "{{ moodle_repo_url }}"    # https://github.com/moodle/moodle
-    dest: "{{ moodle_base }}"
+    dest: "{{ moodle_base }}"        # /opt/iiab/moodle
    depth: 1
-    version: main    # For "weekly" Moodle pre-releases: https://download.moodle.org/releases/development/ (e.g. 3.5beta+ in May 2018, 4.1dev in Sept 2022, 4.2dev in Dec 2022, 4.3dev in May 2023, 4.4dev in Oct 2023, 4.5dev in Apr 2024, 5.0dev in Oct 2024)
+    version: "{{ moodle_version }}"    # e.g. MOODLE_401_STABLE (Moodle 4.1)
-  when: php_version is version('8.4', '>=')
+  when: php_version is version('8.2', '<')
 - name: chown -R {{ apache_user }}:{{ apache_user }} {{ moodle_base }} (by default dirs 755 & files 644)
  file:
@ -188,7 +141,7 @@
 # 2021-11-19: Resolves Moodle error https://github.com/iiab/iiab/issues/3024
 - name: Set cron job to run /opt/iiab/moodle/admin/cli/cron.php every minute (* * * * *) in /var/spool/cron/crontabs/www-data -- per https://docs.moodle.org/310/en/Cron
  cron:
-    name: https://docs.moodle.org/en/Cron
+    name: https://docs.moodle.org/310/en/Cron
    user: www-data
    job: "/usr/bin/php /opt/iiab/moodle/admin/cli/cron.php >/dev/null"
@ -214,17 +167,6 @@
 # RECORD Moodle AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'moodle_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: moodle
    option: moodle_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'moodle_installed: True'"
  set_fact:
    moodle_installed: True
--- a/roles/moodle/templates/moodle-nginx.conf.j2
+++ b/roles/moodle/templates/moodle-nginx.conf.j2
@ -29,7 +29,7 @@ location ~ ^/moodle(.*)\.php(.*)$ {
    # Uncomment to override /etc/php/<VERSION>/fpm/php.ini -- FYI Stage 4's
    # roles/www_options/tasks/main.yml FORCES these same settings and more
    # (equivalent to 'nginx_high_php_limits: True') when 'moodle_install: True' 
-    #fastcgi_param PHP_VALUE "max_execution_time=300\n upload_max_filesize=10000M\n post_max_size=10000M\n max_input_vars=5000";
+    #fastcgi_param PHP_VALUE "max_execution_time=300\n upload_max_filesize=500M\n post_max_size=500M\n max_input_vars=5000";
 }
 location ~ ^/moodle {
--- a/roles/mosquitto/tasks/install.yml
+++ b/roles/mosquitto/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: "Install packages: mosquitto, mosquitto-clients"
  package:
    name: "{{ item }}"
@ -37,17 +32,6 @@
 # RECORD Mosquitto AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'mosquitto_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: mosquitto
    option: mosquitto_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'mosquitto_installed: True'"
  set_fact:
    mosquitto_installed: True
--- a/roles/munin/tasks/enable-or-disable.yml
+++ b/roles/munin/tasks/enable-or-disable.yml
@ -1,9 +1,3 @@
 # SEE ALSO roles/network/tasks/install.yml
 - name: TEMPORARILY REVERT net.ipv6.conf.all.disable_ipv6 to 0 in /etc/sysctl.conf for #3434
  sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: 0
 - name: Enable & Start 'munin-node' systemd service
  systemd:
    name: munin-node
@ -12,12 +6,6 @@
    state: started
  when: munin_enabled
 # SEE ALSO roles/network/tasks/install.yml
 - name: RESTORE net.ipv6.conf.all.disable_ipv6 to 1 in /etc/sysctl.conf for #3434
  sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: 1
 - name: Disable & Stop 'munin-node' systemd service
  systemd:
    name: munin-node
--- a/roles/munin/tasks/install.yml
+++ b/roles/munin/tasks/install.yml
@ -1,15 +1,4 @@
- name: Record (initial) disk space used
+- name: "Install 5 packages: libcgi-fast-perl, munin, munin-node, munin-plugins-extra, python3-passlib"
  shell: df -B1 --output=used / | tail -1
  register: df1
 # SEE ALSO roles/network/tasks/install.yml
 - name: "TEMPORARILY REVERT net.ipv6.conf.all.disable_ipv6 to 0 in /etc/sysctl.conf for #3434"
  sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: 0
 - name: "Install 4 packages: libcgi-fast-perl, munin, munin-node, munin-plugins-extra"
  package:
    name:
      #- libapache2-mod-fcgid
@ -17,28 +6,16 @@
      - munin
      - munin-node
      - munin-plugins-extra
-      #- python3-passlib    # For Ansible module 'htpasswd' in Ansible collection community.general -- used just below
+      - python3-passlib    # For Ansible module 'htpasswd' in Ansible collection community.general -- used just below
    state: present
 - name: pip install 'passlib' into venv /usr/local/ansible -- for Ansible module 'htpasswd' in Ansible collection community.general -- used just below
  pip:
    name: passlib
    virtualenv: /usr/local/ansible
    extra_args: "--upgrade --no-cache-dir --prefer-binary"    # 2023-10-01: Lifesaver when recent wheels (e.g. piwheels.org) are inevitably not yet built!  SEE #3560
 # SEE ALSO roles/network/tasks/install.yml
 - name: RESTORE net.ipv6.conf.all.disable_ipv6 to 1 in /etc/sysctl.conf for #3434
  sysctl:
    name: net.ipv6.conf.all.disable_ipv6
    value: 1
