Merge pull request #3958 from holta/locale.conf

iiab-diagnostics: Also record /etc/locale.conf (e.g. for Debian 13 Trixie)

.github/workflows/10min-iiab-test-install.yml

@@ -0,0 +1,58 @@
+name: '"10 min" IIAB on Ubuntu 24.04 on x86-64'
+# run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
+
+# https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/ci-cd/github-actions/triggers.html
+on: [push, pull_request, workflow_dispatch]
+
+# on:
+#   push:
+#
+#   pull_request:
+#
+#   # Allows you to run this workflow manually from the Actions tab
+#   workflow_dispatch:
+#
+#   # Set your workflow to run every day of the week from Monday to Friday at 6:00 UTC
+#   schedule:
+#     - cron: "0 6 * * 1-5"
+
+jobs:
+  test-install:
+    runs-on: ubuntu-24.04
+    steps:
+      - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
+      - run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
+      #- name: Dump GitHub context (typically almost 500 lines)
+      #  env:
+      #    GITHUB_CONTEXT: ${{ toJSON(github) }}
+      #  run: echo "$GITHUB_CONTEXT"
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - run: echo "🍏 This job's status is ${{ job.status }}."
+      - name: GitHub Actions "runner" environment
+        run: |
+          uname -a    # uname -srm
+          whoami      # Typically 'runner' instead of 'root'
+          pwd         # /home/runner/work/iiab/iiab == $GITHUB_WORKSPACE == ${{ github.workspace }}
+          # ls
+          # ls $GITHUB_WORKSPACE
+          # ls ${{ github.workspace }}
+          # ls -la /opt    # az, containerd, google, hostedtoolcache, microsoft, mssql-tools, pipx, pipx_bin, post-generation, runner, vsts
+          # apt update
+          # apt dist-upgrade -y
+          # apt autoremove -y
+      - name: Set up /opt/iiab/iiab
+        run: |
+          mkdir /opt/iiab
+          mv $GITHUB_WORKSPACE /opt/iiab
+          mkdir $GITHUB_WORKSPACE    # OR SUBSEQUENT STEPS WILL FAIL ('working-directory: /opt/iiab/iiab' hacks NOT worth it!)
+      - name: Set up /etc/iiab/local_vars.yml
+        run: |
+          sudo mkdir /etc/iiab
+          # touch /etc/iiab/local_vars.yml
+          sudo cp /opt/iiab/iiab/vars/local_vars_none.yml /etc/iiab/local_vars.yml
+      - run: sudo /opt/iiab/iiab/scripts/ansible
+      - run: sudo ./iiab-install
+        working-directory: /opt/iiab/iiab
+      - run: iiab-summary
+      - run: cat /etc/iiab/iiab_state.yml

.github/workflows/30min-iiab-test-install-deb12-on-rpi3.yml

@@ -0,0 +1,65 @@
+name: '"30 min" IIAB on Debian 12 on RPi 3'
+# run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
+
+# https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/ci-cd/github-actions/triggers.html
+on: [push, pull_request, workflow_dispatch]
+
+# on:
+#   push:
+#
+#   pull_request:
+#
+#   # Allows you to run this workflow manually from the Actions tab
+#   workflow_dispatch:
+#
+#   # Set your workflow to run every day of the week from Monday to Friday at 6:00 UTC
+#   schedule:
+#     - cron: "0 6 * * 1-5"
+
+jobs:
+  test-install:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        arch: [debian12]
+        include:
+        - arch: debian12
+          cpu: cortex-a7
+          cpu_info: cpuinfo/raspberrypi_3b
+          base_image: https://raspi.debian.net/daily/raspi_3_bookworm.img.xz
+          # source https://raspi.debian.net/daily-images/
+    steps:
+      #- run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
+      #- run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
+      #- name: Dump GitHub context (typically almost 500 lines)
+      #  env:
+      #    GITHUB_CONTEXT: ${{ toJSON(github) }}
+      #  run: echo "$GITHUB_CONTEXT"
+      - name: Dump matrix context
+        env:
+          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
+        run: echo "$MATRIX_CONTEXT"
+      - uses: actions/checkout@v3.1.0
+      - uses: pguyot/arm-runner-action@v2
+        with:
+          image_additional_mb: 1024
+          base_image: ${{ matrix.base_image }}
+          cpu: ${{ matrix.cpu }}
+          cpu_info: ${{ matrix.cpu_info }}
+          copy_repository_path: /opt/iiab/iiab
+          commands: |
+              echo "🍏 This job's status is ${{ job.status }}."
+              grep Model /proc/cpuinfo
+              uname -a    # uname -srm
+              whoami      # Typically 'root' instead of 'runner'
+              pwd         # /home/runner/work/iiab/iiab == $GITHUB_WORKSPACE == ${{ github.workspace }}
+              apt-get update -y --allow-releaseinfo-change
+              apt-get install --no-install-recommends -y git
+              ls /opt/iiab/iiab
+              mkdir /etc/iiab
+              cp /opt/iiab/iiab/vars/local_vars_none.yml /etc/iiab/local_vars.yml
+              /opt/iiab/iiab/scripts/ansible
+              ./iiab-install
+              cd /opt/iiab/iiab
+              iiab-summary
+              cat /etc/iiab/iiab_state.yml

.github/workflows/30min-iiab-test-install-raspios-on-zero2w.yml

@@ -0,0 +1,77 @@
+name: '"30 min" IIAB on RasPiOS on Zero 2 W'
+# run-name: ${{ github.actor }} is testing out GitHub Actions 🚀
+
+# https://michaelcurrin.github.io/dev-cheatsheets/cheatsheets/ci-cd/github-actions/triggers.html
+on: [push, pull_request, workflow_dispatch]
+
+# on:
+#   push:
+#
+#   pull_request:
+#
+#   # Allows you to run this workflow manually from the Actions tab
+#   workflow_dispatch:
+#
+#   # Set your workflow to run every day of the week from Monday to Friday at 6:00 UTC
+#   schedule:
+#     - cron: "0 6 * * 1-5"
+
+jobs:
+  test-install:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        arch: [aarch64] #[zero_raspbian, zero_raspios, zero2_raspios, aarch64]
+        include:
+        #- arch: zero_raspbian
+        #  cpu: arm1176
+        #  cpu_info: cpuinfo/raspberrypi_zero_w
+        #  base_image: raspbian_lite:latest
+        #- arch: zero_raspios
+        #  cpu: arm1176
+        #  cpu_info: cpuinfo/raspberrypi_zero_w
+        #  base_image: raspios_lite:latest
+        #- arch: zero2_raspios
+        #  cpu: cortex-a7
+        #  cpu_info: cpuinfo/raspberrypi_zero2_w
+        #  base_image: raspios_lite:latest
+        - arch: aarch64
+          cpu: cortex-a53
+          cpu_info: cpuinfo/raspberrypi_zero2_w_arm64
+          base_image: raspios_lite_arm64:latest
+    steps:
+      #- run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
+      #- run: echo "🔎 The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
+      #- name: Dump GitHub context (typically almost 500 lines)
+      #  env:
+      #    GITHUB_CONTEXT: ${{ toJSON(github) }}
+      #  run: echo "$GITHUB_CONTEXT"
+      - name: Dump matrix context
+        env:
+          MATRIX_CONTEXT: ${{ toJSON(matrix) }}
+        run: echo "$MATRIX_CONTEXT"
+      - uses: actions/checkout@v3.1.0
+      - uses: pguyot/arm-runner-action@v2
+        with:
+          image_additional_mb: 1024
+          base_image: ${{ matrix.base_image }}
+          cpu: ${{ matrix.cpu }}
+          cpu_info: ${{ matrix.cpu_info }}
+          copy_repository_path: /opt/iiab/iiab
+          commands: |
+              echo "🍏 This job's status is ${{ job.status }}."
+              #test `uname -m` = ${{ matrix.arch }}
+              grep Model /proc/cpuinfo
+              uname -a    # uname -srm
+              whoami      # Typically 'root' instead of 'runner'
+              pwd         # /home/runner/work/iiab/iiab == $GITHUB_WORKSPACE == ${{ github.workspace }}
+              apt-get update -y --allow-releaseinfo-change
+              apt-get install --no-install-recommends -y git
+              ls /opt/iiab/iiab
+              mkdir /etc/iiab
+              cp /opt/iiab/iiab/vars/local_vars_none.yml /etc/iiab/local_vars.yml
+              /opt/iiab/iiab/scripts/ansible
+              ./iiab-install
+              cd /opt/iiab/iiab
+              iiab-summary
+              cat /etc/iiab/iiab_state.yml

CONTRIBUTING.md

@@ -1,3 +1,3 @@
-# SEE THE NEW<br>[github.com/iiab/iiab/wiki/IIAB-Contributors-Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide)
+# SEE THE NEW<br>[github.com/iiab/iiab/wiki/Contributors-Guide-(EN)](https://github.com/iiab/iiab/wiki/Contributors-Guide-(EN))
 
 # THANKS!

LICENSING.md

@@ -15,6 +15,6 @@ this is to include the following two lines at the top of the file:
     Licensed under the terms of the GNU GPL v2 or later; see LICENSE for details.
 
 All files not containing an explicit copyright notice or terms of license in
-the file are Copyright © 2015-2022, Unleash Kids, and are licensed under the
+the file are Copyright © 2015-2025, Unleash Kids, and are licensed under the
 terms of the GPLv2 license in the file named LICENSE in the root of the
 repository.

README.md

@@ -2,26 +2,26 @@
 
 # Internet-in-a-Box (IIAB)
 
-[Internet-in-a-Box (IIAB)](https://internet-in-a-box.org) is a "learning hotspot" that brings the Internet's crown jewels
+[Internet-in-a-Box (IIAB)](https://internet-in-a-box.org) is a “learning hotspot” that brings the Internet's crown jewels
-(Wikipedia in any language, thousands of Khan Academy videos, zoomable OpenStreetMap, electronic books, WordPress journaling, Toys from Trash electronics projects, ETC) to those without Internet.
+(Wikipedia in any language, thousands of Khan Academy videos, zoomable OpenStreetMap, electronic books, WordPress journaling, “Toys from Trash” electronics projects, ETC) to those without Internet.
 
 You can build your own tiny, affordable server (an offline digital library) for your school, your medical clinic, your prison, your region and/or your very own family — accessible with any nearby smartphone, tablet or laptop.
 
 Internet-in-a-Box gives you the DIY tools to:
 1. Download then drag-and-drop to arrange the [very best of the World’s Free Knowledge](https://internet-in-a-box.org/#quality-content).
-2. Choose among [30+ powerful educational apps](https://wiki.iiab.io/go/FAQ#What_services_.28IIAB_apps.29_are_suggested_during_installation.3F) for your school or learning/teaching community, optionally with a complete LMS (learning management system).
+2. Choose among [30+ powerful educational apps](https://wiki.iiab.io/go/FAQ#What_services_%28IIAB_apps%29_are_suggested_during_installation%3F) for your school or learning/teaching community, optionally with a complete LMS (learning management system).
 3. Exchange local/indigenous knowledge with nearby communities, using our [Manage Content](https://github.com/iiab/iiab-admin-console/blob/master/roles/console/files/help/InstContent.rst#manage-content) interface and possible mesh networking.
 
-FYI this [community product](https://en.wikipedia.org/wiki/Internet-in-a-Box) is enabled by professional volunteers working [side-by-side](https://wiki.iiab.io/go/FAQ#What_are_the_best_places_for_community_support.3F) with schools, clinics and libraries around the world.  *Thank you for being a part of our http://OFF.NETWORK grassroots technology [movement](https://meta.wikimedia.org/wiki/Internet-in-a-Box)!*
+FYI this [community product](https://en.wikipedia.org/wiki/Internet-in-a-Box) is enabled by professional volunteers working [side-by-side](https://wiki.iiab.io/go/FAQ#What_are_the_best_places_for_community_support%3F) with schools, clinics and libraries around the world.  *Thank you for being a part of our http://OFF.NETWORK grassroots technology [movement](https://meta.wikimedia.org/wiki/Internet-in-a-Box)!*
 
 ## Installation
 
-Install Internet-in-a-Box (IIAB) from [download.iiab.io](https://download.iiab.io/)
+Install Internet-in-a-Box (IIAB) from: [**download.iiab.io**](https://download.iiab.io/)
 
-Please see [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ) which has 40+ questions and answers to help you along the way, as you put together the <!--digital--> "local learning hotspot" most suitable for your own teaching/learning community.  Here are 2 ways to install IIAB:
+Please see [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ) which has 50+ questions and answers to help you along the way (e.g. [“Is a quick installation possible?”](https://wiki.iiab.io/go/FAQ#Is_a_quick_installation_possible%3F)) as you put together the <!--digital--> “local learning hotspot” most suitable for your own teaching/learning community.  Here are 2 ways to install IIAB:
 
 - Our [1-line installer](https://download.iiab.io/) gets you the very latest, typically within about an hour, on [different Linux distributions](https://github.com/iiab/iiab/wiki/IIAB-Platforms#operating-systems).
-- [Prefab disk images](https://github.com/iiab/iiab/wiki/Raspberry-Pi-Images:-Summary#iiab-images-for-raspberry-pi) ([.img files](https://archive.org/search.php?query=iiab%20.img&sort=-publicdate)) are sometimes a few months out of date, but can be flashed directly onto a microSD card, for insertion into Raspberry Pi.
+- [Prefab disk images](https://github.com/iiab/iiab/wiki/Raspberry-Pi-Images-~-Summary#iiab-images-for-raspberry-pi) ([.img files](https://archive.org/search.php?query=iiab%20.img&sort=-publicdate)) are sometimes a few months out of date, but can be flashed directly onto a microSD card, for insertion into Raspberry Pi.
 
 Our [HOW-TO videos](https://www.youtube.com/channel/UC0cBGCxr_WPBPa3IqPVEe3g) can be very helpful and the [Installation](https://github.com/iiab/iiab/wiki/IIAB-Installation) wiki page has more intricate details e.g. if you're trying to install Internet-in-a-Box (IIAB) onto a [another Linux](https://github.com/iiab/iiab/wiki/IIAB-Platforms) that has not yet been tried.
 
@@ -29,22 +29,22 @@ See our [Tech Docs Wiki](https://github.com/iiab/iiab/wiki) for more about the u
 
 After you've installed the software, you should [add content](https://github.com/iiab/iiab/wiki/IIAB-Installation#add-content), which can of course take time when downloading multi-gigabyte Content Packs!
 
-Finally, you can [customize your Internet-in-a-Box home page](https://wiki.iiab.io/go/FAQ#How_do_I_customize_my_Internet-in-a-Box_home_page.3F) (typically http://box or http://box.lan) using our **drag-and-drop** Admin Console (http://box.lan/admin) &mdash; to arrange Content Packs and IIAB Apps (services) for your local community's needs.
+Finally, you can [customize your Internet-in-a-Box home page](https://wiki.iiab.io/go/FAQ#How_do_I_customize_my_Internet-in-a-Box_home_page%3F) (typically http://box or http://box.lan) using our **drag-and-drop** Admin Console (http://box.lan/admin) &mdash; to arrange Content Packs and IIAB Apps (services) for your local community's needs.
 
 ## Community
 
 Global community updates and videos are regularly posted to: **[@internet_in_box](https://twitter.com/internet_in_box)**
 
-_Internet-in-a-Box (IIAB) greatly welcomes contributions from educators, librarians and [IT/UX/QA people](https://github.com/iiab/iiab/wiki/Technical-Contributors-Guide) of all kinds!_
+_Internet-in-a-Box (IIAB) greatly welcomes contributions from educators, librarians and [IT/UX/QA people](https://github.com/iiab/iiab/wiki/Contributors-Guide-(EN)) ([versión en español](https://github.com/iiab/iiab/wiki/Gu%C3%ADa-para-Contribuidores-(ES))) of all kinds!_
 
-If you would like to volunteer, please [make contact](https://internet-in-a-box.org/contributing.html) after looking over "[How can I help?](https://wiki.iiab.io/go/FAQ#How_can_I_help.3F)" at: [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ)
+If you would like to volunteer, please [make contact](https://internet-in-a-box.org/contributing.html) after looking over [“How can I help?”](https://wiki.iiab.io/go/FAQ#How_can_I_help%3F) at: [FAQ.IIAB.IO](https://wiki.iiab.io/go/FAQ)
 
 <!-- To learn about our software architecture, check out our [Contributors Guide](https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide).-->
 
-To learn more about our open community architecture for "offline" learning, check out "[What technical documentation exists?](https://wiki.iiab.io/go/FAQ#What_technical_documentation_exists.3F)"
+To learn more about our open community architecture for “offline” learning, check out [“What technical documentation exists?”](https://wiki.iiab.io/go/FAQ#What_technical_documentation_exists%3F)
-FYI we use [Ansible](https://wiki.iiab.io/go/FAQ#What_is_Ansible_and_what_version_should_I_use.3F) <!--as the underlying technology--> to install, deploy, configure and manage the various software components.
+FYI we use [Ansible](https://wiki.iiab.io/go/FAQ#What_is_Ansible_and_what_version_should_I_use%3F) <!--as the underlying technology--> to install, deploy, configure and manage the various software components.
 