 - name: Establish username/password Admin/changeme in /etc/munin/munin-htpasswd
  htpasswd:
    path: /etc/munin/munin-htpasswd
    name: "{{ munin_username}}"         # Admin
    password: "{{ munin_password }}"    # changeme
- name: If MySQL is installed, let Munin monitor it
+- name: If MySQL is enabled, let Munin monitor it
  copy:
    src: "{{ item }}"
    dest: /etc/munin/plugins/
@ -50,23 +27,11 @@
    - /usr/share/munin/plugins/mysql_queries
    - /usr/share/munin/plugins/mysql_slowqueries
    - /usr/share/munin/plugins/mysql_threads
-  when: mysql_installed
+  when: mysql_enabled
  #when: mysql_enabled
 # RECORD Munin AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'munin_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: munin
    option: munin_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'munin_installed: True'"
  set_fact:
    munin_installed: True
--- a/roles/mysql/tasks/enable-or-disable.yml
+++ b/roles/mysql/tasks/enable-or-disable.yml
@ -1,15 +0,0 @@
 - name: Enable & Start MySQL ({{ mysql_service }}) systemd service, if mysql_enabled
  systemd:
    name: "{{ mysql_service }}"
    daemon_reload: yes
    state: started
    enabled: yes
  when: mysql_enabled
 # We had to start MySQL in order to configure it, now turn if off if not enabled
 - name: Disable & Stop MySQL ({{ mysql_service }}) systemd service, if not mysql_enabled
  systemd:
    name: "{{ mysql_service }}"
    enabled: no
    state: stopped
  when: not mysql_enabled
--- a/roles/mysql/tasks/install.yml
+++ b/roles/mysql/tasks/install.yml
@ -1,24 +1,13 @@
- name: Record (initial) disk space used
+- name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql, python3-pymysql'
  shell: df -B1 --output=used / | tail -1
  register: df1
 - name: 'Install MySQL packages: mariadb-server, mariadb-client, php{{ php_version }}-mysql'
  package:
    name:
      - mariadb-server
      - mariadb-client
      #- php{{ php_version }}-common    # Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
      - php{{ php_version }}-mysql      # Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx.yml, wordpress/tasks/install.yml
-      #- python3-pymysql                # For Ansible modules {mysql_db, mysql_user} in Ansible collection community.mysql -- used in MySQL roles {mediawiki, nextcloud, wordpress} and possibly {elgg, pbx}
+      - python3-pymysql                 # For Ansible modules {mysql_db, mysql_user} in Ansible collection community.mysql -- used in MySQL roles {mediawiki, nextcloud, wordpress} and possibly {elgg, pbx}
    state: present
 - name: pip install 'PyMySQL' into venv /usr/local/ansible -- for Ansible modules {mysql_db, mysql_user} in Ansible collection community.mysql -- used in roles {mediawiki, nextcloud, wordpress, matomo, pbx}
  pip:
    name: PyMySQL
    virtualenv: /usr/local/ansible
    extra_args: "--upgrade --no-cache-dir --prefer-binary"    # 2023-10-01: Lifesaver when recent wheels (e.g. piwheels.org) are inevitably not yet built!  SEE #3560
 # 2020-07-11: 10 PHP package installs moved to roles/www_base/tasks/main.yml
 # php{{ php_version }}-sqlite3 install moved to roles/osm-vector-maps/tasks/install.yml
@ -72,17 +61,6 @@
 # RECORD MySQL AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'mysql_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: mysql
    option: mysql_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'mysql_installed: True'"
  set_fact:
    mysql_installed: True
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@ -26,33 +26,40 @@
    var: mysql_installed
- block:
+- name: Install MySQL if 'mysql_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
  include_tasks: install.yml
  when: mysql_installed is undefined
  - name: Install MySQL if 'mysql_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
    include_tasks: install.yml
    when: mysql_installed is undefined
-  - include_tasks: enable-or-disable.yml
+- name: Enable & Start MySQL ({{ mysql_service }}) systemd service, if mysql_enabled
  systemd:
    name: "{{ mysql_service }}"
    daemon_reload: yes
    state: started
    enabled: yes
  when: mysql_enabled
-  - name: Add 'mysql' variable values to {{ iiab_ini_file }}
+# We had to start MySQL in order to configure it, now turn if off if not enabled
-    ini_file:
+- name: Disable & Stop MySQL ({{ mysql_service }}) systemd service, if not mysql_enabled
-      path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+  systemd:
-      section: mysql
+    name: "{{ mysql_service }}"
-      option: "{{ item.option }}"
+    enabled: no
-      value: "{{ item.value | string }}"
+    state: stopped
-    with_items:
+  when: not mysql_enabled
      - option: name
        value: MySQL
      - option: description
        value: '"MySQL is a widely used free and open source (GPLv2) database, offered by most web hosting services, on a diversity of platforms."'
      - option: mysql_install
        value: "{{ mysql_install }}"
      - option: mysql_enabled
        value: "{{ mysql_enabled }}"
  rescue:
-  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
+- name: Add 'mysql' variable values to {{ iiab_ini_file }}
-    fail:
+  ini_file:
-      msg: ""
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
-    when: not skip_role_on_error
+    section: mysql
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: name
      value: MySQL
    - option: description
      value: '"MySQL is a widely used free and open source (GPLv2) database, offered by most web hosting services, on a diversity of platforms."'
    - option: mysql_install
      value: "{{ mysql_install }}"
    - option: mysql_enabled
      value: "{{ mysql_enabled }}"
--- a/roles/network/defaults/main.yml
+++ b/roles/network/defaults/main.yml
@ -55,7 +55,7 @@ strict_networking: False
 iiab_demo_mode: False
 gui_static_wan: False
 wan_cidr: ""
-virtual_network_devices: "-e wwlan -e ppp -e ap0 -e lo -e br0 -e tun -e br- -e docker -e bridge0 -e veth -e tailscale0"
+virtual_network_devices: "-e wwlan -e ppp -e ap0 -e lo -e br0 -e tun -e br- -e docker -e bridge0 -e veth"
 # Set defaults for discovery process as strings
 wifi1: "not found-1"
@ -71,8 +71,6 @@ iiab_lan_iface: none
 discovered_lan_iface: none
 discovered_wired_iface: none
 discovered_wireless_iface: none
 # use the same case as what `iw reg get` would return with 00 present
 host_country_code_found: UNSET
 # Red Hat
 #iiab_wired_lan_iface: "none"
--- a/roles/network/tasks/NM-debian.yml
+++ b/roles/network/tasks/NM-debian.yml
@ -22,7 +22,7 @@
    dest: /etc/NetworkManager/conf.d/ap0-manage.conf
    src: network/ap0-manage.conf
    mode: 0644
-  when: discovered_wireless_iface != "none" and wifi_up_down
+  when: wifi_up_down
 - name: Copy manage.conf for NetworkManager when wifi_up_down False
  template:
@ -71,14 +71,13 @@
  when: wan_ip != "dhcp"
 - name: Use systemd-networkd to handle br0
-  set_fact:
+  include_tasks: sysd-netd-debian.yml
-    systemd_networkd_active: True
+  when: iiab_lan_iface == "br0" and not systemd_networkd_active
  when: iiab_lan_iface == "br0"
 - name: Reload systemd
  systemd:
    daemon_reload: yes
-  when: not no_net_restart or not iiab_lan_iface == "br0"
+  when: not iiab_lan_iface == "br0"
 - name: Restart the NetworkManager service
  systemd:
--- a/roles/network/tasks/computed_services.yml
+++ b/roles/network/tasks/computed_services.yml
@ -81,3 +81,22 @@
      value: "{{ dnsmasq_enabled }}"
    - option: no_net_restart
      value: "{{ no_net_restart }}"
    - option: hostapd_enabled
      value: "{{ hostapd_enabled }}"
    - option: host_ssid
      value: "{{ host_ssid }}"
    - option: host_wifi_mode
      value: "{{ host_wifi_mode }}"
    - option: host_channel
      value: "{{ host_channel }}"
 - name: Add 'network' variable 'current_client_channel' value if defined, to {{ iiab_ini_file }}
  ini_file:
    dest: "{{ iiab_ini_file }}"
    section: network
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: client_wifi_channel
      value: "{{ current_client_channel.stdout }}"
  when: current_client_channel.stdout is defined
--- a/roles/network/tasks/detected_network.yml
+++ b/roles/network/tasks/detected_network.yml
@ -239,41 +239,6 @@
    iiab_lan_iface: "{{ iiab_wireless_lan_iface }}"
  when: iiab_wireless_lan_iface is defined and nobridge is defined
 - name: Detect WiFi country code in use
  shell: iw reg get | grep country | grep -v UNSET | awk '{print $2}' | sed "s|:||"
  register: REG_DOM
  ignore_errors: True
 - name: Set host_country_code_found
  set_fact:
    host_country_code_found: "{{ REG_DOM.stdout }}"
  when: REG_DOM.stdout is defined and REG_DOM.stdout | length > 0
 - name: Set Wifi Region country to {{ REG_DOM.stdout }} for hostapd when present
  set_fact:
    host_country_code: "{{ REG_DOM.stdout }}"
  when: REG_DOM.stdout is defined and REG_DOM.stdout | length > 0 and wifi_up_down and can_be_ap and has_wifi_gateway is defined
 - name: Detect current Wifi channel
  shell: iw {{ discovered_wireless_iface }} info | grep channel | cut -d' ' -f2
  register: current_client_channel
  when: wifi_up_down and can_be_ap and has_wifi_gateway is defined