-*Thank you for helping us enable offline access to the Internet's free/open knowledge jewels, as well as "Sneakernet-of-Alexandria" distribution of local/indigenous content, when mass media channels do not serve grassroots voices.*
+*Thank you for helping us enable offline access to the Internet's free/open knowledge jewels, as well as “Sneakernet-of-Alexandria” distribution of local/indigenous content, when mass media channels do not serve grassroots voices.*
 
 ## Versions
 

ansible.cfg

@@ -5,4 +5,4 @@
 # Disallowed by Ansible 2.11+ -- see https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
 #squash_actions = apk, apt, dnf, homebrew, openbsd_pkg, pacman, pkgng, yum, zypper, package
 [defaults]
-interpreter_python=/usr/bin/python3
+interpreter_python=/usr/local/ansible/bin/python3

iiab-install

@@ -11,7 +11,7 @@ CWD=`pwd`
 OS=`grep ^ID= /etc/os-release | cut -d= -f2`
 OS=${OS//\"/}    # Remove all '"'
 MIN_RPI_KERN=5.4.0         # Do not use 'rpi-update' unless absolutely necessary: https://github.com/iiab/iiab/issues/1993
-MIN_ANSIBLE_VER=2.11.12    # 2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
+MIN_ANSIBLE_VER=2.16.14    # 2024-11-08: ansible-core 2.15 EOL is November 2024 per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix  2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
 
 REINSTALL=false
 DEBUG=false

iiab-network

@@ -42,7 +42,7 @@ fi
 echo "Ansible will now run iiab-network.yml -- log file is iiab-network.log"
 Start=`date`
 ansible -m setup -i ansible_hosts localhost --connection=local | grep python
-ansible-playbook -i ansible_hosts iiab-network.yml --connection=local
+ansible-playbook -i ansible_hosts iiab-network.yml --extra-vars "{\"skip_role_on_error\":false}" --connection=local
 End=`date`
 
 

roles/0-DEPRECATED-ROLES/httpd/defaults/main.yml

@@ -8,7 +8,7 @@
 # apache_interface: 127.0.0.1
 
 # Make this False to disable http://box/common/services/power_off.php button:
-# apache_allow_sudo: True
+# allow_www_data_poweroff: False
 
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!

roles/0-DEPRECATED-ROLES/openvpn/defaults/main.yml

@@ -1,13 +1,17 @@
+# SECURITY WARNING: https://wiki.iiab.io/go/Security
+
 # openvpn_install: True
 # openvpn_enabled: False
 
-# For /etc/iiab/openvpn_handle
+# Empty string on purpose since ~2016, for /etc/iiab/uuid
+# SEE https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/main.yml#L5-L20
 # openvpn_handle: ""
 
 # cron seems necessary on CentOS:
 # openvpn_cron_enabled: False
 
 # openvpn_server: xscenet.net
+# openvpn_server_real_ip: 3.89.148.185
 # openvpn_server_virtual_ip: 10.8.0.1
 # openvpn_server_port: 1194
 

roles/0-DEPRECATED-ROLES/openvpn/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: "Install packages: ncat, nmap, openvpn, sudo"
   package:
     name:
@@ -100,6 +105,17 @@
 
 # RECORD OpenVPN AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'openvpn_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: openvpn
+    option: openvpn_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'openvpn_installed: True'"
   set_fact:
     openvpn_installed: True

roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support

@@ -10,11 +10,11 @@ DEBUG=false    # Using /usr/bin/true or /usr/bin/false
 PLAYBOOK="install-support.yml"
 INVENTORY="ansible_hosts"
 
-# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
+# 2023-02-25: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab
 # https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L10-14
 # https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
-# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L23-L39
 # https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
 
 # PARSE local_vars.yml JUST AS Ansible & /etc/openvpn/scripts/announcer DO:

roles/0-init/tasks/create_iiab_ini.yml

@@ -1,13 +1,26 @@
-# workaround for fact that auto create does not work on iiab_ini_file (/etc/iiab/iiab.ini)
+- name: Record disk_used_a_priori (permanently, into {{ iiab_ini_file }} below) to later estimate iiab_software_disk_usage
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+# workaround for fact that auto create does not work on iiab_ini_file
 - name: Create {{ iiab_ini_file }}
   file:
-    path: "{{ iiab_ini_file }}"
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
     state: touch
 
-- name: Add 'location' variable values to {{ iiab_ini_file }}
+- name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NOT enough!)
+  command: dpkg --print-architecture
+  register: dpkg_arch
+
+- name: Run command 'dpkg --print-foreign-architectures' (secondary OS arch, if available)
+  command: dpkg --print-foreign-architectures
+  register: dpkg_foreign_arch
+
+
+- name: Add 'summary' variable values to {{ iiab_ini_file }}
   ini_file:
     path: "{{ iiab_ini_file }}"
-    section: location
+    section: summary
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"
   with_items:
@@ -15,18 +28,30 @@
       value: "{{ iiab_base }}"
     - option: iiab_dir
       value: "{{ iiab_dir }}"
+    - option: disk_used_a_priori
+      value: "{{ df1.stdout }}"
 
-- name: Add 'version' variable values to {{ iiab_ini_file }}
+- name: Add 'initial' variable values to {{ iiab_ini_file }}
   ini_file:
     path: "{{ iiab_ini_file }}"
-    section: version
+    section: initial
     option: "{{ item.option }}"
     value: "{{ item.value | string }}"
   with_items:
+    - option: os_ver
+      value: "{{ os_ver }}"
     - option: distribution
-      value: "{{ ansible_distribution }}"
+      value: "{{ ansible_facts['distribution'] }}"
     - option: arch
       value: "{{ ansible_architecture }}"
+    - option: dpkg_arch
+      value: "{{ dpkg_arch.stdout }}"
+    - option: dpkg_foreign_arch
+      value: "{{ dpkg_foreign_arch.stdout }}"
+    - option: rpi_model
+      value: "{{ rpi_model }}"
+    - option: devicetree_model
+      value: "{{ devicetree_model }}"
     - option: iiab_base_ver
       value: "{{ iiab_base_ver }}"
     - option: iiab_remote_url
@@ -39,7 +64,3 @@
       value: "{{ ansible_local.local_facts.iiab_recent_tag }}"
     - option: install_date
       value: "{{ ansible_date_time.iso8601 }}"
-    - option: rpi_model
-      value: "{{ rpi_model }}"
-    - option: devicetree_model
-      value: "{{ devicetree_model }}"

roles/0-init/tasks/main.yml

@@ -34,14 +34,23 @@
 
 # Copies the latest/known version of iiab-diagnostics into /usr/bin (so it can
 # be run even if local source tree /opt/iiab/iiab is deleted to conserve disk).
-- name: Copy iiab-summary & iiab-diagnostics from /opt/iiab/iiab/scripts/ to /usr/bin/
+- name: Copy iiab-update & iiab-summary & iiab-diagnostics & iiab-root-login from /opt/iiab/iiab/scripts/ to /usr/bin/
   copy:
     src: "{{ iiab_dir }}/scripts/{{ item }}"
     dest: /usr/bin/
     mode: '0755'
   with_items:
+    - iiab-update
     - iiab-summary
     - iiab-diagnostics
+    - iiab-root-login
+
+- name: Symlink /usr/bin/iiab-upgrade -> /usr/bin/iiab-update
+  file:
+    src: /usr/bin/iiab-update
+    path: /usr/bin/iiab-upgrade
+    state: link
+    #force: yes
 
 - name: Create globally-writable directory /etc/iiab/diag (0777) so non-root users can run 'iiab-diagnostics'
   file:

roles/0-init/tasks/validate_vars.yml

@@ -64,19 +64,19 @@
 # 2020-11-04: Fix validation of 5 [now 4] core dependencies, for ./runrole etc
 
 
-- name: Set vars_checklist for 44 + 44 + 40 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
+- name: Set vars_checklist for 45 + 45 + 40 vars ("XYZ_install" + "XYZ_enabled" + "XYZ_installed") to be checked
   set_fact:
     vars_checklist:
       - hostapd
       - dnsmasq
       - bluetooth
       - sshd
-      - openvpn
+      #- openvpn            # Deprecated
+      - tailscale
       - remoteit
       - admin_console
       #- nginx              # MANDATORY
       #- apache             # Unmaintained - former dependency
-      #- mysql              # MANDATORY
       - squid
       - cups
       - samba
@@ -85,6 +85,7 @@
       - gitea
       - jupyterhub
       - lokole
+      - mysql               # Dependency - excluded from _installed check below
       - mediawiki
       - mosquitto
       - nodejs              # Dependency - excluded from _installed check below
@@ -155,15 +156,13 @@
     that: "{{ item }}_install or {{ item }}_installed is undefined"
     fail_msg: "DISALLOWED: '{{ item }}_install: False' (e.g. in /etc/iiab/local_vars.yml) WHEN '{{ item }}_installed' is defined (e.g. in /etc/iiab/iiab_state.yml) -- IIAB DOES NOT SUPPORT UNINSTALLS -- please verify those 2 files especially, and other places variables are defined?"
     quiet: yes
-  when: item != 'nodejs' and item != 'postgresql' and item != 'mongodb' and item != 'yarn'    # Exclude auto-installed dependencies
+  when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn'    # Exclude auto-installed dependencies
   loop: "{{ vars_checklist }}"
 
-- name: 'DISALLOW "XYZ_install: True" if deprecated'
+
-  assert:
+- name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked
-    that: "{{ item }}_install is undefined or not {{ item }}_install"
+  set_fact:
-    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
+    vars_deprecated_list:
-    quiet: yes
-  with_items:
       - dhcpd               # Deprecated
       - named               # Deprecated
       - wondershaper        # Deprecated
@@ -175,3 +174,23 @@
       #- dokuwiki           # Unmaintained
       #- ejabberd           # Unmaintained
       #- elgg               # Unmaintained
+
+- name: 'DISALLOW "XYZ_install: True" if deprecated'
+  assert:
+    that: "{{ item }}_install is undefined or not {{ item }}_install"
+    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
+    quiet: yes
+  loop: "{{ vars_deprecated_list }}"
+  # 2023-12-04: ansible-core 2.16.1 suddenly no longer allows 'assert' with
+  # 'with_items' below (whereas 'loop' construct above works!)  BACKGROUND:
+  #
+  #  'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
+  #  conditional expressions with embedded template blocks can fail with the
+  #  message “Conditional is marked as unsafe, and cannot be evaluated.”'
+  #  https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook
+  #
+  # with_items:
+  #   - dhcpd               # Deprecated
+  #   - named               # Deprecated
+  #   - wondershaper        # Deprecated
+  #   - dansguardian        # Deprecated

roles/1-prep/README.adoc

@@ -6,7 +6,7 @@ https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible[stage]
 hardware, low-level OS quirks, and basic security:
 
 * SSHD
-* OpenVPN if/as needed later for remote support
+* Tailscale if/as needed later for remote support
 * https://github.com/iiab/iiab/tree/master/roles/iiab-admin#iiab-admin-readme[iiab-admin]
 username and group, to log into Admin Console
 * dnsmasq (install now, configure later!)

roles/1-prep/tasks/hardware.yml

@@ -7,17 +7,18 @@
   when: first_run and rpi_model != "none"
 
 
-- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
+# 2024-02-09: Code below appears stale for Shanti's #3707 hardware
-  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
+#- name: Check if the identifier for Intel's NUC6 built-in WiFi is present
-  register: usb_NUC6
+#  shell: "lsusb | grep 8087:0a2b | wc | awk '{print $1}'"
-  ignore_errors: True
+#  register: usb_NUC6
-
+#  ignore_errors: True
-- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6
+#
-  get_url:
+#- name: Download {{ iiab_download_url }}/iwlwifi-8000C-13.ucode to /lib/firmware for built-in WiFi on NUC6
-    url: "{{ iiab_download_url }}/iwlwifi-8000C-13.ucode"    # https://download.iiab.io/packages
+#  get_url:
-    dest: /lib/firmware
+#    url: "{{ iiab_download_url }}/Old/iwlwifi-8000C-13.ucode"    # https://download.iiab.io/packages
-    timeout: "{{ download_timeout }}"
+#    dest: /lib/firmware
-  when: usb_NUC6.stdout|int > 0
+#    timeout: "{{ download_timeout }}"
+#  when: usb_NUC6.stdout|int > 0
 
 
 - name: "Look for any WiFi devices present: ls -la /sys/class/net/*/phy80211 | cut -d/ -f5"

roles/1-prep/tasks/main.yml

@@ -3,22 +3,22 @@
 - name: ...IS BEGINNING ============================================
   meta: noop
 
-- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
+- name: SSHD
   include_role:
     name: sshd
   when: sshd_install
 
-- name: OPENVPN
+- name: TAILSCALE (VPN)
   include_role:
-    name: openvpn
+    name: tailscale
-  when: openvpn_install
+  when: tailscale_install
 
 - name: REMOTE.IT
   include_role:
     name: remoteit
   when: remoteit_install
 
-- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
+- name: IIAB-ADMIN -- includes {lynx, screen, sudo-prereqs.yml, admin-user.yml, pwd-warnings.yml}
   include_role:
     name: iiab-admin
   #when: iiab_admin_install    # Flag might be created in future?

roles/1-prep/templates/iiab-expand-rootfs

@@ -8,12 +8,21 @@
 
 # Verifies that rootfs is the last partition.
 
+# RELATED:
+# 1. https://github.com/iiab/iiab-factory/blob/master/box/rpi/min-sd
+# 2. https://github.com/iiab/iiab-factory/blob/master/box/rpi/cp-sd
+# 3. https://github.com/iiab/iiab-factory/blob/master/box/rpi/xz-json-sd
+# OR https://github.com/iiab/iiab-factory/blob/master/box/rpi/exp-sd
+
 if [ -f /.expand-rootfs ] || [ -f /.resize-rootfs ]; then
     echo "$0: Expanding rootfs partition"
 
-    if [ -x /usr/bin/raspi-config ]; then    # Raspberry Pi OS
+    if [ -x /usr/bin/raspi-config ]; then    # Raspberry Pi OS -- WARNING: their fdisk-centric approach of course FAILS with "Hybrid MBR" or GPT partition tables, as required by any drive > 2TB :/
         # 2022-02-17: Uses do_expand_rootfs() from:
         # https://github.com/RPi-Distro/raspi-config/blob/master/raspi-config
+        # 2023-10-05: Official new RPi instructions:
+        # sudo raspi-config nonint do_expand_rootfs
+        # https://www.raspberrypi.com/documentation/computers/configuration.html#expand-filesystem-nonint
         raspi-config --expand-rootfs    # REQUIRES A REBOOT
         rm -f /.expand-rootfs /.resize-rootfs
         reboot                          # In future, we might warn interactive users that a reboot is coming?
@@ -32,7 +41,7 @@ if [ -f /.expand-rootfs ] || [ -f /.resize-rootfs ]; then
         fi
 
         # Expand partition
-        growpart $ROOT_DEV $ROOT_PART_NUM || true    # raspi-config instead uses fdisk.  WARNING: growpart RC 2 is more severe than RC 1, and should possibly be handled separately in future?
+        growpart $ROOT_DEV $ROOT_PART_NUM || true    # raspi-config instead uses fdisk (assuming MBR).  They really should transition to gdisk, as required by any drive > 2TB.  WARNING: growpart RC 2 is more severe than RC 1, and should possibly be handled separately in future?
         rc=$?    # Make Return Code visible, for 'bash -x'
         resize2fs $ROOT_PART
         rc=$?    # Make RC visible (as above)

roles/2-common/tasks/packages.yml

@@ -1,6 +1,6 @@
 # 2022-03-16: 'apt show <pkg> | grep Size' revealed download sizes, on 64-bit RasPiOS with desktop.
 
-- name: "Install 17 common packages: acpid, bzip2, cron, curl, gawk, htop, i2c-tools, logrotate, plocate, pandoc, pastebinit, rsync, sqlite3, tar, unzip, usbutils, wget"
+- name: "Install 19 common packages: acpid, bzip2, cron, curl, gawk, gpg, htop, i2c-tools, logrotate, lshw, pandoc, pastebinit, plocate, rsync, sqlite3, tar, unzip, usbutils, wget"
   package:
     name:
       - acpid              #   55kB download: Daemon for ACPI (power mgmt) events
@@ -11,23 +11,24 @@
       #- exfat-fuse        #   28kB download: 2021-07-27: Should no longer be nec with 5.4+ kernels, so let's try commenting it out
       #- exfat-utils       #   41kB download: Ditto!  See also 'ntfs-3g' below
       - gawk               #  533kB download
+      - gpg                #  884kB download: Debian 12+ (especially!) require this for apt installs of gitea, kolibri, mongodb, yarn
       - htop               #  109kB download: RasPiOS installs this regardless
-      - i2c-tools          #   78kB download: RasPiOS installs this regardless -- Low-level bus/chip/register/EEPROM tools e.g. for RTC
+      - i2c-tools          #   78kB download: Low-level bus/chip/register/EEPROM tools e.g. for RTC
       - logrotate          #   67kB download: RasPiOS installs this regardless
+      - lshw               #  257kB download: For 'lshw -C network' in iiab-diagnostics
       #- lynx              #  505kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
       #- make              #  376kB download: 2021-07-27: Currently used by roles/pbx and no other roles
-      #- mlocate           #   92kB download
-      - plocate            #   97kB download: Faster & smaller than locate & mlocate
       #- ntfs-3g           #  379kB download: RasPiOS installs this regardless -- 2021-07-31: But this should no longer be nec with 5.4+ kernels, similar to exfat packages above -- however, see also this symlink warning: https://superuser.com/questions/1050544/mount-with-kernel-ntfs-and-not-ntfs-3g -- and upcoming kernel 5.15 improvements: https://www.phoronix.com/scan.php?page=news_item&px=New-NTFS-Likely-For-Linux-5.15
       #- openssh-server    #  318kB download: RasPiOS installs this regardless -- this is also installed by 1-prep's roles/sshd/tasks/main.yml to cover all OS's
       - pandoc             #   19kB download: For /usr/bin/iiab-refresh-wiki-docs
       - pastebinit         #   47kB download: For /usr/bin/iiab-diagnostics
-      #- python3-pip       #  337kB download: RasPiOS installs this regardless -- 2021-07-29: And already installed by /opt/iiab/iiab/scripts/ansible -- this auto-installs 'python3-setuptools' and 'python3' etc
+      #- mlocate           #   92kB download
-      #- python3-venv      # 1188kB download: RasPiOS installs this regardless -- 2021-07-30: For Ansible module 'pip' used in roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 auto-installs 'python3-venv' when you install 'python3' -- whereas Ubuntu (e.g. 20.04 & 21.10) and RasPiOS 10 did not.
+      - plocate            #   97kB download: Faster & smaller than locate & mlocate
+      #- python3-pip       #  337kB download: 2023-03-22: Used to be installed by /opt/iiab/iiab/scripts/ansible -- which would auto-install 'python3-setuptools' and 'python3' etc
+      #- python3-venv      # 1188kB download: 2023-03-22: Already installed by /opt/iiab/iiab/scripts/ansible -- used by roles like {calibre-web, jupyterhub, lokole} -- whereas roles/kalite uses (virtual) package 'virtualenv' for Python 2 -- all these 3+1 IIAB roles install 'python3-venv' for themselves.  FYI: Debian 11 no longer auto-installs 'python3-venv' when you install 'python3'
       - rsync              #  351kB download: RasPiOS installs this regardless
       #- screen            #  551kB download: Installed by 1-prep's roles/iiab-admin/tasks/main.yml
       - sqlite3            # 1054kB download
-      #- sudo              #  991kB download: RasPiOS installs this regardless -- (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
       - tar                #  799kB download: RasPiOS installs this regardless
       - unzip              #  151kB download: RasPiOS installs this regardless
       #- usbmount          #   18kB download: Moved to roles/usb_lib/tasks/install.yml

roles/3-base-server/README.rst

@@ -1,10 +1,21 @@
+.. |ss| raw:: html
+
+   <strike>
+
+.. |se| raw:: html
+
+   </strike>
+
+.. |nbsp| unicode:: 0xA0
+   :trim:
+
 ====================
 3-base-server README
 ====================
 