 - name: Forcing wifi_up_down to False based on firmware selection "24"
  set_fact:
    wifi_up_down: False
  when: rpi3bplus_rpi4_wifi_firmware == "24"
 - name: Detect "Firmware rejected country setting" in dmesg (invert return code, for intentional red error)
  shell: '! dmesg | grep ieee80211 | grep "Firmware rejected country setting"'
  register: FW_rejected_country
  ignore_errors: True
 - name: Detect country code passed from cmdline in dmesg
  shell: dmesg | grep -om1 'cfg80211\.ieee80211_regdom=\S*' | cut -d= -f2
  register: cmdline_country_code
  ignore_errors: True
 - name: In VM disable LAN - needs local_vars entry to activate
  set_fact:
    iiab_lan_iface: none
@ -330,36 +295,6 @@
      value: "{{ iiab_wan_iface }}"
    - option: can_be_ap
      value: "{{ can_be_ap }}"
    - option: host_country_code_found
      value: "{{ host_country_code_found }}"
    - option: wifi_firmware_43430
      value: "{{ rpizerow_rpi3_wifi_firmware }}"
    - option: wifi_firmware_43455
      value: "{{ rpi3bplus_rpi4_wifi_firmware }}"
 - name: Add 'detected_network' variable 'current_client_channel_found' stdout value ({{ current_client_channel.stdout }}) if defined and non-empty, to {{ iiab_ini_file }}
  ini_file:
    dest: "{{ iiab_ini_file }}"
    section: detected_network
    option: client_wifi_channel_found
    value: "{{ current_client_channel.stdout }}"
  when: current_client_channel.stdout is defined and current_client_channel.stdout != ""
 - name: Add 'detected_network' variable 'FW_rejected_country' stdout value ({{ FW_rejected_country.stdout }}) if defined and non-empty, to {{ iiab_ini_file }}
  ini_file:
    dest: "{{ iiab_ini_file }}"
    section: detected_network
    option: FW_rejected_country
    value: "{{ FW_rejected_country.stdout }}"
  when: FW_rejected_country.stdout is defined and FW_rejected_country.stdout != ""
 - name: Add 'detected_network' variable 'cmdline_country_code' stdout value ({{ cmdline_country_code.stdout }}) if defined and non-empty, to {{ iiab_ini_file }}
  ini_file:
    dest: "{{ iiab_ini_file }}"
    section: detected_network
    option: cmdline_country_code
    value: "{{ cmdline_country_code.stdout }}"
  when: cmdline_country_code.stdout is defined and cmdline_country_code.stdout != ""
 # well if there ever was a point to tell the user things are FUBAR this is it.
 # limit 2 network adapters wifi wired
--- a/roles/network/tasks/hostapd.yml
+++ b/roles/network/tasks/hostapd.yml
@ -3,12 +3,17 @@
    hostapd_enabled: False
  when: (not wifi_up_down and discovered_wireless_iface == iiab_wan_iface) or discovered_wireless_iface == "none" or not can_be_ap
- name: Disable the Access Point 'hostapd' service if hostapd_enabled False
+- name: Disable the Access Point 'hostapd' service
  systemd:
    name: hostapd
    enabled: no
  when: not hostapd_enabled
 - name: Detect current Wifi channel
  shell: iw {{ discovered_wireless_iface }} info | grep channel | cut -d' ' -f2
  register: current_client_channel
  when: discovered_wireless_iface != "none"
 - name: Setting WiFi channel to {{ current_client_channel.stdout }}
  set_fact:
    host_channel: "{{ current_client_channel.stdout }}"
@ -83,35 +88,3 @@
    regexp: '^HOSTAPD_ENABLED=*'
    line: 'HOSTAPD_ENABLED={{ hostapd_enabled }}'
    state: present
 - name: Create /etc/hostapd/hostapd.conf and backup .iiab from template if needed
  template:
    owner: root
    group: root
    mode: 0644
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - { src: 'hostapd/hostapd.conf.j2', dest: '/etc/hostapd/hostapd.conf' }
    - { src: 'hostapd/hostapd.conf.j2', dest: '/etc/hostapd/hostapd.conf.iiab' }
  when: can_be_ap
 - name: Record host_country_code_applied and host_channel in network of {{ iiab_ini_file }}
  ini_file:
    dest: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: network
    option: "{{ item.option }}"
    value: "{{ item.value | string }}"
  with_items:
    - option: hostapd_enabled
      value: "{{ hostapd_enabled }}"
    - option: host_ssid
      value: "{{ host_ssid }}"
    - option: host_wifi_mode
      value: "{{ host_wifi_mode }}"
    - option: wifi_up_down
      value: "{{ wifi_up_down }}"
    - option: host_country_code_applied
      value: "{{ host_country_code }}"
    - option: host_channel
      value: "{{ host_channel }}"