 This 3rd `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs base server infra that `Internet-in-a-Box (IIAB) <https://internet-in-a-box.org/>`_ requires, including:
 
-- `MySQL <https://github.com/iiab/iiab/blob/master/roles/mysql>`_ (database underlying many/most user-facing apps).  This IIAB role also installs apt package:
+- |ss| `MySQL <https://github.com/iiab/iiab/blob/master/roles/mysql>`_ (database underlying many/most user-facing apps). |se| |nbsp|  *As of 2023-11-05, MySQL / MariaDB is NO LONGER INSTALLED by 3-base-server — instead it's installed on-demand — as a dependency of Matomo, MediaWiki, Nextcloud, PBX (for FreePBX), WordPress &/or Admin Console.*  This IIAB role (roles/mysql) also installs apt package:
    - **php{{ php_version }}-mysql** — which forcibly installs **php{{ php_version }}-common**
 - `NGINX <https://github.com/iiab/iiab/blob/master/roles/nginx>`_ web server (with Apache in some lingering cases).  This IIAB role also installs apt package:
    - **php{{ php_version }}-fpm** — which forcibly installs **php{{ php_version }}-cli**, **php{{ php_version }}-common** and **libsodium23**

roles/3-base-server/tasks/main.yml

@@ -3,10 +3,13 @@
 - name: ...IS BEGINNING =====================================
   meta: noop
 
-- name: MYSQL + CORE PHP
+# 2023-11-05: MySQL (actually MariaDB) had been mandatory, installed on every
-  include_role:
+# IIAB by 3-base-server.  Now installed on demand -- as a dependency of Matomo,
-    name: mysql
+# MediaWiki, Nextcloud, PBX (for FreePBX), WordPress &/or Admin Console.
-  #when: mysql_install
+# - name: MYSQL + CORE PHP
+#   include_role:
+#     name: mysql
+#   #when: mysql_install
 
 # 2021-05-21: Apache role 'httpd' is installed as nec by any of these 6 roles:
 #

roles/4-server-options/README.rst

@@ -2,7 +2,7 @@
 4-server-options README
 =======================
 
-Whereas 3-base-server installs critical packages needed by all, this 4th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs a broad array of *options* ⁠— depending on which server apps will be installed in later stages ⁠— as specified in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_
+Whereas 3-base-server installs critical packages needed by all, this 4th `stage <https://github.com/iiab/iiab/wiki/IIAB-Contributors-Guide#ansible>`_ installs a broad array of *options* ⁠— depending on which server apps will be installed in later stages ⁠— as specified in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_
 
 This includes more networking fundamentals, that may further be configured later on.
 
@@ -11,7 +11,7 @@ Specifically, these might be installed:
 - Python libraries
 - SSH daemon
 - Bluetooth for Raspberry Pi
-- Instant-sharing of `USB stick content <https://wiki.iiab.io/go/FAQ#Can_teachers_display_their_own_content.3F>`_
+- Instant-sharing of `USB stick content <https://wiki.iiab.io/go/FAQ#Can_teachers_display_their_own_content%3F>`_
 - CUPS Printing
 - Samba for Windows filesystems
 - `www_options <https://github.com/iiab/iiab/blob/master/roles/www_options/tasks/main.yml>`_

roles/4-server-options/tasks/main.yml

@@ -19,11 +19,6 @@
   #when: pylibs_installed is undefined
   #when: pylibs_install    # Flag might be created in future?
 
-- name: SSHD -- also run by roles/1-prep/tasks/main.yml as required by OpenVPN
-  include_role:
-    name: sshd
-  when: sshd_install
-
 - name: Install Bluetooth - only on Raspberry Pi
   include_role:
     name: bluetooth

roles/6-generic-apps/tasks/main.yml

@@ -29,7 +29,7 @@
 - name: JUPYTERHUB
   include_role:
     name: jupyterhub
-  when: jupyterhub_install and ansible_machine is search("64")    # 2022-11-10: Avoid installing on 32-bit, until RasPiOS fixes Rust (PR #3421)
+  when: jupyterhub_install
 
 # UNMAINTAINED
 - name: LOKOLE

roles/7-edu-apps/tasks/main.yml

@@ -6,12 +6,13 @@
 - name: KALITE
   include_role:
     name: kalite
-  when: kalite_install
+  when: kalite_install and (is_ubuntu_2204 or is_ubuntu_2310 or is_debian_12)    # Also covers is_linuxmint_21 and is_raspbian_12
 
 - name: KOLIBRI
   include_role:
     name: kolibri
   when: kolibri_install
+  #when: kolibri_install and python_version is version('3.12', '<')    # Debian 13 still uses Python 3.11 (for now!) so really this just avoids Ubuntu 24.04 and 24.10 pre-releases during initial iiab-install.  CLARIF: This is all TEMPORARY until learningequality/kolibri#11316 brings Python 3.12 support to Kolibri 0.17 pre-releases (expected very soon).
 
 - name: KIWIX
   include_role:
@@ -40,10 +41,23 @@
     name: pathagar
   when: pathagar_install is defined and pathagar_install
 
+# WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
+# RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3422 and #3516
+- name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
+  command: dpkg --print-architecture
+  register: dpkg_arch
+  when: sugarizer_install
+
+- name: Explain bypassing of Sugarizer install if 32-bit OS
+  fail:    # FORCE IT RED THIS ONCE!
+    msg: "BYPASSING SUGARIZER INSTALL ATTEMPT, as Sugarizer Server 1.5.0 requires MongoDB 3.2+ which is NO LONGER SUPPORTED on 32-bit Raspberry Pi OS.  'dpkg --print-architecture' output for your OS: {{ dpkg_arch.stdout }}"
+  when: sugarizer_install and not dpkg_arch.stdout is search("64")
+  ignore_errors: True
+
 - name: SUGARIZER
   include_role:
     name: sugarizer
-  when: sugarizer_install
+  when: sugarizer_install and dpkg_arch.stdout is search("64")
 
 - name: Recording STAGE 7 HAS COMPLETED ========================
   lineinfile:

roles/8-mgmt-tools/tasks/main.yml

@@ -6,7 +6,7 @@
 - name: TRANSMISSION
   include_role:
     name: transmission
-  when: transmission_install
+  when: transmission_install and not (is_ubuntu_2404 or is_ubuntu_2410 or is_ubuntu_2504)    # Also excludes is_linuxmint_22, for #3756 (whereas Debian 13 works great!)
 
 - name: AWSTATS
   include_role:
@@ -23,11 +23,6 @@
     name: monit
   when: monit_install
 
-- name: MUNIN
-  include_role:
-    name: munin
-  when: munin_install
-
 - name: PHPMYADMIN
   include_role:
     name: phpmyadmin

roles/9-local-addons/tasks/main.yml

@@ -14,10 +14,23 @@
     name: captiveportal
   when: captiveportal_install
 
+# WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
+# RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3516
+- name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
+  command: dpkg --print-architecture
+  register: dpkg_arch
+  when: internetarchive_install
+
+- name: Explain bypassing of Internet Archive install if 32-bit OS
+  fail:    # FORCE IT RED THIS ONCE!
+    msg: "BYPASSING INTERNET ARCHIVE PER https://github.com/iiab/iiab/issues/3641 -- 'dpkg --print-architecture' output for your OS: {{ dpkg_arch.stdout }}"
+  when: internetarchive_install and not dpkg_arch.stdout is search("64")
+  ignore_errors: True
+
 - name: INTERNETARCHIVE
   include_role:
     name: internetarchive
-  when: internetarchive_install
+  when: internetarchive_install and dpkg_arch.stdout is search("64")
 
 - name: MINETEST
   include_role:
@@ -27,7 +40,7 @@
 - name: CALIBRE-WEB
   include_role:
     name: calibre-web
-  when: calibreweb_install and ansible_machine is search("64")    # 2022-11-10: Avoid installing on 32-bit, until RasPiOS fixes Rust (PR #3421)
+  when: calibreweb_install
 
 # KEEP NEAR THE VERY END as this installs dependencies from Debian's 'testing' branch!
 - name: CALIBRE
@@ -42,6 +55,46 @@
     name: pbx
   when: pbx_install
 
+
+- name: '2023-11-05 / TEMPORARY UNTIL ADMIN CONSOLE DECLARES ITS DEPENDENCY: Install MySQL (MariaDB) if admin_console_install (for setup-feedback and record_feedback.php)'
+  set_fact:
+    mysql_install: True
+    mysql_enabled: True
+  when: admin_console_install
+
+- name: '2023-11-05 / TEMPORARY UNTIL ADMIN CONSOLE DECLARES ITS DEPENDENCY: Install MySQL (MariaDB) if admin_console_install (for setup-feedback and record_feedback.php)'
+  include_role:
+    name: mysql
+  when: admin_console_install
+
+- name: '2023-11-05 / TEMPORARY UNTIL ADMIN CONSOLE DECLARES ITS DEPENDENCY: Install MySQL (MariaDB) if admin_console_install (for setup-feedback and record_feedback.php)'
+  fail:
+    msg: "Admin Console install cannot proceed, as MySQL / MariaDB is not installed."
+  when: admin_console_install and mysql_installed is undefined
+
+
+# 2023-11-05: Moved from Stage 8, as it acts on mysql_installed (that might be set just above!)
+- name: MUNIN
+  include_role:
+    name: munin
+  when: munin_install
+
+
+- name: Read 'disk_used_a_priori' from /etc/iiab/iiab.ini
+  set_fact:
+    df1: "{{ lookup('ansible.builtin.ini', 'disk_used_a_priori', section='summary', file=iiab_ini_file) }}"
+
+- name: Record currently used disk space, to compare with original 'disk_used_a_priori'
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add ESTIMATED 'iiab_software_disk_usage = {{ df2.stdout|int - df1|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: summary
+    option: iiab_software_disk_usage
+    value: "{{ df2.stdout|int - df1|int }}"
+
 - name: Recording STAGE 9 HAS COMPLETED ====================
   lineinfile:
     path: "{{ iiab_env_file }}"

roles/awstats/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: 'Install package: awstats'
   package:
     name: awstats
@@ -93,6 +98,17 @@
 
 # RECORD AWStats AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'awstats_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: awstats
+    option: awstats_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'awstats_installed: True'"
   set_fact:
     awstats_installed: True

roles/azuracast/tasks/install.yml

@@ -25,6 +25,11 @@
 # 5. Run './runrole --reinstall azuracast' in /opt/iiab/iiab
 
 
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: AzuraCast - Make config directory {{ azuracast_host_dir }}
   file:
     path: "{{ azuracast_host_dir }}"
@@ -102,6 +107,17 @@
 
 # RECORD AzuraCast AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'azuracast_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: azuracast
+    option: azuracast_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'azuracast_installed: True'"
   set_fact:
     azuracast_installed: True

roles/calibre-web/README.rst

@@ -13,98 +13,175 @@
 Calibre-Web README
 ==================
 
-Calibre-Web provides a clean interface for browsing, reading and downloading
+This Ansible role installs
-e-books using an existing Calibre database.  Teachers can upload e-books,
+`Calibre-Web <https://github.com/janeczku/calibre-web#readme>`_ as a modern
-adjust e-book metadata, and create custom e-book collections ("bookshelves"):
+client-server alternative to Calibre, for your
-https://github.com/janeczku/calibre-web#about
+`Internet-in-a-Box (IIAB) <https://internet-in-a-box.org>`_.
 
-This Ansible role installs Calibre-Web as part of your Internet-in-a-Box (IIAB)
+Calibre-Web provides a clean web interface for students to browse, read and
-as a possible alternative to Calibre.
+download e-books using a
+`Calibre-compatible database <https://manual.calibre-ebook.com/db_api.html>`_.
 
-*WARNING: Calibre-Web depends on Calibre's own* ``/usr/bin/ebook-convert`` *program,
+Teachers upload e-books, adjust e-book metadata, and create custom "bookshelf"
-so we strongly recommend you also install Calibre during your IIAB
+collections — to help students build the best local community library!
-installation!*
 
-Please note Calibre-Web's Ansible playbook is ``/opt/iiab/iiab/roles/calibre-web``
+**NEW AS OF JANUARY 2024:** `IIAB's experimental new version of Calibre-Web <https://github.com/iiab/calibre-web/wiki>`_
-whereas its Ansible variables ``calibreweb_*`` do **not** include the dash,
+**also lets you add YouTube and Vimeo videos (and local videos, e.g. from
-per Ansible recommendations.
+teachers' phones) to expand your indigenous/local/family learning library!**
+
+.. image:: https://www.yankodesign.com/images/design_news/2019/05/221758/luo_beetle_library_8.jpg
+
+🍒 GURU TIPS 🍒
+
+* Calibre-Web takes advantage of Calibre's own `/usr/bin/ebook-convert
+  <https://manual.calibre-ebook.com/generated/en/ebook-convert.html>`_ program
+  if that's installed — so consider also installing
+  `Calibre <https://calibre-ebook.com/whats-new>`_ during your IIAB
+  installation — *if you tolerate the weighty ~1 GB (of graphical OS libraries)
+  that Calibre mandates!*
+
+* If you choose to also install Calibre (e.g. by running
+  ``sudo apt install calibre``) then you'll get useful e-book
+  importing/organizing tools like
+  `/usr/bin/calibredb <https://manual.calibre-ebook.com/generated/en/calibredb.html>`_.
+
+Install It
+----------
+
+Install Calibre-Web by setting these 2 variables in
+`/etc/iiab/local_vars.yml <https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_::
+
+  calibreweb_install: True
+  calibreweb_enabled: True
+
+Then install IIAB (`download.iiab.io <https://download.iiab.io>`_).  Or if
+IIAB's already installed, run::
+
+  cd /opt/iiab/iiab
+  sudo ./runrole calibre-web
+
+NOTE: Calibre-Web's Ansible role (playbook) in
+`/opt/iiab/iiab/roles <https://github.com/iiab/iiab/tree/master/roles>`_ is
+``calibre-web`` which contains a hyphen — *whereas its Ansible variables*
+``calibreweb_*`` *do NOT contain a hyphen!*
 
 Using It
 --------
 
-After installation, try out Calibre-Web at http://box/books (or box.lan/books).
+Try Calibre-Web on your own IIAB by browsing to http://box/books (or
+http://box.lan/books).
 
-Typically students access it without a password (to read and download books)
+*Students* access it without a password (to read and download books).
-whereas teachers add books using an administrative account, as follows::
+
+*Teachers* add and arrange books using an administrative account, by clicking
+**Guest** then logging in with::
 
   Username: Admin
   Password: changeme
 
-If the default configuration is not found, the Calibre-Web server creates a
+🍒 GURU TIPS 🍒
-new settings file with calibre-web's own default administrative account::
+
+* If Calibre-Web's configuration file (app.db) goes missing, the administrative
+  account will revert to::
 
     Username: admin
     Password: admin123
 
-Backend
+* If you lose your password, you can change it with the
--------
+  ``-s [username]:[newpassword]`` command-line option:
-
+  https://github.com/janeczku/calibre-web/wiki/FAQ#what-do-i-do-if-i-lose-my-admin-password
-You can manage the backend Calibre-Web server with these systemd commands::
-
-  systemctl enable calibre-web
-  systemctl restart calibre-web
-  systemctl status calibre-web
-  systemctl stop calibre-web
 
 Configuration
 -------------
 
-To configure Calibre-Web, log in as user 'Admin' then click 'Admin' on top.
+To configure Calibre-Web browse to http://box/books then click **Guest** to log
-Check 'Configuration' options near the bottom of the page.
+in as user **Admin** (default passwords above!)
 
-Critical settings are stored in::
+Then click the leftmost **Admin** button to administer — considering all 3
+**Configuration** buttons further below.
+
+These critical settings are stored in::
 
   /library/calibre-web/config/app.db
 
-Your e-book metadata is stored in a Calibre-style database::
+Whereas your e-book metadata is stored in a Calibre-style database::
 
   /library/calibre-web/metadata.db
 
+Videos' metadata is stored in database::
+
+  /library/calibre-web/xklb-metadata.db
+
 See also::
 
   /library/calibre-web/metadata_db_prefs_backup.json
 
-Finally, take note of Calibre-Web's `FAQ <https://github.com/janeczku/calibre-web/wiki/FAQ>`_ and official docs on its `Runtime Configuration Options <https://github.com/janeczku/calibre-web/wiki/Configuration>`_ and `Command Line Interface <https://github.com/janeczku/calibre-web/wiki/Command-Line-Interface>`_.
+Finally, take note of Calibre-Web's
+`FAQ <https://github.com/janeczku/calibre-web/wiki/FAQ>`_ and official docs on
+its
+`Runtime Configuration Options <https://github.com/janeczku/calibre-web/wiki/Configuration>`_
+and
+`Command Line Interface <https://github.com/janeczku/calibre-web/wiki/Command-Line-Interface>`_.
+
+Backend
+-------
+
+You can manage the backend Calibre-Web server with systemd commands like::
+
+  systemctl status calibre-web
+  systemctl stop calibre-web
+  systemctl restart calibre-web
+
+Run all commands
+`as root <https://unix.stackexchange.com/questions/3063/how-do-i-run-a-command-as-the-system-administrator-root>`_.
+
+Errors and warnings can be seen if you run::
+
+  journalctl -u calibre-web
+
+Log verbosity level can be
+`adjusted <https://github.com/janeczku/calibre-web/wiki/Configuration#logfile-configuration>`_
+within Calibre-Web's **Configuration > Basic Configuration > Logfile
+Configuration**.
+
+Finally, http://box/live/stats (Calibre-Web's **About** page) can be a very
+useful list of ~42 `Calibre-Web dependencies <https://github.com/janeczku/calibre-web/wiki/Dependencies-in-Calibre-Web-Linux-and-Windows>`_
+(mostly Python packages, and the version number of each that's installed).
 
 Back Up Everything
 ------------------
 
 Please back up the entire folder ``/library/calibre-web`` before upgrading —
-as it contains your Calibre-Web content **and** settings!
+as it contains your Calibre-Web content **and** configuration settings!
 
 Upgrading
 ---------
 
-Reinstalling Calibre-Web automatically upgrades to the latest version if your
+Please see our `new/automated upgrade technique (iiab-update) <https://github.com/iiab/calibre-web/wiki#upgrading>`_
-Internet-in-a-Box (IIAB) is online.
+introduced in July 2024.
 
-But first: back up your content **and** settings, as explained above.
+But first: back up your content **and** configuration settings, as outlined
+above!
 
-**Also move your /library/calibre-web/config/app.db AND/OR
+**Conversely if you're sure you want to fully reset your Calibre-Web settings,
-/library/calibre-web/metadata.db out of the way — if you're sure you want to
+and remove all existing e-book/video/media metadata — then move your
-fully reset your Calibre-Web settings (to install defaults) AND/OR remove all
+/library/calibre-web/config/app.db, /library/calibre-web/metadata.db and
-e-book metadata!  Then run**::
+/library/calibre-web/xklb-metadata.db out of the way.**
+
+RECAP: Either way, "reinstalling" Calibre-Web automatically installs the latest
+version — so long as your Internet-in-a-Box (IIAB) is online.  Most people
+should stick with the new ``iiab-update`` technique above.  However if you must
+use the older/manual approach, you would need to run, as root::
 
   cd /opt/iiab/iiab
   ./runrole --reinstall calibre-web
 
-Or, if you just want to upgrade Calibre-Web code alone, prior to proceeding
+Or, if there's a need to try updating Calibre-Web's code alone::
-manually::
 
   cd /usr/local/calibre-web-py3
   git pull
 
-This older way *is no longer recommended*::
+Finally, this much older way is *no longer recommended*::
 
   cd /opt/iiab/iiab
   ./iiab-install --reinstall    # OR: ./iiab-configure
@@ -156,5 +233,5 @@ Known Issues
 
 * |ss| Upload of not supported file formats gives no feedback to the user: `janeczku/calibre-web#828 <https://github.com/janeczku/calibre-web/issues/828>`_ |se| |nbsp|  Fixed by `361a124 <https://github.com/janeczku/calibre-web/commit/361a1243d732116e6f520fabbaae017068b86037>`_ on 2019-02-27.
 
-* *Please assist us in reporting serious issues here:*
+* *Please report serious issues here:*
-  https://github.com/janeczku/calibre-web/issues
+  https://github.com/iiab/calibre-web/issues

roles/calibre-web/defaults/main.yml

@@ -14,8 +14,10 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
+calibreweb_repo_url: https://github.com/iiab/calibre-web    # Or use upstream: https://github.com/janeczku/calibre-web
 calibreweb_version: master    # WAS: master, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.6.9
 
+calibreweb_venv_wipe: False    # 2023-12-04: NEW default TDD (Test-Driven Dev!)
 calibreweb_venv_path: /usr/local/calibre-web-py3
 calibreweb_exec_path: "{{ calibreweb_venv_path }}/cps.py"
 

roles/calibre-web/tasks/enable-or-disable.yml

@@ -23,12 +23,29 @@
     dest: "{{ nginx_conf_dir }}/calibre-web-nginx.conf"    # /etc/nginx/conf.d
   when: calibreweb_enabled
 
+- name: If enabling with Calibre-Web enhanced for large audio/video "books" too, also append onto calibre-web-nginx.conf AND symlink /library/www/html/calibre-web -> /library/calibre-web (WIP)
+  shell: |
+    if [ -f {{ calibreweb_venv_path }}/scripts/calibre-web-nginx.conf ]; then
+        cat {{ calibreweb_venv_path }}/scripts/calibre-web-nginx.conf >> {{ nginx_conf_dir }}/calibre-web-nginx.conf
+        # 2023-12-05: Not needed as a result of PR iiab/calibre-web#57
+        # ln -sf {{ calibreweb_home }} {{ doc_root }}/calibre-web
+    fi
+  when: calibreweb_enabled
+
+
 - name: Disable http://box{{ calibreweb_url1 }} via NGINX, by removing {{ nginx_conf_dir }}/calibre-web-nginx.conf
   file:
-    path: "{{ nginx_conf_dir }}/calibre-web-nginx.conf"    # /etc/nginx/conf.d
+    path: "{{ nginx_conf_dir }}/calibre-web-nginx.conf"
     state: absent
   when: not calibreweb_enabled
 
+- name: If disabling, also remove symlink /library/www/html/calibre-web (WIP)
+  file:
+    path: "{{ doc_root }}/calibre-web"    # /library/www/html
+    state: absent
+  when: not calibreweb_enabled
+
+
 - name: Restart 'nginx' systemd service
   systemd:
     name: nginx

roles/calibre-web/tasks/install.yml

@@ -1,10 +1,50 @@
-- name: "Install packages: imagemagick, python3-venv"
+# Or try 'iiab-update -f' for a more rapid upgrade of IIAB Calibre-Web:
+#
+# https://wiki.iiab.io/go/FAQ#Can_I_upgrade_IIAB_software%3F
+# https://github.com/iiab/calibre-web/wiki#upgrading
+# https://github.com/iiab/iiab/blob/master/scripts/iiab-update
+# https://github.com/iiab/iiab/tree/master/roles/calibre-web#upgrading
+
+
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
+- name: Stop 'calibre-web' systemd service for safety (RED ERROR CAN BE IGNORED!)
+  systemd:
+    name: calibre-web
+    state: stopped
+  ignore_errors: True    # Shows red errors, and continue...
+  #failed_when: False    # Hides red errors, and continue...
+
+# Official upstream instructions:
+# apt install python3-pip python3-venv
+# https://github.com/janeczku/calibre-web/wiki/Manual-installation
+- name: "Install package: imagemagick"
   package:
     name:
       - imagemagick
-      - python3-venv
+      #- python3-cryptography    # Was needed on Raspberry Pi OS (SEE iiab/calibre-web#260, janeczku/calibre-web#3183)
+      #- python3-netifaces
     state: present
 
+# https://github.com/iiab/iiab/pull/3496#issuecomment-1475094542
+#- name: "Install packages: python3-dev, gcc to compile 'netifaces'"
+#  package:
+#    name:
+#      - python3-dev # header files
+#      - gcc         # compiler
+#    state: present
+#  when: python_version is version('3.10', '>=')
+
+- name: Does /etc/ImageMagick-6/policy.xml exist?
+  stat:
+    path: /etc/ImageMagick-6/policy.xml
+  register: imagemagick6_policy_xml
+
+# 2024-12-16: Debian 13 uses /etc/ImageMagick-7/policy.xml instead, which doesn't need this lineinfile surgery:
+# https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion
 - name: Allow ImageMagick to read PDFs, per /etc/ImageMagick-6/policy.xml, to create book cover thumbnails
   lineinfile:
     path: /etc/ImageMagick-6/policy.xml
@@ -12,8 +52,9 @@
     backrefs: yes
     line: '  <policy domain="coder" rights="read" pattern="PDF" />'
     state: present
+  when: imagemagick6_policy_xml.stat.exists
 
-- name: "Create 3 Calibre-Web folders to store data and config files: {{ calibreweb_home }}, {{ calibreweb_venv_path }}, {{ calibreweb_config }} (all set to {{ calibreweb_user }}:{{ apache_user }}) (default to 0755)"
+- name: "Create 2 Calibre-Web folders to store data and config files: {{ calibreweb_home }}, {{ calibreweb_config }} (each set to {{ calibreweb_user }}:{{ apache_user }}, default to 0755)"
   file:
     state: directory
     path: "{{ item }}"
@@ -22,40 +63,100 @@
   with_items:
     - "{{ calibreweb_home }}"         # /library/calibre-web
     - "{{ calibreweb_config }}"       # /library/calibre-web/config
-    - "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
 
-## TODO: Calibre-web future release might get into pypi https://github.com/janeczku/calibre-web/issues/456
+# FYI since May 2021, Calibre-Web (major releases) can be installed with pip:
-- name: Clone i.e. download Calibre-Web ({{ calibreweb_version }}) from https://github.com/janeczku/calibre-web.git to {{ calibreweb_venv_path }} (~94 MB initially, ~115+ MB later)
+# https://pypi.org/project/calibreweb/
+# https://github.com/janeczku/calibre-web/issues/456
+# https://github.com/janeczku/calibre-web/issues/677
+# https://github.com/janeczku/calibre-web/pull/927
+# https://github.com/janeczku/calibre-web/pull/1459
+
+- name: "Remove previous virtual environment {{ calibreweb_venv_path }} -- if 'calibreweb_venv_wipe: True'"
+  file:
+    path: "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
+    state: absent
+  when: calibreweb_venv_wipe
+
+- name: Does {{ calibreweb_venv_path }} exist?
+  stat:
+    path: "{{ calibreweb_venv_path }}"
+  register: calibreweb_venv
+
+- name: git clone Calibre-Web ({{ calibreweb_version }}) from {{ calibreweb_repo_url }} to {{ calibreweb_venv_path }} (~122 MB initially, ~191+ or ~203+ MB later) -- if {{ calibreweb_venv_path }} doesns't exist
   git:
-    repo: https://github.com/janeczku/calibre-web.git
+    repo: "{{ calibreweb_repo_url }}"    # e.g. https://github.com/iiab/calibre-web or https://github.com/janeczku/calibre-web
     dest: "{{ calibreweb_venv_path }}"
-    force: yes
+    #force: True    # CLAIM: "If true, any modified files in the working repository will be discarded" -- REALITY: even if `force: no`, Ansible destructively reclones (also removing all test branch commits etc!) -- unless a git credential is provided to Ansible?
-    depth: 1
+    #depth: 1       # 2023-11-04: Full clone for now, to help @deldesir & wider community testing
-    version: "{{ calibreweb_version }}"    # e.g. master, 0.6.17
+    version: "{{ calibreweb_version }}"    # e.g. master, 0.6.22
+  when: not calibreweb_venv.stat.exists
 
-## Ansible Pip Bug: Cannot use 'chdir' with 'env' https://github.com/ansible/ansible/issues/37912 (Patch landed)
+- name: cd {{ calibreweb_venv_path }} ; git pull {{ calibreweb_repo_url }} {{ calibreweb_version }} --no-rebase --no-edit -- if {{ calibreweb_venv_path }} exists
-#- name: Download calibre-web dependencies into vendor subdirectory.
+  command: git pull "{{ calibreweb_repo_url }}" "{{ calibreweb_version }}" --no-rebase --no-edit
-#  pip:
+  args:
-#    requirements: "{{ calibreweb_path }}/requirements.txt"
+    chdir: "{{ calibreweb_venv_path }}"
-#    chdir: "{{ calibreweb_path }}"
+  when: calibreweb_venv.stat.exists
-#    extra_args: '--target vendor'
+
-#  ignore_errors: True
+- debug:
-##
+    msg:
-# Implementing this with Ansible command module for now.
+      - "NEED BETTER/EXPERIMENTAL YouTube SCRAPING?  RUN THE NEXT LINE -- for the latest yt-dlp 'nightly' release:"
-- name: Download Calibre-Web dependencies (using pip) into python3 virtual environment {{ calibreweb_venv_path }}
+      - sudo pipx inject --pip-args='--upgrade --pre' -f library yt-dlp[default]
+
+- name: If Calibre-Web is being enhanced with audio/video "books" too, install/upgrade additional prereqs -- SEE https://github.com/iiab/calibre-web/wiki
+  shell: |
+    if [ -f {{ calibreweb_venv_path }}/scripts/lb-wrapper ]; then
+        apt install ffmpeg pipx -y
+        if lb --version; then
+            if pipx list | grep -q 'xklb'; then
+                pipx uninstall xklb
+                pipx install library
+            else
+                pipx reinstall library
+            fi
+        else
+            pipx install library
+        fi
+        ln -sf /root/.local/bin/lb /usr/local/bin/lb
+        if [ -f /root/.local/share/pipx/venvs/library/bin/yt-dlp ]; then
+            ln -sf /root/.local/share/pipx/venvs/library/bin/yt-dlp /usr/local/bin/yt-dlp
+        elif [ -f /root/.local/pipx/venvs/library/bin/yt-dlp ]; then
+            ln -sf /root/.local/pipx/venvs/library/bin/yt-dlp /usr/local/bin/yt-dlp
+        else
+            echo "ERROR: yt-dlp NOT FOUND"
+        fi
+        # NEED BETTER/EXPERIMENTAL YouTube SCRAPING?  UNCOMMENT THE NEXT LINE -- for the latest yt-dlp "nightly" release:
+        # pipx inject --pip-args="--upgrade --pre" -f library yt-dlp[default]
+        #
+        # https://github.com/yt-dlp/yt-dlp-nightly-builds/releases
+        # https://pypi.org/project/yt-dlp/#history
+        cp {{ calibreweb_venv_path }}/scripts/lb-wrapper /usr/local/bin/
+        chmod a+x /usr/local/bin/lb-wrapper
+    fi
+
+- name: Download Calibre-Web dependencies from 'requirements.txt' into python3 virtual environment {{ calibreweb_venv_path }}
   pip:
     requirements: "{{ calibreweb_venv_path }}/requirements.txt"
     virtualenv: "{{ calibreweb_venv_path }}"    # /usr/local/calibre-web-py3
-    virtualenv_site_packages: no
+    #virtualenv_site_packages: no
+    #virtualenv_command: python3 -m venv --system-site-packages {{ calibreweb_venv_path }}
     virtualenv_command: python3 -m venv {{ calibreweb_venv_path }}
+    extra_args: --prefer-binary    # 2023-10-01: Lifesaver when recent wheels (e.g. piwheels.org) are inevitably not yet built!  SEE #3560
+
+# 2023-10-11: RasPiOS Bookworm doc for Python with venv (PEP 668 now enforced!)
+# https://www.raspberrypi.com/documentation/computers/os.html#use-python-on-a-raspberry-pi
+# https://www.raspberrypi.com/documentation/computers/os.html#install-python-packages-using-apt
+# https://www.raspberrypi.com/documentation/computers/os.html#install-python-libraries-using-pip
+
 # VIRTUALENV EXAMPLE COMMANDS:
+# python3 -m venv /usr/local/calibre-web-py3    (create venv)
 # cd /usr/local/calibre-web-py3
-# source bin/activate
+# . bin/activate    (or 'source bin/activate' -- this prepends '/usr/local/calibre-web-py3/bin' to yr PATH)
-# python3 -m pip list    ('pip list' probably sufficient, likewise below)
+# python3 -m pip list    ('pip list' sufficient *IF* path set above!)
 # python3 -m pip freeze > /tmp/requirements.txt
 # python3 -m pip install -r requirements.txt
 # deactivate
-# https://pip.pypa.io/en/latest/user_guide/#requirements-files
+# https://pip.pypa.io/en/stable/user_guide/#requirements-files
+# https://pip.pypa.io/en/latest/reference/requirements-file-format/
 
 - name: Install /etc/systemd/system/calibre-web.service from template
   template:
@@ -96,6 +197,17 @@
 
 # RECORD Calibre-Web AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'calibreweb_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: calibre-web
+    option: calibreweb_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'calibreweb_installed: True'"
   set_fact:
     calibreweb_installed: True

roles/calibre-web/templates/calibre-web-nginx.conf.j2

@@ -5,7 +5,7 @@ location {{ calibreweb_url1 }}/ {
     proxy_set_header        Host            $http_host;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   {{ calibreweb_url1 }};
+    proxy_set_header        X-Script-Name   "{{ calibreweb_url1 }}";
     proxy_pass http://127.0.0.1:8083;
 }
 
@@ -14,7 +14,7 @@ location {{ calibreweb_url2 }}/ {
     proxy_set_header        Host            $http_host;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   {{ calibreweb_url2 }};
+    proxy_set_header        X-Script-Name   "{{ calibreweb_url2 }}";
     proxy_pass http://127.0.0.1:8083;
 }
 
@@ -23,6 +23,6 @@ location {{ calibreweb_url3 }}/ {
     proxy_set_header        Host            $http_host;
     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header        X-Scheme        $scheme;
-    proxy_set_header        X-Script-Name   {{ calibreweb_url3 }};
+    proxy_set_header        X-Script-Name   "{{ calibreweb_url3 }}";
     proxy_pass http://127.0.0.1:8083;
 }

roles/calibre/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # 1. APT INSTALL CALIBRE 4.12+ or 5.12+ (calibre, calibredb, calibre-server etc) ON ALL OS'S
 