--- a/roles/network/tasks/install.yml
+++ b/roles/network/tasks/install.yml
@ -1,8 +1,3 @@
 - name: Record (initial) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df1
 # 2022-03-16: 'apt show <pkg> | grep Size' revealed download sizes, on 64-bit RasPiOS with desktop.
 - name: Install dnsmasq -- configure LATER in 'network', after Stage 9
@ -18,7 +13,7 @@
 # total download size) and they can help IIAB field operators with BOTH
 # (1) internal WiFi AND (2) USB WiFi devices inserted anytime/later.
- name: 'Install 11 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, networkd-dispatcher, rfkill, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
+- name: 'Install 12 network packages: avahi-daemon, hostapd, iproute2, iptables-persistent, iw, libnss-mdns, netmask, net-tools, networkd-dispatcher, rfkill, wireless-tools, wpasupplicant -- later used by https://github.com/iiab/iiab/tree/master/roles/network'
  package:
    name:
      - avahi-daemon           #   97kB download: RasPiOS (and package libnss-mnds, below) install this regardless -- holdover from the XO days and used to advertise ssh/admin-console being available via avahi-daemon -- used with https://github.com/iiab/iiab/blob/master/roles/network/tasks/avahi.yml
@ -31,19 +26,12 @@
      - libnss-mdns            #   27kB download: RasPiOS (and package avahi-daemon, above) install this regardless -- client-side library -- provides name resolution via mDNS (Multicast DNS) using Zeroconf/Bonjour e.g. Avahi
      - netmask                #   25kB download: Handy utility -- helps determine network masks
      - net-tools              #  248kB download: RasPiOS installs this regardless -- @jvonau suggests possibly deleting this...unless oldtimers really want these older commands in iiab-diagnostics output?
      - networkd-dispatcher    #   15kB download: Dispatcher service for systemd-networkd connection status changes
      - rfkill                 #   87kB download: RasPiOS installs this regardless -- enable & disable wireless devices
      - wireless-tools         #  112kB download: RasPiOS installs this regardless -- manipulate Linux Wireless Extensions
      - wpasupplicant          # 1188kB download: RasPiOS installs this regardless -- client library for connections to a WiFi AP
    state: present
 # 2024-10-02: Legacy apt package 'wireless-tools' no longer offered by Ubuntu
 # 24.10+ (#3805) but FYI: https://en.wikipedia.org/wiki/Wireless_tools_for_Linux
 - name: "Install legacy apt package wireless-tools, if OS still supports it -- or intentionally show (HARMLESS!) red error -- helping to monitor Linux's evolution"
  package:
    name: wireless-tools       #  112kB download: RasPiOS installs this regardless -- manipulate Linux Wireless Extensions
    state: present
  ignore_errors: True    # Intentionally show red error, and continue.
  #failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')
 # 2021-08-17: Debian ignores this, according to 2013 post:
 # https://serverfault.com/questions/511099/debian-ignores-etc-network-if-pre-up-d-iptables
 # - name: Install /etc/network/if-pre-up.d/iptables from template (0755)
@ -67,11 +55,11 @@
    name: "{{ item.name }}"
    value: "{{ item.value }}"
  with_items:
-    - { name: 'net.ipv4.ip_forward', value: '1' }                          # Default: 0.  Masquerading LAN->Internet
+    - { name: 'net.ipv4.ip_forward', value: '1' }  # Masquerading LAN->Internet
-    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }              # Default: 2.  Enable Spoof protection (reverse-path filter)
+    - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
-    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }    # Default: 1.  Do not accept IP source route packets (we are not a router)
+    - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
-    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }               # Very standard in 2020
+    #- { name: 'net.ipv4.tcp_syncookies', value: '1' }  # Very standard in 2020
-    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }               # Default: 0.  Disable IPv6.  SEE ALSO: roles/munin/tasks/install.yml & enable-and-disable.yml
+    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }    # IPv6 disabled
    #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }    # AUTO-SET
    #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' }         # BY ABOVE
@ -107,23 +95,12 @@
    - roles/network/templates/gateway/iiab-internet-on     # Invoked by 1-prep (so full path needed)