 - name: "Install OS's latest packages: calibre, calibre-bin"
@@ -79,6 +84,17 @@
 
 # 5. RECORD Calibre AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'calibre_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: calibre
+    option: calibre_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'calibre_installed: True'"
   set_fact:
     calibre_installed: True

roles/captiveportal/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: "Install packages: python3-dateutil, python3-jinja2"
   package:
     name:
@@ -51,6 +56,17 @@
 
 # RECORD Captive Portal AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'captiveportal_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: captiveportal
+    option: captiveportal_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'captiveportal_installed: True'"
   set_fact:
     captiveportal_installed: True

roles/cups/README.md

@@ -8,7 +8,7 @@ This can be useful if a printer is attached to your IIAB — so student/teac
 
 ## Using it
 
-Make sure your IIAB was installed with these 2 lines in [/etc/iiab/local_vars.yml](http://faq.iiab.io/#What_is_local_vars.yml_and_how_do_I_customize_it.3F) :
+Make sure your IIAB was installed with these 2 lines in [/etc/iiab/local_vars.yml](http://faq.iiab.io/#What_is_local_vars.yml_and_how_do_I_customize_it%3F) :
 
 ```
 cups_install: True

roles/cups/tasks/install.yml

@@ -2,6 +2,11 @@
 # (OR ANY MEMBER OF LINUX GROUP 'lpadmin') AS SET UP BELOW...
 
 
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: Install 'cups' package
   package:
     name: cups
@@ -53,15 +58,30 @@
         AuthType Default
         Require user @SYSTEM
 
-- name: "CUPS web administration: Create Linux username 'Admin' with password 'changeme' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)"
+- name: "CUPS web administration: Create Linux username 'Admin' in Linux group 'lpadmin' (shell: /usr/sbin/nologin, create_home: no)"
   user:
     name: Admin
     append: yes    # Don't clobber other groups, that other IIAB Apps might need.
     groups: lpadmin
-    password: "{{ 'changeme' | password_hash('sha512') }}"    # Random salt.  Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#encrypting-and-checksumming-strings-and-passwords
+    #password: "{{ 'changeme' | password_hash('sha512') }}"    # Random salt.  Presumably runs 5000 rounds of SHA-512 per /etc/login.defs & /etc/pam.d/common-password -- https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html#hashing-and-encrypting-strings-and-passwords
     create_home: no
     shell: /usr/sbin/nologin    # Debian/Ubuntu norm -- instead of /sbin/nologin, /bin/false
 
+# 2024-05-01: Above password-setting approach no longer works w/ Ansible 2.17 RC1 (#3727).
+# Ansible STOPS with this error...
+#
+# "[DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated. The Python crypt module is
+# deprecated and will be removed from Python 3.13. Install the passlib library for continued encryption
+# functionality. This feature will be removed in version 2.17. Deprecation warnings can be disabled by
+# setting deprecation_warnings=False in ansible.cfg."
+#
+# ...so we instead use Linux's "chpasswd" command (below!)
+
+- name: Use chpasswd to set Linux username 'Admin' password to 'changeme'
+  command: chpasswd
+  args:
+    stdin: Admin:changeme
+
 # - name: Add user '{{ iiab_admin_user }}' to Linux group 'lpadmin' -- for CUPS web administration (or modify default 'SystemGroup lpadmin' in /etc/cups/cups-files.conf -- in coordination with ~14 -> ~15 '@SYSTEM' lines in /etc/cups/cupsd.conf)
 #   #command: "gpasswd -a {{ iiab_admin_user | quote }} lpadmin"
 #   #command: "gpasswd -d {{ iiab_admin_user | quote }} lpadmin"
@@ -124,6 +144,17 @@
 
 # RECORD CUPS AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'cups_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: cups
+    option: cups_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'cups_installed: True'"
   set_fact:
     cups_installed: True

roles/cups/tasks/main.yml

@@ -23,14 +23,14 @@
     quiet: yes
 
 
+- block:
+
   - name: Install CUPS if 'cups_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
     include_tasks: install.yml
     when: cups_installed is undefined
 
-
   - include_tasks: enable-or-disable.yml
 
-
   - name: Add 'cups' variable values to {{ iiab_ini_file }}
     ini_file:
       path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
@@ -46,3 +46,10 @@
         value: "{{ cups_install }}"
       - option: cups_enabled
         value: "{{ cups_enabled }}"
+
+  rescue:
+
+  - name: 'SEE ERROR ABOVE (skip_role_on_error: {{ skip_role_on_error }})'
+    fail:
+      msg: ""
+    when: not skip_role_on_error

roles/firmware/tasks/download.yml

@@ -1,23 +1,44 @@
-- name: Back up 4 OS-provided WiFi firmware files (or symlinks) to /lib/firmware/brcm/*.orig
+# 2023-02-25: MONITOR FIRMWARE UPDATES in 3 places especially...
-  copy:
+#
-    src: /lib/firmware/brcm/{{ item }}
+# 1. apt changelog firmware-brcm80211
-    dest: /lib/firmware/brcm/{{ item }}.orig
+#    https://github.com/RPi-Distro/firmware-nonfree -> debian/config/brcm80211 (brcm, cypress)
+#    https://archive.raspberrypi.org/debian/dists/bullseye/main/binary-arm64/Packages (1.1MB text file, look inside for summary of latest firmware-brcm80211)
+#    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/ -> firmware-brcm80211_* e.g.:
+#    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20190114-1+rpt11_all.deb from 2021-01-25
+#    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20210315-3+rpt4_all.deb from 2021-12-06
+#    https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20221012-1~bpo11+1+rpt1_all.deb from 2022-11-17
+# 2. apt changelog linux-firmware-raspi
+#    https://packages.ubuntu.com/search?keywords=linux-firmware-raspi
+# 3. https://github.com/moodlebox/moodlebox/blob/main/roles/accesspoint/tasks/main.yml
+
+#- name: Back up 4 OS-provided WiFi firmware files (incl symlink contents) to /lib/firmware/cypress/*.orig
+- name: Back up 4 OS-provided WiFi firmware files (replicate any symlinks) to /lib/firmware/cypress/*.orig -- /usr/bin/iiab-check-firmware will later do similar (e.g. as firmware install completes) -- moving 2-or-4 of these to <ORIGINAL FILENAME>.YYYY-MM-DD-HH:MM:SS ("doubly timestamping" to preserve BOTH last-modif & moving date)
+  # copy:
+  #   src: /lib/firmware/cypress/{{ item }}
+  #   dest: /lib/firmware/cypress/{{ item }}.orig
+  #   #local_follow: False    # FAILS TO PRESERVE LINKS (ansible/ansible#74777) e.g. /lib/firmware/cypress/cyfmac43455-sdio.bin -> /etc/alternatives/cyfmac43455-sdio.bin -> ...
+  # 2023-05-01 CLARIF OF BELOW:
+  # 1) Even if 'mv' fails, no matter it'll continue to 'cp' below
+  # 2) 'cp -P' == 'cp --no-dereference' sufficient to replicate these symlinks and files ('cp -d' & 'cp -a' are incrementally stronger, and so probably can't hurt)
+  shell: |
+    mv /lib/firmware/cypress/{{ item }}.orig /lib/firmware/cypress/{{ item }}.orig.$(date +%F-%T)
+    cp -a /lib/firmware/cypress/{{ item }} /lib/firmware/cypress/{{ item }}.orig
   with_items:
-    - brcmfmac43430-sdio.bin
+    - cyfmac43430-sdio.bin
-    - brcmfmac43430-sdio.clm_blob
+    - cyfmac43430-sdio.clm_blob
-    - brcmfmac43455-sdio.bin
+    - cyfmac43455-sdio.bin
-    - brcmfmac43455-sdio.clm_blob
+    - cyfmac43455-sdio.clm_blob
-  ignore_errors: yes
+  #ignore_errors: yes    # 2023-02-25: Let's INTENTIONALLY surface any errors, e.g. if any future RasPiOS or Ubuntu-on-Rpi lack some of the above 4 files/links?
 
 - name: Download higher-capacity firmwares (for RPi internal WiFi, per https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and https://github.com/iiab/iiab/issues/2853)
   get_url:
     url: "{{ iiab_download_url }}/{{ item }}"
-    dest: /lib/firmware/brcm/
+    dest: /lib/firmware/cypress/
     timeout: "{{ download_timeout }}"
   with_items:
-    - brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- from https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
+    - brcmfmac43455-sdio.bin_2021-11-30_minimal                # 19 -- SAME AS RASPIOS & UBUNTU'S https://github.com/RPi-Distro/firmware-nonfree/blob/feeeda21e930c2e182484e8e1269b61cca2a8451/debian/config/brcm80211/cypress/cyfmac43455-sdio-minimal.bin
     - brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal      # 24 -- from https://github.com/iiab/iiab/issues/2853#issuecomment-934293015
-    - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- from https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
+    - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi               # Works w/ both above -- SAME AS RASPIOS & UBUNTU'S https://github.com/RPi-Distro/firmware-nonfree/blob/dc406650e840705957f8403efeacf71d2d7543b3/debian/config/brcm80211/cypress/cyfmac43455-sdio.clm_blob
     - brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1    # 32 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202
     - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
     - brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65             # 30 -- from https://github.com/iiab/iiab/issues/823#issuecomment-662285202

roles/firmware/tasks/install.yml

@@ -4,61 +4,69 @@
 
 
 # Set 2 symlinks for RPi 3 B+ and 4 (43455)
+# COMPARE: update-alternatives --display cyfmac43455-sdio.bin
+# https://github.com/moodlebox/moodlebox/blob/main/roles/accesspoint/tasks/main.yml#L3-L6
 
-- name: Populate rpi3bplus_rpi4_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/brcm)
+- name: Populate rpi3bplus_rpi4_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/cypress)
   set_fact:
     rpi3bplus_rpi4_wifi_firmwares:    # Dictionary keys (left side) are always strings, e.g. "19"
       os:
-        - brcmfmac43455-sdio.bin.orig
+        - cyfmac43455-sdio.bin.orig             # 2023-02-25: 7.45.241 from 2021-11-01 on Ubuntu 22.04.2 too (cyfmac43455-sdio-standard.bin)
-        - brcmfmac43455-sdio.clm_blob.orig
+        - cyfmac43455-sdio.clm_blob.orig        # On Ubuntu 22.04.2 too (brcmfmac43455-sdio.clm_blob_2021-11-17_rpi)
+      ub:
+        - cyfmac43455-sdio.bin.distrib          # 2023-02-25: STALE 7.45.234 from 2021-04-15; on Ubuntu 22.04.2 NOT RasPiOS
+        - cyfmac43455-sdio.clm_blob.distrib     # 4.7K instead of 2.7K w/ above "os"
       19:
-        - brcmfmac43455-sdio.bin_2021-11-30_minimal
+        - brcmfmac43455-sdio.bin_2021-11-30_minimal     # On Ubuntu 22.04.2 too (cyfmac43455-sdio-minimal.bin)
-        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi
+        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi    # On Ubuntu 22.04.2 too (cyfmac43455-sdio.clm_blob)
       24:
         - brcmfmac43455-sdio.bin_2021-10-05_3rd-trial-minimal
-        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi
+        - brcmfmac43455-sdio.clm_blob_2021-11-17_rpi    # On Ubuntu 22.04.2 too (cyfmac43455-sdio.clm_blob)
       32:
         - brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1
-        - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi
+        - brcmfmac43455-sdio.clm_blob_2018-02-26_rpi    # 14K instead of 2.7K w/ above "os"
 
-- name: Symlink /lib/firmware/brcm/brcmfmac43455-sdio.bin.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][0] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
+- name: Symlink /lib/firmware/cypress/cyfmac43455-sdio.bin.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][0] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
   file:
     src: "{{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][0] }}"
-    path: /lib/firmware/brcm/brcmfmac43455-sdio.bin.iiab
+    path: /lib/firmware/cypress/cyfmac43455-sdio.bin.iiab
     state: link
     force: yes
 
-- name: Symlink /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][1] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
+- name: Symlink /lib/firmware/cypress/cyfmac43455-sdio.clm_blob.iiab -> {{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][1] }} (as rpi3bplus_rpi4_wifi_firmware is "{{ rpi3bplus_rpi4_wifi_firmware }}")
   file:
     src: "{{ rpi3bplus_rpi4_wifi_firmwares[rpi3bplus_rpi4_wifi_firmware][1] }}"
-    path: /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.iiab
+    path: /lib/firmware/cypress/cyfmac43455-sdio.clm_blob.iiab
     state: link
     force: yes
 
 
 # Set 2 symlinks for RPi Zero W and 3 (43430)
 
-- name: Populate rpizerow_rpi3_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/brcm)
+- name: Populate rpizerow_rpi3_wifi_firmwares dictionary (lookup table for operator-chosen .bin and .clm_blob files in /lib/firmware/cypress)
   set_fact:
     rpizerow_rpi3_wifi_firmwares:
       os:
-        - brcmfmac43430-sdio.bin.orig
+        - cyfmac43430-sdio.bin.orig            # 2023-02-25: 7.45.98 from 2021-07-19 on Ubuntu 22.04.2 too
-        - brcmfmac43430-sdio.clm_blob.orig
+        - cyfmac43430-sdio.clm_blob.orig       # On Ubuntu 22.04.2 too
+      ub:
+        - cyfmac43430-sdio.bin.distrib         # 2023-02-25: STALE 7.45.98.118 from 2021-03-30; on Ubuntu 22.04.2 NOT RasPiOS
+        - cyfmac43430-sdio.clm_blob.distrib    # Identical to above 4.7K cyfmac43430-sdio.clm_blob
       30:
         - brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65
-        - brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65
+        - brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65    # 14K instead of 4.7K w/ above "os" & "ub"
 
-- name: Symlink /lib/firmware/brcm/brcmfmac43430-sdio.bin.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][0] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
+- name: Symlink /lib/firmware/cypress/cyfmac43430-sdio.bin.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][0] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
   file:
     src: "{{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][0] }}"
-    path: /lib/firmware/brcm/brcmfmac43430-sdio.bin.iiab
+    path: /lib/firmware/cypress/cyfmac43430-sdio.bin.iiab
     state: link
     force: yes
 
-- name: Symlink /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][1] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
+- name: Symlink /lib/firmware/cypress/cyfmac43430-sdio.clm_blob.iiab -> {{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][1] }} (as rpizerow_rpi3_wifi_firmware is "{{ rpizerow_rpi3_wifi_firmware }}")
   file:
     src: "{{ rpizerow_rpi3_wifi_firmwares[rpizerow_rpi3_wifi_firmware][1] }}"
-    path: /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab
+    path: /lib/firmware/cypress/cyfmac43430-sdio.clm_blob.iiab
     state: link
     force: yes
 
@@ -73,7 +81,7 @@
     - { src: 'iiab-check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' }
     - { src: 'iiab-firmware-warn.sh', dest: '/etc/profile.d/', mode: '0644' }
 
-- name: Enable & (Re)Start iiab-check-firmware.service (also runs on each boot)
+- name: Enable & (Re)Start iiab-check-firmware.service (also runs on each boot) -- finalizing 2-or-4 symlink chains e.g. /lib/firmware/cypress/X.{bin|blob} -> /lib/firmware/cypress/X.{bin|blob}.iiab -> CHOSEN-FIRMWARE-FILE-OR-LINK
   systemd:
     name: iiab-check-firmware.service
     daemon_reload: yes

roles/firmware/tasks/main.yml

@@ -3,19 +3,23 @@
 # client devices that can access your Raspberry Pi's internal WiFi hotspot.
 
 # If IIAB's already installed, you should then run 'cd /opt/iiab/iiab' and
-# then 'sudo ./runrole firmware' (do run iiab-check-firmware for more tips!)
+# then 'sudo ./runrole firmware' (DO RUN iiab-check-firmware FOR MORE TIPS!)
 
-# BACKGROUND AS OF 2022-01-10:
+# 2018-2023 Background & Progress:
+#
+# Raspberry Pi 3 used to support 32 WiFi connections but is now limited to [4-10]
 #     https://github.com/iiab/iiab/issues/823#issuecomment-662285202
+# Opinions about Pi 4B/3B+ WiFi features [practical AP firmware for schools!]
 #     https://github.com/iiab/iiab/issues/2853#issuecomment-957836892
+# RPi WiFi hotspot firmware reliability fix, incl new/better choices for 3B+ & 4
 #     https://github.com/iiab/iiab/pull/3103
-# https://github.com/RPi-Distro/firmware-nonfree/tree/bullseye/debian/config/brcm80211 (brcm, cypress)
+# Set WiFi firmware in /lib/firmware/cypress due to RasPiOS & Ubuntu changes
-# https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20190114-1+rpt11_all.deb from 2021-01-25
+#     https://github.com/iiab/iiab/pull/3482
-# https://archive.raspberrypi.org/debian/pool/main/f/firmware-nonfree/firmware-brcm80211_20210315-3+rpt4_all.deb from 2021-12-06
-
 # RISK: What USB 3.0 stick/drive patterns degrade a Raspberry Pi's 2.4GHz WiFi?
 #     https://github.com/iiab/iiab/issues/2638
 
+# ► SEE "MONITOR FIRMWARE UPDATES in 3 places especially" in tasks/download.yml ◄
+
 - name: Install firmware (for RPi internal WiFi)
   include_tasks: install.yml
   when: firmware_installed is undefined

roles/firmware/templates/iiab-check-firmware

@@ -1,11 +1,25 @@
 #!/bin/bash
 
-# 2021-08-18: bash scripts using default_vars.yml &/or local_vars.yml
+# The 1st time /usr/bin/iiab-check-firmware runs (at the end of
+# firmware/tasks/install.yml) 2-4 lynchpin top links are put in place,
+# finalizing symlink chains like:
+#
+#     /lib/firmware/cypress/X.{bin|blob} ->
+#     /lib/firmware/cypress/X.{bin|blob}.iiab ->
+#     CHOSEN-FIRMWARE-FILE-OR-LINK
+#
+# Also backing up top-of-chain originals (file or link!) by moving these to:
+#
+#     /lib/firmware/cypress/<ORIGINAL FILENAME>.YYYY-MM-DD-HH:MM:SS
+#
+# NOTE these are "doubly timestamped" to preserve BOTH last-modif & moving date.
+
+# 2023-02-25: bash scripts using default_vars.yml &/or local_vars.yml
 # https://github.com/iiab/iiab-factory/blob/master/iiab
 # https://github.com/iiab/iiab/blob/master/roles/firmware/templates/iiab-check-firmware#L10-14
 # https://github.com/iiab/iiab/blob/master/roles/network/templates/gateway/iiab-gen-iptables#L48-L52
-# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L25-L34
+# https://github.com/iiab/maps/blob/master/osm-source/pages/viewer/scripts/iiab-install-map-region#L23-L39
-# https://github.com/iiab/iiab/blob/master/roles/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
+# https://github.com/iiab/iiab/blob/master/roles/0-DEPRECATED-ROLES/openvpn/templates/iiab-support READS AND WRITES, INCL NON-BOOLEAN
 
 iiab_var_value() {
     v1=$(grep "^$1:\s" /opt/iiab/iiab/vars/default_vars.yml | tail -1 | sed "s/^$1:\s\+//; s/#.*//; s/\s*$//; s/^\(['\"]\)\(.*\)\1$/\2/")
@@ -14,29 +28,29 @@ iiab_var_value() {
 }
 
 link_fw() {
-    if [[ $(readlink /lib/firmware/brcm/$1) != $1.iiab ]] ; then
+    if [[ $(readlink /lib/firmware/cypress/$1) != $1.iiab ]] ; then
         echo