    - roles/network/templates/gateway/iiab-internet-off    # Invoked by 1-prep (so full path needed)
- name: 'Install /usr/local/sbin/iiab-netwarn for pop-ups on boot, if iiab-network should be run'
+- name: 'Install /usr/local/sbin/netwarn for pop-ups on boot, if iiab-network should be run'
  include_tasks: roles/network/tasks/netwarn.yml    # Invoked by 1-prep (so full path needed)
 # RECORD Network AS INSTALLED
 - name: Record (final) disk space used
  shell: df -B1 --output=used / | tail -1
  register: df2
 - name: Add 'network_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
  ini_file:
    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
    section: network
    option: network_disk_usage
    value: "{{ df2.stdout|int - df1.stdout|int }}"
 - name: "Set 'network_installed: True'"
  set_fact:
    network_installed: True
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@ -1,3 +1,8 @@
 - name: Select RPi firmware mode
  include_role:
    name: firmware
  when: rpi_model != "none"
 - name: detected_network
  include_tasks: detected_network.yml
@ -56,6 +61,8 @@
  #  when: squid_install and FQDN_changed and iiab_stage|int == 9
  #### Start services
  - name: hostapd
    include_tasks: hostapd.yml
  - name: computed_services
    include_tasks: computed_services.yml
  - name: enable_services
@ -63,13 +70,6 @@
  #### End services
  #### Start network layout
  # 2024-12-18: As `rfkill unblock wifi` formerly in rpi_debian.yml wasn't enough, especially with NM (NetworkManager)
  - name: Run 'raspi-config nonint do_wifi_country {{ host_country_code }}' (using var host_country_code) to unblock WiFi, if RasPiOS
    command: raspi-config nonint do_wifi_country {{ host_country_code }}
    when: is_raspbian
    #ignore_errors: True
  #- name: Redhat networking
  #  include_tasks: ifcfg_mods.yml
  #  when: is_redhat
@ -77,13 +77,13 @@
  - name: NetworkManager in use
    include_tasks: NM-debian.yml
    when: network_manager_active
    #when: is_debuntu and network_manager_active
  - name: systemd-networkd in use
    include_tasks: sysd-netd-debian.yml
    when: systemd_networkd_active
-    #when: systemd_networkd_active and not network_manager_active    # 2023-10-11: NOT the right way to solve #3657 (systemd-resolved issue on RasPiOS 12+) as this would damage Ubuntu/Mint.
+    #when: is_debuntu and systemd_networkd_active
  # 2023-10-11: Should rpi_debian.yml go away in future, now that RasPiOS Bookworm uses NetworkManager?
  - name: Raspbian can use dhcpcd only with no N-M or SYS-NETD active
    include_tasks: rpi_debian.yml
    when: is_raspbian and not network_manager_active
@ -94,20 +94,12 @@
    #when: (not is_raspbian and not network_manager_active and not systemd_networkd_active and is_debuntu) or is_ubuntu_16
  #### end network layout
  - name: hostapd
    include_tasks: hostapd.yml
  - name: Restart services
    include_tasks: restart.yml
  # end block
  when: network_installed is defined and network_enabled
 - name: Select RPi firmware mode
  include_role:
    name: firmware
  when: rpi_model != "none"
 - name: Create {{ iiab_etc_path }}/install-flags/iiab-network-complete on second pass of network role.
  file:
--- a/roles/network/tasks/netwarn.yml
+++ b/roles/network/tasks/netwarn.yml
@ -1,21 +1,21 @@
 # 2022-07-22: SIMILAR TO roles/iiab-admin/tasks/pwd-warnings.yml FOR passwords
 #                    AND roles/www_options/tasks/main.yml        FOR browser
-# 2022-07-22: An /etc/profile.d/ version like /etc/local/sbin/iiab-netwarn but for
+# 2022-07-22: An /etc/profile.d/ version like /etc/local/sbin/netwarn but for
-# shell / ssh logins (across all OS's/distros/window managers) might also make sense?
+# ssh sessions (across all OS's/distros/window managers) might also make sense?
- name: Does directory /home/{{ iiab_admin_user }}/.config/labwc/ exist?
+- name: Does /etc/xdg/lxsession/LXDE-pi/autostart exist?
  stat:
-    path: /home/{{ iiab_admin_user }}/.config/labwc/
+    path: /etc/xdg/lxsession/LXDE-pi/autostart
-  register: labwc_dir
+  register: lxde_pi_autostart_present
- name: If so, add '/usr/local/sbin/iiab-netwarn &' to /home/{{ iiab_admin_user }}/.config/labwc/autostart
+- name: If so, add /usr/local/sbin/netwarn to /etc/xdg/lxsession/LXDE-pi/autostart
  lineinfile:
-    path: /home/{{ iiab_admin_user }}/.config/labwc/autostart    # iiab-admin
+    path: /etc/xdg/lxsession/LXDE-pi/autostart
-    create: yes
+    regexp: '^/usr/local/sbin/netwarn$'
-    line: '/usr/local/sbin/iiab-netwarn &'
+    line: '/usr/local/sbin/netwarn'