-	mv /lib/firmware/brcm/$1 /lib/firmware/brcm/$1.$(date +%F-%T)
+        mv /lib/firmware/cypress/$1 /lib/firmware/cypress/$1.$(date +%F-%T)
-	ln -s $1.iiab /lib/firmware/brcm/$1
+        ln -s $1.iiab /lib/firmware/cypress/$1
-	echo -e "\e[1mSymlinked /lib/firmware/brcm/$1 -> $1.iiab\e[0m"
+        echo -e "\e[1mSymlinked /lib/firmware/cypress/$1 -> $1.iiab\e[0m"
         touch /tmp/.fw_modified
     fi
 }
 
 if [[ $(iiab_var_value rpi3bplus_rpi4_wifi_firmware) != "os" ]] ; then
-    link_fw brcmfmac43455-sdio.bin
+    link_fw cyfmac43455-sdio.bin
-    link_fw brcmfmac43455-sdio.clm_blob
+    link_fw cyfmac43455-sdio.clm_blob
 fi
 
 if [[ $(iiab_var_value rpizerow_rpi3_wifi_firmware) != "os" ]] ; then
-    link_fw brcmfmac43430-sdio.bin
+    link_fw cyfmac43430-sdio.bin
-    link_fw brcmfmac43430-sdio.clm_blob
+    link_fw cyfmac43430-sdio.clm_blob
 fi
 
 if [ -f /tmp/.fw_modified ]; then
     bash /etc/profile.d/iiab-firmware-warn.sh
 else
-    echo -e "\n\e[1mWiFi Firmware links in /lib/firmware/brcm appear \e[92mCORRECT\e[0m\e[1m, per iiab/iiab#2853.\e[0m"
+    echo -e "\n\e[1mWiFi Firmware links in /lib/firmware/cypress appear \e[92mCORRECT\e[0m\e[1m, per iiab/iiab#3482\e[0m"
     echo
     echo -e "\e[100;1m(No reboot appears necessary!)\e[0m"
     echo
@@ -46,7 +60,7 @@ else
     echo -e "  cd /opt/iiab/iiab"
     echo -e "  sudo iiab-hotspot-off    # NO LONGER NEC? eg to restore 'wifi_up_down: True'"
     echo -e "  sudo ./runrole --reinstall firmware"
-    echo -e "  sudo ./iiab-network      # SOMETIMES NECESSARY"
+    echo -e "  sudo iiab-network        # SOMETIMES NECESSARY"
     echo -e "  sudo iiab-hotspot-on     # NO LONGER NEC? eg to restore 'wifi_up_down: True'"
     echo -e "  sudo reboot\n"
     #echo

roles/firmware/templates/iiab-firmware-warn.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 if [ -f /tmp/.fw_modified ]; then
-    echo -e "\n\e[41;1mWiFi Firmware link(s) modified, per iiab/iiab#2853: PLEASE REBOOT!\e[0m"
+    echo -e "\n\e[41;1mWiFi Firmware link(s) modified, per iiab/iiab#3482: PLEASE REBOOT!\e[0m"
     echo
     echo -e "If you want this warning to stop, reboot to remove /tmp/.fw_modified\n"
 fi

roles/gitea/defaults/main.yml

@@ -9,7 +9,7 @@
 
 # Info needed to install Gitea:
 
-gitea_version: 1.18    # 2022-01-30: Grabs latest from this MAJOR/MINOR release branch.  Rather than exhaustively hard-coding point releases (e.g. 1.14.5) every few weeks.
+gitea_version: "1.22"    # 2022-01-30: Grabs latest from this MAJOR/MINOR release branch.  Rather than exhaustively hard-coding point releases (e.g. 1.14.5) every few weeks.  Quotes nec if trailing zero.
 iset_suffixes:
   i386: 386
   x86_64: amd64
@@ -17,9 +17,9 @@ iset_suffixes:
   armv6l: arm-6
   armv7l: arm-6    # "arm-7" used to work, but no longer since 2019-04-20's Gitea 1.8.0: https://github.com/iiab/iiab/issues/1673 https://github.com/iiab/iiab/pull/1713 -- 2019-07-31: ARM7 support will return at some point, according to: https://github.com/go-gitea/gitea/pull/7037#issuecomment-516735216 (what about ARM8 support for RPi 4?)
 
-gitea_iset_suffix: "{{ iset_suffixes[ansible_architecture] | default('unknown') }}"
+gitea_iset_suffix: "{{ iset_suffixes[ansible_machine] | default('unknown') }}"    # A bit safer than ansible_architecture (see kiwix/defaults/main.yml)
 
-gitea_download_url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_iset_suffix }}"
+gitea_download_url: "https://dl.gitea.com/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-{{ gitea_iset_suffix }}"
 gitea_integrity_url: "{{ gitea_download_url }}.asc"
 
 gitea_root_directory: "{{ content_base }}/gitea"    # /library/gitea

roles/gitea/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # 1. Prepare to install Gitea: create user and directory structure
 
 - name: Shut down existing Gitea instance (if we're reinstalling)
@@ -43,10 +48,10 @@
     msg: "Could not find a binary for the CPU architecture \"{{ ansible_architecture }}\""
   when: gitea_iset_suffix == "unknown"
 
-- name: Download Gitea binary {{ gitea_download_url }} to {{ gitea_install_path }} (0775, ~108 MB, SLOW DOWNLOAD CAN TAKE ~15 MIN)
+- name: Download Gitea binary {{ gitea_download_url }} to {{ gitea_install_path }} (0775, ~134 MB, SLOW DOWNLOAD CAN TAKE ~15 MIN)
   get_url:
     url: "{{ gitea_download_url }}"
-    dest: "{{ gitea_install_path }}"    # e.g. /library/gitea/bin/gitea-1.16
+    dest: "{{ gitea_install_path }}"    # e.g. /library/gitea/bin/gitea-1.21
     mode: 0775
     timeout: "{{ download_timeout }}"
 
@@ -56,9 +61,9 @@
     dest: "{{ gitea_checksum_path }}"
     timeout: "{{ download_timeout }}"
 
-- name: Verify Gitea binary with GPG signature
+- name: Verify Gitea binary with GPG signature ("BAD signature" FALSE ALARMS continue as of 2023-07-16, despite their claims at https://docs.gitea.com/installation/install-from-binary#verify-gpg-signature)
   shell: |
-    gpg --keyserver pgp.mit.edu --recv {{ gitea_gpg_key }}
+    gpg --keyserver keys.openpgp.org --recv {{ gitea_gpg_key }}
     gpg --verify {{ gitea_checksum_path }} {{ gitea_install_path }}
   ignore_errors: yes
 
@@ -105,6 +110,17 @@
 
 # 5. RECORD Gitea AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'gitea_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: gitea
+    option: gitea_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'gitea_installed: True'"
   set_fact:
     gitea_installed: True

roles/gitea/tasks/main.yml

@@ -27,7 +27,7 @@
 
   - include_tasks: enable-or-disable.yml
 
-  - name: Add 'gitea' to list of services at {{ iiab_ini_file }}
+  - name: Add 'gitea' variable values to {{ iiab_ini_file }}
     ini_file:
       path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
       section: gitea

roles/gitea/templates/app.ini.j2

@@ -2,7 +2,8 @@
 ; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ; and modify as needed.
 
-; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.
+; see https://docs.gitea.com/administration/config-cheat-sheet for additional documentation.
+;     https://docs.gitea.com/next/administration/config-cheat-sheet
 
 ; App name that shows in every page title
 APP_NAME = {{ gitea_display_name }}
@@ -23,9 +24,11 @@ DEFAULT_PRIVATE = last
 ; Global limit of repositories per user, applied at creation time. -1 means no limit
 MAX_CREATION_LIMIT = -1
 ; Mirror sync queue length, increase if mirror syncing starts hanging
-MIRROR_QUEUE_LENGTH = 1000
+; 2023-07-16 ERROR: MIRROR_QUEUE_LENGTH = 1000
+;     `[repository].MIRROR_QUEUE_LENGTH`. Use new options in `[queue.mirror]`
 ; Patch test queue length, increase if pull request patch testing starts hanging
-PULL_REQUEST_QUEUE_LENGTH = 1000
+; 2023-07-16 ERROR: PULL_REQUEST_QUEUE_LENGTH = 1000
+;     `[repository].PULL_REQUEST_QUEUE_LENGTH`. Use new options in `[queue.pr_patch_checker]`
 ; Preferred Licenses to place at the top of the List
 ; The name here must match the filename in conf/license or custom/conf/license
 PREFERRED_LICENSES = Apache License 2.0,MIT License
@@ -201,13 +204,22 @@ PPROF_DATA_PATH = data/tmp/pprof
 LANDING_PAGE = home
 ; Enables git-lfs support. true or false, default is false.
 LFS_START_SERVER = false
-; Where your lfs files reside, default is data/lfs.
-LFS_CONTENT_PATH = {{ gitea_lfs_root }}
 ; LFS authentication secret, change this yourself
 LFS_JWT_SECRET =
 ; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
 LFS_HTTP_AUTH_EXPIRY = 20m
 
+; lfs [Large File Storage] storage will override storage
+;
+[lfs]
+;STORAGE_TYPE = local
+;
+; Where your lfs files reside, default is data/lfs.
+PATH = {{ gitea_lfs_root }}
+;
+; override the minio base path if storage type is minio
+;MINIO_BASE_PATH = lfs/
+
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 [ssh.minimum_key_sizes]
 ED25519 = 256
@@ -240,7 +252,8 @@ ISSUE_INDEXER_PATH = indexers/issues.bleve
 ; repo indexer by default disabled, since it uses a lot of disk space
 REPO_INDEXER_ENABLED = false
 REPO_INDEXER_PATH = indexers/repos.bleve
-UPDATE_BUFFER_LEN = 20
+; 2023-07-16 ERROR: UPDATE_BUFFER_LEN = 20
+;        `[indexer].UPDATE_BUFFER_LEN`. Use new options in `[queue.issue_indexer]`
 MAX_FILE_SIZE = 1048576
 
 [admin]
@@ -360,7 +373,8 @@ PAGING_NUM = 10
 [mailer]
 ENABLED = false
 ; Buffer length of channel, keep it as it is if you don't know what it is.
-SEND_BUFFER_LEN = 100
+; 2023-07-16 ERROR: SEND_BUFFER_LEN = 100
+;         `[mailer].SEND_BUFFER_LEN`. Use new options in `[queue.mailer]`
 ; Name displayed in mail title
 SUBJECT = %(APP_NAME)s
 ; Mail server

roles/iiab-admin/README.rst

@@ -36,7 +36,7 @@ Security
    #. ``iiab-admin`` (specified by ``admin_console_group`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_ and `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
    #. ``sudo``
 * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
-* If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <../openvpn/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
+* If your IIAB includes Tailscale (VPN), ``/root/.ssh/authorized_keys`` should be installed by `roles/tailscale/tasks/install.yml <../tailscale/tasks/install.yml>`_ to facilitate remote community support.  Feel free to remove this as mentioned here: https://wiki.iiab.io/go/Security
 * Auto-checking for the default/published password (as specified by ``iiab_admin_published_pwd`` in `/opt/iiab/iiab/vars/default_vars.yml <../../vars/default_vars.yml>`_) is implemented in `/etc/profile.d <templates/sshpwd-profile-iiab.sh>`_ (and `/etc/xdg/lxsession/LXDE-pi <templates/sshpwd-lxde-iiab.sh>`_ when it exists, i.e. on Raspberry Pi OS with desktop).
 
 Example
@@ -56,16 +56,16 @@ Historical Notes
 Remote Support Tools
 --------------------
 
-The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `OpenVPN <https://en.wikipedia.org/wiki/OpenVPN>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
+The `iiab-diagnostics <../../scripts/iiab-diagnostics.README.md>`_ and `Tailscale (VPN) <https://en.wikipedia.org/wiki/Tailscale>`_ options mentioned above can greatly help you empower your community, typically during the implementation phase of your project, even if Linux is new to you.
 
-Similarly, `access.yml <tasks/access.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
+Similarly, `tasks/main.yml <tasks/main.yml>`_ adds a couple text mode tools — extremely helpful over expensive / low-bandwidth connections:
 
 * `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_
 * `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_
 
 *More great tools to help you jumpstart community action at a distance:*
 
-* http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?"
+* `FAQ.IIAB.IO <https://wiki.iiab.io/go/FAQ>`_ > "How can I remotely manage my Internet-in-a-Box?"
 
 Admin Console
 -------------

roles/iiab-admin/tasks/main.yml

@@ -2,6 +2,11 @@
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
 
 
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: "Install text-mode packages, useful during remote access: lynx, screen"
   package:
     name:
@@ -35,6 +40,17 @@
 
 # RECORD iiab-admin AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'iiab_admin_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: iiab-admin
+    option: iiab_admin_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'iiab_admin_installed: True'"
   set_fact:
     iiab_admin_installed: True

roles/iiab-admin/tasks/pwd-warnings.yml

@@ -2,34 +2,35 @@
 #                    AND roles/network/tasks/netwarn.yml  FOR iiab-network
 
 
-- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
+- name: Install /etc/profile.d/iiab-pwdwarn-profile.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
   template:
-    src: sshpwd-profile-iiab.sh.j2
+    src: iiab-pwdwarn-profile.sh.j2
-    dest: /etc/profile.d/sshpwd-profile-iiab.sh
+    dest: /etc/profile.d/iiab-pwdwarn-profile.sh
     mode: '0644'
 
-- name: Is /etc/xdg/lxsession/LXDE-pi a directory?
+- name: Does directory /home/{{ iiab_admin_user }}/.config/labwc/ exist?
   stat:
-    path: /etc/xdg/lxsession/LXDE-pi
+    path: /home/{{ iiab_admin_user }}/.config/labwc/
-  register: lx
+  register: labwc_dir
 
-- name: "If so, install from template: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+- name: "If so, install from template: /usr/local/sbin/iiab-pwdwarn-labwc"
   template:
-    src: sshpwd-lxde-iiab.sh.j2
+    src: iiab-pwdwarn-labwc.j2
-    dest: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh
+    dest: /usr/local/sbin/iiab-pwdwarn-labwc
     mode: '0755'
-  when: lx.stat.isdir is defined and lx.stat.isdir    # and is_raspbian
+  when: labwc_dir.stat.exists and labwc_dir.stat.isdir
 
-# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
+# 2019-03-07: This pop-up (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) did
 # not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
 # (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
-# would be really nice to standardize this popup across Ubermix & all distros..
+# would be really nice to standardize pop-ups across Ubermix & all distros...
 # Is this a permissions/security issue presumably?  Official autostart spec is:
 # https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
 # Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
 
-- name: ...and put a line in /etc/xdg/lxsession/LXDE-pi/autostart to trigger popups
+- name: ...and put a line in /home/{{ iiab_admin_user }}/.config/labwc/autostart to trigger iiab-pwdwarn-labwc (& pop-up as nec)
   lineinfile:
-    path: /etc/xdg/lxsession/LXDE-pi/autostart
+    path: /home/{{ iiab_admin_user }}/.config/labwc/autostart    # iiab-admin
-    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+    create: yes
-  when: lx.stat.isdir is defined and lx.stat.isdir    # and is_raspbian
+    line: '/usr/local/sbin/iiab-pwdwarn-labwc &'
+  when: labwc_dir.stat.exists and labwc_dir.stat.isdir

roles/iiab-admin/tasks/sudo-prereqs.yml

@@ -1,6 +1,6 @@
 - name: 'Install package: sudo'
   package:
-    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can also be installed by roles/1-prep's roles/openvpn/tasks/install.yml, (3) Is definitely installed by 1-prep here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
+    name: sudo    # (1) Should be installed prior to installing IIAB, (2) Can be installed by 1-prep's roles/tailscale/tasks/install.yml, (3) Can be installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml here, (4) Used to be installed by roles/2-common/tasks/packages.yml (but that's too late!)
 
 - name: Temporarily make file /etc/sudoers editable (0640)
   file:

roles/internetarchive/tasks/install.yml

@@ -9,10 +9,10 @@
   include_role:
     name: nodejs
 
-- name: Assert that 10.x <= nodejs_version ({{ nodejs_version }}) <= 18.x
+- name: Assert that 10.x <= nodejs_version ({{ nodejs_version }}) <= 22.x
   assert:
-    that: nodejs_version is version('10.x', '>=') and nodejs_version is version('18.x', '<=')
+    that: nodejs_version is version('10.x', '>=') and nodejs_version is version('22.x', '<=')
-    fail_msg: "Internet Archive install cannot proceed, as it currently requires Node.js 10.x - 18.x, and your nodejs_version is set to {{ nodejs_version }}.  Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml and possibly also /etc/iiab/local_vars.yml"
+    fail_msg: "Internet Archive install cannot proceed, as it currently requires Node.js 10.x - 22.x, and your nodejs_version is set to {{ nodejs_version }}.  Please check the value of nodejs_version in /opt/iiab/iiab/vars/default_vars.yml and possibly also /etc/iiab/local_vars.yml"
     quiet: yes
 
 - name: "Set 'yarn_install: True' and 'yarn_enabled: True'"
@@ -30,6 +30,11 @@
     state: present
 
 
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # 2. CREATE 2 DIRS, WIPE /opt/iiab/internetarchive/node_modules & RUN YARN
 
 - name: mkdir {{ internetarchive_dir }}
@@ -64,6 +69,17 @@
 
 # 4. RECORD Internet Archive AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'internetarchive_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: internetarchive
+    option: internetarchive_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'internetarchive_installed: True'"
   set_fact:
     internetarchive_installed: True

roles/jupyterhub/README.md

@@ -1,5 +1,7 @@
 ## JupyterHub programming environment with student Notebooks
 
+### CAUTION: Internet-in-a-Box (IIAB) does not support JupyterHub on 32-bit OS's, where installation will likely fail ([#3639](https://github.com/iiab/iiab/issues/3639)).
+
 #### Secondary schools may want to consider JupyterHub to integrate coding with dynamic interactive graphing — A New Way to Think About Programming — allowing students to integrate science experiment results and program output within their own blog-like "Jupyter Notebooks."
 
 * Jupyter Notebooks are widely used in the scientific community:
@@ -9,10 +11,11 @@
   * [JupyterHub changelog](https://jupyterhub.readthedocs.io/en/stable/changelog.html#changelog)
 * Students create their own accounts on first use — e.g. at http://box.lan/jupyterhub — just as if they're logging in regularly (unfortunately the login screen doesn't make that clear, but the teacher _does not_ need to be involved!)
   * A student can then sign in with their username and password, to gain access to their files (Jupyter Notebooks).
-  * The teacher should set and protect JupyterHub's overall `Admin` password, just in case.  As with student accounts, the login screen doesn't make that clear — so just log in with username `Admin` — using any password that you want to become permanent.
+  * The teacher should set and protect JupyterHub's overall `Admin` password, just in case.  As with student accounts, the login screen unfortunately doesn't make that clear — so just log in with username `Admin` — using any password that you want to become permanent.
-* Individual student folders are created in `/var/lib/private/` on the Internet-in-a-Box (IIAB) server:
+* Individual student folders are created in `/var/lib/private/` on your Internet-in-a-Box (IIAB) server:
   * A student will only be able to see their own work — they do not have privileges outside of their own folder.
   * Students may upload Jupyter Notebooks to the IIAB server, and download the current state of their work via a normal browser.
+  * Linux administrators can read more about JupyterHub's [Local Users](https://github.com/jupyterhub/systemdspawner#local-users) and [c.SystemdSpawner.dynamic_users = True](https://github.com/jupyterhub/systemdspawner#dynamic_users)
 
 ### Settings
 
@@ -26,10 +29,11 @@ In some rare circumstances, it may be necessary to restart JupyterHub's systemd
 sudo systemctl restart jupyterhub
 ```
 