-  when: labwc_dir.stat.exists and labwc_dir.stat.isdir
+  when: lxde_pi_autostart_present.stat.exists
 # mate desktop detection based on 'register: nd_dir' in enable_services
@ -39,9 +39,9 @@
 # (Let's insert those here if so, and refine the 'when:' line below.)
- name: 'If a supported graphical OS is detected, install from template: /usr/local/sbin/iiab-netwarn'
+- name: 'If a supported graphical OS is detected, install from template: /usr/local/sbin/netwarn'
  template:
-    src: roles/network/templates/netwarn/iiab-netwarn    # Invoked by 1-prep (so full path needed)
+    src: roles/network/templates/netwarn/netwarn    # Invoked by 1-prep (so full path needed)
    dest: /usr/local/sbin/
    mode: 0755
-  when: (labwc_dir.stat.exists and labwc_dir.stat.isdir) or (mate_dir.stat.exists and mate_dir.stat.isdir)
+  when: lxde_pi_autostart_present or (mate_dir.stat.exists and mate_dir.stat.isdir)
--- a/roles/network/tasks/restart.yml
+++ b/roles/network/tasks/restart.yml
@ -12,32 +12,26 @@
    state: restarted
  with_items:
    - wpa_supplicant
-  when: wifi_up_down and hostapd_enabled and not network_manager_active
+  when: wifi_up_down and hostapd_enabled
- name: Enable & Restart networkd-dispatcher.service
+- name: Create /etc/hostapd/hostapd.conf and backup .iiab from template if needed
-  systemd:
+  template:
-    name: networkd-dispatcher
+    owner: root
-    state: restarted
+    group: root
-    enabled: yes
+    mode: 0644
-    masked: no
+    src: "{{ item.src }}"
-  when: systemd_networkd_active
+    dest: "{{ item.dest }}"
  with_items:
    - { src: 'hostapd/hostapd.conf.j2', dest: '/etc/hostapd/hostapd.conf' }
    - { src: 'hostapd/hostapd.conf.j2', dest: '/etc/hostapd/hostapd.conf.iiab' }
  when: can_be_ap
- name: Clone wifi if needed
+- name: Restart hostapd when WiFi is present but not when using WiFi as gateway with wifi_up_down False
  systemd:
    name: iiab-clone-wifi
    state: restarted
  when: wifi_up_down and can_be_ap and ansible_ap0 is undefined
 - name: Waiting {{ hostapd_wait }} seconds for network to stabilize for ap0
  shell: sleep {{ hostapd_wait }}
  when: ansible_ap0 is undefined
 - name: Restart hostapd when WiFi is present but not when using WiFi as gateway
  systemd:
    name: hostapd
    state: restarted
    daemon_reload: yes
-  when: hostapd_enabled and not no_net_restart
+  when: hostapd_enabled and (wifi_up_down or not no_net_restart)
 # 2022-07-22: @jvonau suggests commenting this out as: "we really don't touch
 # any of the config files... netplan.yml renames one file if it's a container
@ -111,7 +105,7 @@
  systemd:
    name: hostapd
    state: restarted
-  when: hostapd_enabled and not no_net_restart and wifi_slave.stdout is defined and wifi_slave.stdout == 0
+  when: hostapd_enabled and wifi_slave.stdout is defined and wifi_slave.stdout == 0
 #both interfaces.d and systemd-networkd should have br0 available and Appliance lacks br0
 #keep an eye on legacy wifi installs where br0 is present but not 'online' with an ip address
--- a/roles/network/tasks/rpi_debian.yml
+++ b/roles/network/tasks/rpi_debian.yml
@ -39,25 +39,22 @@
  shell: grep country /etc/wpa_supplicant/wpa_supplicant.conf | awk -F = '{print $2}'
  register: country_code
  ignore_errors: True
  when: wifi_up_down and can_be_ap
 - name: Set country code for hostapd to value found in /etc/wpa_supplicant/wpa_supplicant.conf
  set_fact:
    host_country_code: "{{ country_code.stdout }}"
-  when: country_code.stdout is defined and country_code.stdout | length > 0
+  when: country_code is defined and country_code.stdout | length > 0
 - name: Put country code ({{ host_country_code }}) in /etc/wpa_supplicant/wpa_supplicant.conf if nec
  lineinfile:
    path: /etc/wpa_supplicant/wpa_supplicant.conf
    regexp: "^country.*"
    line: country={{ host_country_code }}
-  when: country_code.stdout is defined and country_code.stdout | length == 0
+  when: country_code is defined and country_code.stdout | length == 0
-# 2024-12-18: SEE 'raspi-config nonint do_wifi_country {{ host_country_code }}' in roles/network/tasks/main.yml
+- name: Enable the WiFi with rfkill
-# # This should go away, should only be unblocked by raspi-config
+  shell: rfkill unblock 0
-# - name: Enable the WiFi with rfkill
+  ignore_errors: True
 #   shell: rfkill unblock wifi
 #   ignore_errors: True
 - name: Copy the bridge script for RPi
  template:
@ -79,6 +76,12 @@
  systemd:
    daemon_reload: yes
 - name: Clone wifi if needed
  systemd:
    name: iiab-clone-wifi
    state: restarted
  when: wifi_up_down and can_be_ap and ansible_ap0 is undefined
 - name: Restart the networking service if appropriate
  systemd:
    name: networking
--- a/roles/network/tasks/sysd-netd-debian.yml
+++ b/roles/network/tasks/sysd-netd-debian.yml
@ -1,20 +1,4 @@
 # sysd-netd-debian.yml
 - name: Install networkd-dispatcher
  package:
    name: networkd-dispatcher    #  15kB download: Dispatcher service for systemd-networkd connection status changes