-FYI `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated with the usual formula:
+FYI `/opt/iiab/jupyterhub` is a Python 3 virtual environment, that can be activated (and deactivated) with the usual:
 
 ```
 source /opt/iiab/jupyterhub/bin/activate
+(jupyterhub) root@box:~# deactivate
 ```
 
 Passwords are hashed using 4096 rounds of the latest Blowfish (bcrypt's $2b$ algorithm) and stored in:
@@ -42,19 +46,19 @@ Passwords are hashed using 4096 rounds of the latest Blowfish (bcrypt's $2b$ alg
 
 Users can change their password by logging in, and then visiting URL: http://box.lan/jupyterhub/auth/change-password
 
-NOTE: This is the only way to change the password for user 'Admin', because Control Panel > Admin (below) does not permit deletion of this account.
+NOTE: This is the only way to change the password for user `Admin`, because **File > Hub Control Panel > Admin** (below) does not permit deletion of this account.
 
-### Control Panel > Admin page, to manage other accounts
+### File > Hub Control Panel > Admin, to manage accounts
 
 The `Admin` user (and any users given `Admin` privilege) can reset user passwords by deleting the user from JupyterHub's **Admin** page (below).  This logs the user out, but does not remove any of their data or home directories.  The user can then set a new password in the usual way — simply by logging in.  Example:
 
-1. As a user with `Admin` privilege, click **Control Panel** in the top right of your JupyterHub:
+1. As a user with `Admin` privilege, click **File > Hub Control Panel** in your JupyterHub:
 
-   ![Control panel button in notebook, top right](control-panel-button1.png)
+   ![image](https://user-images.githubusercontent.com/2458907/217602766-ab6a9d3c-9f92-496e-a0e8-6c18a084e960.png)
 
-2. In the Control Panel, open the **Admin** link in the top left:
+2. At the top of the Control Panel, click **Admin**:
 
-   ![Admin button in control panel, top left](admin-access-button1.png)
+   ![image](https://user-images.githubusercontent.com/2458907/217602473-f4f9fd40-b4c1-45e1-88c5-54c6d4b604ff.png)
 
    This opens up the JupyterHub Admin page, where you can add / delete users, start / stop peoples’ servers and see who is online.
 
@@ -70,6 +74,20 @@ The `Admin` user (and any users given `Admin` privilege) can reset user password
 
 _WARNING: If on login users see "500 : Internal Server Error", you may need to remove ALL files of the form_ `/run/jupyter-johndoe-singleuser`
 
+### Logging
+
+To see JupyterHub's (typically very long!) log, run:
+
+```
+journalctl -u jupyterhub
+```
+
+Sometimes other logs might also be available, e.g.:
+
+```
+journalctl -u jupyter-admin-singleuser
+```
+
 ### PAWS/Jupyter Notebooks for Python Beginners
 
 While PAWS is a little bit off topic, if you have an interest in Wikipedia, please do see this 23m 42s video ["Intro to PAWS/Jupyter notebooks for Python beginners"](https://www.youtube.com/watch?v=AUZkioRI-aA&list=PLeoTcBlDanyNQXBqI1rVXUqUTSSiuSIXN&index=8) by Chico Venancio, from 2021-06-01.

roles/jupyterhub/tasks/install.yml

@@ -13,10 +13,20 @@
   when: nodejs_installed is undefined
 
 
-- name: "Install package: python3-venv"
+- name: Record (initial) disk space used
-  package:
+  shell: df -B1 --output=used / | tail -1
-    name: python3-venv
+  register: df1
-    state: present
+
+# 2025-02-16
+#- name: "Install package: python3-psutil"
+#  package:
+#    name: python3-psutil
+#    state: present
+
+- name: Remove previous virtual environment {{ jupyterhub_venv }}
+  file:
+    path: "{{ jupyterhub_venv }}"
+    state: absent
 
 - name: Make 3 directories to hold JupyterHub config
   file:
@@ -33,17 +43,18 @@
     global: yes
     state: latest
 
-- name: "pip install 3 packages into virtual environment: {{ jupyterhub_venv }} (~271 MB total, after 2 Ansible calls)"
+- name: "pip install 3 packages into virtual environment: {{ jupyterhub_venv }} (~316 MB total, after 2 Ansible calls)"
   pip:
     name:
       - pip
       - wheel
       - jupyterhub
     virtualenv: "{{ jupyterhub_venv }}"    # /opt/iiab/jupyterhub
-    virtualenv_site_packages: no
+    #virtualenv_site_packages: no
-    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RasPiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2025-02-16
+    #virtualenv_command: python3 -m venv --system-site-packages "{{ jupyterhub_venv }}"    # 2021-07-29: This works on RasPiOS 10, Debian 11, Ubuntu 20.04 and Mint 20 -- however if you absolutely must use the older Debian 10 -- you can work around errors "can't find Rust compiler" and "This package requires Rust >=1.41.0" if you (1) revert this line to 'virtualenv_command: virtualenv' AND (2) uncomment the line just below
     #virtualenv_python: python3    # 2021-07-29: Was needed when above line was 'virtualenv_command: virtualenv' (generally for Python 2)
-    extra_args: "--no-cache-dir"    # 2021-11-30, 2022-07-07: The "--pre" flag had earlier been needed, for beta-like pre-releases of JupyterHub 2.0.0
+    extra_args: "--no-cache-dir --prefer-binary"    # 2021-11-30, 2022-07-07: The "--pre" flag had earlier been needed, for beta-like pre-releases of JupyterHub 2.0.0
 
 # 2022-07-07: Attempting to "pip install" all 7 together (3 above + 4 below)
 # fails on OS's like 64-bit RasPiOS (but interestingly works on Ubuntu 22.04!)
@@ -57,9 +68,10 @@
       - jupyterhub-systemdspawner
       - ipywidgets
     virtualenv: "{{ jupyterhub_venv }}"
-    virtualenv_site_packages: no
+    #virtualenv_site_packages: no
-    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    
+    virtualenv_command: python3 -m venv "{{ jupyterhub_venv }}"    # 2025-02-16
-    extra_args: "--no-cache-dir"
+    #virtualenv_command: python3 -m venv --system-site-packages "{{ jupyterhub_venv }}"
+    extra_args: "--no-cache-dir --prefer-binary"    # 2023-10-01: Lifesaver when recent wheels (e.g. piwheels.org) are inevitably not yet built!  SEE #3560
 
 - name: "Install from template: {{ jupyterhub_venv }}/etc/jupyterhub/jupyterhub_config.py"
   template:
@@ -99,6 +111,17 @@
 
 # RECORD JupyterHub AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'jupyterhub_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: jupyterhub
+    option: jupyterhub_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'jupyterhub_installed: True'"
   set_fact:
     jupyterhub_installed: True

roles/jupyterhub/templates/jupyterhub_config.py.j2

@@ -1,5 +1,18 @@
+# 2023-02-10 /opt/iiab/jupyterhub/etc/jupyterhub/jupyterhub_config.py update:
+# https://jupyterhub.readthedocs.io/en/stable/getting-started/config-basics.html
+#
+# 1) To generate this 1500+ line stub, I first ran JupyterHub 3.1.1's:
+#    /opt/iiab/jupyterhub/bin/jupyterhub --generate-config
+# 2) Then I manually inserted 8 of IIAB's 10 legacy custom lines below, from:
+#    grep ^c /opt/iiab/iiab/roles/jupyterhub/templates/jupyterhub_config.py.j2
+# 3) Finally I added the following line on @jvonau's suggestion: (#3475)
+#    c.ConfigurableHTTPProxy.pid_file = "/run/jupyterhub-proxy.pid"
+
+
 # Configuration file for jupyterhub.
 
+c = get_config()  #noqa
+
 #------------------------------------------------------------------------------
 # Application(SingletonConfigurable) configuration
 #------------------------------------------------------------------------------
@@ -18,6 +31,53 @@
 #  Default: 30
 # c.Application.log_level = 30
 
+## Configure additional log handlers.
+#  
+#  The default stderr logs handler is configured by the log_level, log_datefmt
+#  and log_format settings.
+#  
+#  This configuration can be used to configure additional handlers (e.g. to
+#  output the log to a file) or for finer control over the default handlers.
+#  
+#  If provided this should be a logging configuration dictionary, for more
+#  information see:
+#  https://docs.python.org/3/library/logging.config.html#logging-config-
+#  dictschema
+#  
+#  This dictionary is merged with the base logging configuration which defines
+#  the following:
+#  
+#  * A logging formatter intended for interactive use called
+#    ``console``.
+#  * A logging handler that writes to stderr called
+#    ``console`` which uses the formatter ``console``.
+#  * A logger with the name of this application set to ``DEBUG``
+#    level.
+#  
+#  This example adds a new handler that writes to a file:
+#  
+#  .. code-block:: python
+#  
+#     c.Application.logging_config = {
+#         'handlers': {
+#             'file': {
+#                 'class': 'logging.FileHandler',
+#                 'level': 'DEBUG',
+#                 'filename': '<path/to/file>',
+#             }
+#         },
+#         'loggers': {
+#             '<application-name>': {
+#                 'level': 'DEBUG',
+#                 # NOTE: if you don't list the default "console"
+#                 # handler here then it will be disabled
+#                 'handlers': ['console', 'file'],
+#             },
+#         }
+#     }
+#  Default: {}
+# c.Application.logging_config = {}
+
 ## Instead of starting the Application, dump configuration to stdout
 #  Default: False
 # c.Application.show_config = False
@@ -60,11 +120,13 @@
 #  Default: 30
 # c.JupyterHub.activity_resolution = 30
 
-## Grant admin users permission to access single-user servers.
+## DEPRECATED since version 2.0.0.
 #  
-#  Users should be properly informed if this is enabled.
+#          The default admin role has full permissions, use custom RBAC scopes instead to
+#          create restricted administrator roles.
+#          https://jupyterhub.readthedocs.io/en/stable/rbac/index.html
 #  Default: False
-c.JupyterHub.admin_access = True
+# c.JupyterHub.admin_access = False
 
 ## DEPRECATED since version 0.7.2, use Authenticator.admin_users instead.
 #  Default: set()
@@ -78,14 +140,23 @@ c.JupyterHub.admin_access = True
 #  Default: False
 # c.JupyterHub.answer_yes = False
 
+## The default amount of records returned by a paginated endpoint
+#  Default: 50
+# c.JupyterHub.api_page_default_limit = 50
+
+## The maximum amount of records that can be returned at once
+#  Default: 200
+# c.JupyterHub.api_page_max_limit = 200
+
 ## PENDING DEPRECATION: consider using services
 #  
 #          Dict of token:username to be loaded into the database.
 #  
-#  Allows ahead-of-time generation of API tokens for use by externally managed
+#          Allows ahead-of-time generation of API tokens for use by externally managed services,
-#  services, which authenticate as JupyterHub users.
+#          which authenticate as JupyterHub users.
 #  
-#  Consider using services for general services that talk to the JupyterHub API.
+#          Consider using services for general services that talk to the
+#  JupyterHub API.
 #  Default: {}
 # c.JupyterHub.api_tokens = {}
 
@@ -112,30 +183,34 @@ c.JupyterHub.admin_access = True
 #  Currently installed: 
 #    - default: jupyterhub.auth.PAMAuthenticator
 #    - dummy: jupyterhub.auth.DummyAuthenticator
+#    - null: jupyterhub.auth.NullAuthenticator
 #    - pam: jupyterhub.auth.PAMAuthenticator
 #  Default: 'jupyterhub.auth.PAMAuthenticator'
+# c.JupyterHub.authenticator_class = 'jupyterhub.auth.PAMAuthenticator'
 c.JupyterHub.authenticator_class = 'firstuseauthenticator.FirstUseAuthenticator'
 
 ## The base URL of the entire application.
 #  
-#  Add this to the beginning of all JupyterHub URLs. Use base_url to run
+#          Add this to the beginning of all JupyterHub URLs.
-#  JupyterHub within an existing website.
+#          Use base_url to run JupyterHub within an existing website.
 #  
 #          .. deprecated: 0.9
 #              Use JupyterHub.bind_url
 #  Default: '/'
+# c.JupyterHub.base_url = '/'
 c.JupyterHub.base_url = '/jupyterhub'
 
 ## The public facing URL of the whole JupyterHub application.
 #  
-#  This is the address on which the proxy will bind. Sets protocol, ip, base_url
+#          This is the address on which the proxy will bind.
+#          Sets protocol, ip, base_url
 #  Default: 'http://:8000'
 # c.JupyterHub.bind_url = 'http://:8000'
 
 ## Whether to shutdown the proxy when the Hub shuts down.
 #  
-#  Disable if you want to be able to teardown the Hub while leaving the proxy
+#          Disable if you want to be able to teardown the Hub while leaving the
-#  running.
+#  proxy running.
 #  
 #          Only valid if the proxy was starting by the Hub process.
 #  
@@ -148,11 +223,11 @@ c.JupyterHub.base_url = '/jupyterhub'
 
 ## Whether to shutdown single-user servers when the Hub shuts down.
 #  
-#  Disable if you want to be able to teardown the Hub while leaving the single-
+#          Disable if you want to be able to teardown the Hub while leaving the
-#  user servers running.
+#  single-user servers running.
 #  
-#  If both this and cleanup_proxy are False, sending SIGINT to the Hub will only
+#          If both this and cleanup_proxy are False, sending SIGINT to the Hub will
-#  shutdown the Hub, leaving everything else running.
+#          only shutdown the Hub, leaving everything else running.
 #  
 #          The Hub should be able to resume from database state.
 #  Default: True
@@ -184,7 +259,8 @@ c.JupyterHub.base_url = '/jupyterhub'
 #  Default: False
 # c.JupyterHub.confirm_no_ssl = False
 
-## Number of days for a login cookie to be valid. Default is two weeks.
+## Number of days for a login cookie to be valid.
+#          Default is two weeks.
 #  Default: 14
 # c.JupyterHub.cookie_max_age_days = 14
 