 # 2023-10-14 #3657, #3658, #3659: New RasPiOS 12/Bookworm issue.
 # FWIW Ubuntu >= 22.10 offers 'systemd-resolved' as a distinct apt package.
 # Whereas Ubuntu <= 22.04 bundled the functionality within apt package 'systemd'
 # Debian 12/Bookworm (like Ubuntu >= 22.10) offers it as a distinct package:
 # https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#systemd-resolved
 - name: Install systemd-resolved (or intentionally show red error then continue, if apt package not available)
  package:
    name: systemd-resolved       # 278kB download: For RasPiOS 12/Bookworm
  ignore_errors: yes
  #shell: apt -y install systemd-resolved || true
  #when: is_raspbian and os_ver is version('raspbian-12', '>=')
 - name: Copy the bridge script - Creates br0
  template:
    dest: /etc/systemd/network/IIAB-Bridge.netdev
@ -103,6 +87,12 @@
  systemd:
    daemon_reload: yes
 - name: Clone wifi if needed
  systemd:
    name: iiab-clone-wifi
    state: restarted
  when: wifi_up_down and can_be_ap and ansible_ap0 is undefined
 - name: Enable & Restart systemd-networkd.service
  systemd:
    name: systemd-networkd
@ -116,3 +106,10 @@
    state: restarted
    enabled: yes
    masked: no
 - name: Enable & Restart networkd-dispatcher.service
  systemd:
    name: networkd-dispatcher
    state: restarted
    enabled: yes
    masked: no
--- a/roles/network/templates/gateway/iiab-gen-iptables
+++ b/roles/network/templates/gateway/iiab-gen-iptables
@ -34,12 +34,12 @@ IPTABLES=/usr/sbin/iptables
 IPTABLES_DATA=/etc/sysconfig/iptables
 {% endif %}
-# 2023-02-25: bash scripts using default_vars.yml &/or local_vars.yml
+# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab
 # https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L10-14
 # https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
-# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L23-L39
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
-# https://github.com/iiab/iiab/blob/master/roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
+# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
 # "awk '{print $2}'" almost works, but: (1) Fails to remove outer quotes, and
 # (2) Chops up Ansible vars containing multiple words w/o surrounding quotes.
--- a/roles/network/templates/hostapd/iiab-hotspot-off
+++ b/roles/network/templates/hostapd/iiab-hotspot-off
@ -3,7 +3,7 @@
 echo -e "Networking role disabled\n"
 echo -e "For details, see: https://github.com/iiab/iiab/pull/3302\n"
 {% else %}
-sed -i "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" {{ iiab_env_file }}
+sed -i -e "s/^HOSTAPD_ENABLED.*/HOSTAPD_ENABLED=False/" {{ iiab_env_file }}
 systemctl disable hostapd
 systemctl stop hostapd
 {% if wifi_up_down %}
@ -11,12 +11,13 @@ systemctl disable iiab-clone-wifi.service
 systemctl disable iiab-wifi-test.service
 systemctl stop iiab-clone-wifi.service
 echo " IIAB hotspot access point Disabled"
-#exit 0
+exit 0
 {% else %}
-echo " IIAB hotspot access point Disabled"
+{% if is_raspbian %}
 {% if dhcpcd_result == "enabled" %}
 # hotspot-off before ap0_updown
-sed -i "s/^denyinterfaces/#denyinterfaces/" /etc/dhcpcd.conf
+sed -i -e "s/^denyinterfaces/#denyinterfaces/" /etc/dhcpcd.conf
 systemctl disable hostapd
 systemctl stop hostapd
 #systemctl disable dnsmasq
 #systemctl stop dnsmasq
 systemctl daemon-reload
@ -30,15 +31,13 @@ systemctl restart dhcpcd
 #    ip link set dev wlan0 promisc on
 #fi
 {% else %}
-#ubuntu (or Mint, or pure Debian?)
+#ubuntu
 if [ -f /etc/NetworkManager/conf.d/wifi-manage.conf ]; then
-    sed -i "s|managed=0|managed=1|" /etc/NetworkManager/conf.d/wifi-manage.conf
+    sed -i -e "s|managed=0|managed=1|" /etc/NetworkManager/conf.d/wifi-manage.conf
 fi
-echo -e "\nIf you're enabling upstream WiFi, please reboot now.\n"
+echo -e "\nPlease reboot to enable upstream WiFi access.\n"
-#exit 0
+exit 0
 {% endif %}
 #if dhcpcd_result == "enabled"
 {% endif %}
 #wifi_up_down
 {% endif %}
-#network_enabled
+{% endif %}
--- a/Show more
+++ b/Show more
`@ -1,3 +1,3 @@`
	`# SEE THE NEW<br>[github.com/iiab/iiab/wiki/Contributors-Guide-(EN)](https://github.com/iiab/iiab/wiki/Contributors-Guide-(EN))`	`# SEE THE NEW<br>[github.com/iiab/iiab/wiki/IIAB-Contributors-Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide)`

	`# THANKS!`	`# THANKS!`