@@ -193,24 +269,44 @@ c.JupyterHub.base_url = '/jupyterhub'
 #          Loaded from the JPY_COOKIE_SECRET env variable by default.
 #  
 #          Should be exactly 256 bits (32 bytes).
-#  Default: b''
+#  Default: traitlets.Undefined
+# c.JupyterHub.cookie_secret = traitlets.Undefined
 c.JupyterHub.cookie_secret = b'helloiiabitsrainingb123456789012'
 
 ## File in which to store the cookie secret.
 #  Default: 'jupyterhub_cookie_secret'
 # c.JupyterHub.cookie_secret_file = 'jupyterhub_cookie_secret'
 
-## The location of jupyterhub data files (e.g. /usr/local/share/jupyterhub)
+## Custom scopes to define.
-#  Default: '/opt/iiab/jupyter/share/jupyterhub'
+#  
-# c.JupyterHub.data_files_path = '/opt/iiab/jupyter/share/jupyterhub'
+#          For use when defining custom roles,
+#          to grant users granular permissions
+#  
+#          All custom scopes must have a description,
+#          and must start with the prefix `custom:`.
+#  
+#          For example::
+#  
+#              custom_scopes = {
+#                  "custom:jupyter_server:read": {
+#                      "description": "read-only access to a single-user server",
+#                  },
+#              }
+#  Default: {}
+# c.JupyterHub.custom_scopes = {}
 
-## Include any kwargs to pass to the database connection. See
+## The location of jupyterhub data files (e.g. /usr/local/share/jupyterhub)
-#  sqlalchemy.create_engine for details.
+#  Default: '/opt/iiab/jupyterhub/share/jupyterhub'
+# c.JupyterHub.data_files_path = '/opt/iiab/jupyterhub/share/jupyterhub'
+
+## Include any kwargs to pass to the database connection.
+#          See sqlalchemy.create_engine for details.
 #  Default: {}
 # c.JupyterHub.db_kwargs = {}
 
 ## url for the database. e.g. `sqlite:///jupyterhub.sqlite`
 #  Default: 'sqlite:///jupyterhub.sqlite'
+# c.JupyterHub.db_url = 'sqlite:///jupyterhub.sqlite'
 c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 
 ## log all database transactions. This has A LOT of output
@@ -221,8 +317,13 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  Default: False
 # c.JupyterHub.debug_proxy = False
 
-## If named servers are enabled, default name of server to spawn or open, e.g. by
+## If named servers are enabled, default name of server to spawn or open when no
-#  user-redirect.
+#  server is specified, e.g. by user-redirect.
+#  
+#  Note: This has no effect if named servers are not enabled, and does _not_
+#  change the existence or behavior of the default server named `''` (the empty
+#  string). This only affects which named server is launched when no server is
+#  specified, e.g. by links to `/hub/user-redirect/lab/tree/mynotebook.ipynb`.
 #  Default: ''
 # c.JupyterHub.default_server_name = ''
 
@@ -245,9 +346,9 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  Default: traitlets.Undefined
 # c.JupyterHub.default_url = traitlets.Undefined
 
-## Dict authority:dict(files). Specify the key, cert, and/or ca file for an
+## Dict authority:dict(files). Specify the key, cert, and/or
-#  authority. This is useful for externally managed proxies that wish to use
+#          ca file for an authority. This is useful for externally managed
-#  internal_ssl.
+#          proxies that wish to use internal_ssl.
 #  
 #          The files dict has this format (you must specify at least a cert)::
 #  
@@ -257,18 +358,16 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #                  'ca': '/path/to/ca.crt'
 #              }
 #  
-#  The authorities you can override: 'hub-ca', 'notebooks-ca', 'proxy-api-ca',
+#          The authorities you can override: 'hub-ca', 'notebooks-ca',
-#  'proxy-client-ca', and 'services-ca'.
+#          'proxy-api-ca', 'proxy-client-ca', and 'services-ca'.
 #  
 #          Use with internal_ssl
 #  Default: {}
 # c.JupyterHub.external_ssl_authorities = {}
 
-## Register extra tornado Handlers for jupyterhub.
+## DEPRECATED.
 #  
-#  Should be of the form ``("<regex>", Handler)``
+#  If you need to register additional HTTP endpoints please use services instead.
-#  
-#  The Hub prefix will be added, so `/my-page` will be served at `/hub/my-page`.
 #  Default: []
 # c.JupyterHub.extra_handlers = []
 
@@ -282,6 +381,14 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  Default: []
 # c.JupyterHub.extra_log_handlers = []
 
+## Alternate header to use as the Host (e.g., X-Forwarded-Host)
+#          when determining whether a request is cross-origin
+#  
+#          This may be useful when JupyterHub is running behind a proxy that rewrites
+#          the Host header.
+#  Default: ''
+# c.JupyterHub.forwarded_host_header = ''
+
 ## Generate certs used for internal ssl
 #  Default: False
 # c.JupyterHub.generate_certs = False
@@ -303,17 +410,17 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  Default: ''
 # c.JupyterHub.hub_bind_url = ''
 
-## The ip or hostname for proxies and spawners to use for connecting to the Hub.
+## The ip or hostname for proxies and spawners to use
+#          for connecting to the Hub.
 #  
 #          Use when the bind address (`hub_ip`) is 0.0.0.0, :: or otherwise different
 #          from the connect address.
 #  
-#  Default: when `hub_ip` is 0.0.0.0 or ::, use `socket.gethostname()`, otherwise
+#          Default: when `hub_ip` is 0.0.0.0 or ::, use `socket.gethostname()`,
-#  use `hub_ip`.
+#  otherwise use `hub_ip`.
 #  
-#  Note: Some spawners or proxy implementations might not support hostnames.
+#          Note: Some spawners or proxy implementations might not support hostnames. Check your
-#  Check your spawner or proxy documentation to see if they have extra
+#          spawner or proxy documentation to see if they have extra requirements.
-#  requirements.
 #  
 #          .. versionadded:: 0.8
 #  Default: ''
@@ -346,39 +453,59 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 
 ## The ip address for the Hub process to *bind* to.
 #  
-#  By default, the hub listens on localhost only. This address must be accessible
+#          By default, the hub listens on localhost only. This address must be accessible from
-#  from the proxy and user servers. You may need to set this to a public ip or ''
+#          the proxy and user servers. You may need to set this to a public ip or '' for all
-#  for all interfaces if the proxy or user servers are in containers or on a
+#          interfaces if the proxy or user servers are in containers or on a different host.
-#  different host.
 #  
-#  See `hub_connect_ip` for cases where the bind and connect address should
+#          See `hub_connect_ip` for cases where the bind and connect address should differ,
-#  differ, or `hub_bind_url` for setting the full bind URL.
+#          or `hub_bind_url` for setting the full bind URL.
 #  Default: '127.0.0.1'
 # c.JupyterHub.hub_ip = '127.0.0.1'
 
 ## The internal port for the Hub process.
 #  
-#  This is the internal port of the hub itself. It should never be accessed
+#          This is the internal port of the hub itself. It should never be accessed directly.
-#  directly. See JupyterHub.port for the public port to use when accessing
+#          See JupyterHub.port for the public port to use when accessing jupyterhub.
-#  jupyterhub. It is rare that this port should be set except in cases of port
+#          It is rare that this port should be set except in cases of port conflict.
-#  conflict.
 #  
-#  See also `hub_ip` for the ip and `hub_bind_url` for setting the full bind URL.
+#          See also `hub_ip` for the ip and `hub_bind_url` for setting the full
+#  bind URL.
 #  Default: 8081
 # c.JupyterHub.hub_port = 8081
 
+## The routing prefix for the Hub itself.
+#  
+#  Override to send only a subset of traffic to the Hub. Default is to use the
+#  Hub as the default route for all requests.
+#  
+#  This is necessary for normal jupyterhub operation, as the Hub must receive
+#  requests for e.g. `/user/:name` when the user's server is not running.
+#  
+#  However, some deployments using only the JupyterHub API may want to handle
+#  these events themselves, in which case they can register their own default
+#  target with the proxy and set e.g. `hub_routespec = /hub/` to serve only the
+#  hub's own pages, or even `/hub/api/` for api-only operation.
+#  
+#  Note: hub_routespec must include the base_url, if any.
+#  
+#  .. versionadded:: 1.4
+#  Default: '/'
+# c.JupyterHub.hub_routespec = '/'
+
 ## Trigger implicit spawns after this many seconds.
 #  
-#  When a user visits a URL for a server that's not running, they are shown a
+#          When a user visits a URL for a server that's not running,
-#  page indicating that the requested server is not running with a button to
+#          they are shown a page indicating that the requested server
-#  spawn the server.
+#          is not running with a button to spawn the server.
 #  
-#  Setting this to a positive value will redirect the user after this many
+#          Setting this to a positive value will redirect the user
-#  seconds, effectively clicking this button automatically for the users,
+#          after this many seconds, effectively clicking this button
+#          automatically for the users,
 #          automatically beginning the spawn process.
 #  
-#  Warning: this can result in errors and surprising behavior when sharing access
+#          Warning: this can result in errors and surprising behavior
-#  URLs to actual servers, since the wrong server is likely to be started.
+#          when sharing access URLs to actual servers,
+#          since the wrong server is likely to be started.
 #  Default: 0
 # c.JupyterHub.implicit_spawn_seconds = 0
 
@@ -398,7 +525,8 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  Default: 10
 # c.JupyterHub.init_spawners_timeout = 10
 
-## The location to store certificates automatically created by JupyterHub.
+## The location to store certificates automatically created by
+#          JupyterHub.
 #  
 #          Use with internal_ssl
 #  Default: 'internal-ssl'
@@ -407,17 +535,17 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 ## Enable SSL for all internal communication
 #  
 #          This enables end-to-end encryption between all JupyterHub components.
-#  JupyterHub will automatically create the necessary certificate authority and
+#          JupyterHub will automatically create the necessary certificate
-#  sign notebook certificates as they're created.
+#          authority and sign notebook certificates as they're created.
 #  Default: False
 # c.JupyterHub.internal_ssl = False
 
-## The public facing ip of the whole JupyterHub application (specifically
+## The public facing ip of the whole JupyterHub application
-#  referred to as the proxy).
+#          (specifically referred to as the proxy).
 #  
-#  This is the address on which the proxy will listen. The default is to listen
+#          This is the address on which the proxy will listen. The default is to
-#  on all interfaces. This is the only address through which JupyterHub should be
+#          listen on all interfaces. This is the only address through which JupyterHub
-#  accessed by users.
+#          should be accessed by users.
 #  
 #          .. deprecated: 0.9
 #              Use JupyterHub.bind_url
@@ -436,12 +564,34 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  
 #          This strictly *adds* groups and users to groups.
 #  
-#  Loading one set of groups, then starting JupyterHub again with a different set
+#          Loading one set of groups, then starting JupyterHub again with a different
-#  will not remove users or groups from previous launches. That must be done
+#          set will not remove users or groups from previous launches.
-#  through the API.
+#          That must be done through the API.
 #  Default: {}
 # c.JupyterHub.load_groups = {}
 
+## List of predefined role dictionaries to load at startup.
+#  
+#          For instance::
+#  
+#              load_roles = [
+#                              {
+#                                  'name': 'teacher',
+#                                  'description': 'Access to users' information and group membership',
+#                                  'scopes': ['users', 'groups'],
+#                                  'users': ['cyclops', 'gandalf'],
+#                                  'services': [],
+#                                  'groups': []
+#                              }
+#                          ]
+#  
+#          All keys apart from 'name' are optional.
+#          See all the available scopes in the JupyterHub REST API documentation.
+#  
+#          Default roles are defined in roles.py.
+#  Default: []
+# c.JupyterHub.load_roles = []
+
 ## The date format used by logging formatters for %(asctime)s
 #  See also: Application.log_datefmt
 # c.JupyterHub.log_datefmt = '%Y-%m-%d %H:%M:%S'
@@ -454,6 +604,10 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  See also: Application.log_level
 # c.JupyterHub.log_level = 30
 
+## 
+#  See also: Application.logging_config
+# c.JupyterHub.logging_config = {}
+
 ## Specify path to a logo image to override the Jupyter logo in the banner.
 #  Default: ''
 # c.JupyterHub.logo_file = ''
@@ -464,17 +618,59 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  Setting this can limit the total resources a user can consume.
 #  
 #  If set to 0, no limit is enforced.
+#  
+#  Can be an integer or a callable/awaitable based on the handler object:
+#  
+#  ::
+#  
+#      def named_server_limit_per_user_fn(handler):
+#          user = handler.current_user
+#          if user and user.admin:
+#              return 0
+#          return 5
+#  
+#      c.JupyterHub.named_server_limit_per_user = named_server_limit_per_user_fn
 #  Default: 0
 # c.JupyterHub.named_server_limit_per_user = 0
 
-## File to write PID Useful for daemonizing JupyterHub.
+## Expiry (in seconds) of OAuth access tokens.
+#  
+#          The default is to expire when the cookie storing them expires,
+#          according to `cookie_max_age_days` config.
+#  
+#          These are the tokens stored in cookies when you visit
+#          a single-user server or service.
+#          When they expire, you must re-authenticate with the Hub,
+#          even if your Hub authentication is still valid.
+#          If your Hub authentication is valid,
+#          logging in may be a transparent redirect as you refresh the page.
+#  
+#          This does not affect JupyterHub API tokens in general,
+#          which do not expire by default.
+#          Only tokens issued during the oauth flow
+#          accessing services and single-user servers are affected.
+#  
+#          .. versionadded:: 1.4
+#              OAuth token expires_in was not previously configurable.
+#          .. versionchanged:: 1.4
+#              Default now uses cookie_max_age_days so that oauth tokens
+#              which are generally stored in cookies,
+#              expire when the cookies storing them expire.
+#              Previously, it was one hour.
+#  Default: 0
+# c.JupyterHub.oauth_token_expires_in = 0
+
+## File to write PID
+#          Useful for daemonizing JupyterHub.
 #  Default: ''
 # c.JupyterHub.pid_file = ''
+c.ConfigurableHTTPProxy.pid_file = "/run/jupyterhub-proxy.pid"
 
 ## The public facing port of the proxy.
 #  
-#  This is the port on which the proxy will listen. This is the only port through
+#          This is the port on which the proxy will listen.
-#  which JupyterHub should be accessed by users.
+#          This is the only port through which JupyterHub
+#          should be accessed by users.
 #  
 #          .. deprecated: 0.9
 #              Use JupyterHub.bind_url
@@ -493,9 +689,9 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #  Default: ''
 # c.JupyterHub.proxy_auth_token = ''
 
-## Interval (in seconds) at which to check if the proxy is running.
+## DEPRECATED since version 0.8: Use ConfigurableHTTPProxy.check_running_interval
-#  Default: 30
+#  Default: 5
-# c.JupyterHub.proxy_check_interval = 30
+# c.JupyterHub.proxy_check_interval = 5
 
 ## The class to use for configuring the JupyterHub proxy.
 #  
@@ -538,8 +734,8 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 
 ## Dict of token:servicename to be loaded into the database.
 #  
-#  Allows ahead-of-time generation of API tokens for use by externally managed
+#          Allows ahead-of-time generation of API tokens for use by externally
-#  services.
+#  managed services.
 #  Default: {}
 # c.JupyterHub.service_tokens = {}
 
@@ -585,11 +781,15 @@ c.JupyterHub.db_url = 'sqlite:///{{ jupyterhub_venv }}/jupyterhub.sqlite'
 #              e.g. `c.JupyterHub.spawner_class = 'localprocess'`
 #  
 #  Currently installed: 
+#    - systemd: systemdspawner.SystemdSpawner
+#    - systemdspawner: systemdspawner.SystemdSpawner
 #    - default: jupyterhub.spawner.LocalProcessSpawner
 #    - localprocess: jupyterhub.spawner.LocalProcessSpawner
 #    - simple: jupyterhub.spawner.SimpleLocalProcessSpawner
 #  Default: 'jupyterhub.spawner.LocalProcessSpawner'
+# c.JupyterHub.spawner_class = 'jupyterhub.spawner.LocalProcessSpawner'
 c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
+c.SystemdSpawner.dynamic_users = True
 
 ## Path to SSL certificate file for the public facing interface of the proxy
 #  
@@ -620,15 +820,16 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  
 #          This should be the full `https://hub.domain.tld[:port]`.
 #  
-#  Provides additional cross-site protections for javascript served by single-
+#          Provides additional cross-site protections for javascript served by
-#  user servers.
+#  single-user servers.
 #  
 #          Requires `<username>.hub.domain.tld` to resolve to the same host as
 #  `hub.domain.tld`.
 #  
 #          In general, this is most easily achieved with wildcard DNS.
 #  
-#  When using SSL (i.e. always) this also requires a wildcard SSL certificate.
+#          When using SSL (i.e. always) this also requires a wildcard SSL
+#  certificate.
 #  Default: ''
 # c.JupyterHub.subdomain_host = ''
 
@@ -644,32 +845,32 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  Default: {}
 # c.JupyterHub.tornado_settings = {}
 
-## Trust user-provided tokens (via JupyterHub.service_tokens) to have good
+## Trust user-provided tokens (via JupyterHub.service_tokens)
-#  entropy.
+#          to have good entropy.
 #  
-#  If you are not inserting additional tokens via configuration file, this flag
+#          If you are not inserting additional tokens via configuration file,
-#  has no effect.
+#          this flag has no effect.
 #  
-#  In JupyterHub 0.8, internally generated tokens do not pass through additional
+#          In JupyterHub 0.8, internally generated tokens do not
-#  hashing because the hashing is costly and does not increase the entropy of
+#          pass through additional hashing because the hashing is costly
-#  already-good UUIDs.
+#          and does not increase the entropy of already-good UUIDs.
 #  
-#  User-provided tokens, on the other hand, are not trusted to have good entropy
+#          User-provided tokens, on the other hand, are not trusted to have good entropy by default,
-#  by default, and are passed through many rounds of hashing to stretch the
+#          and are passed through many rounds of hashing to stretch the entropy of the key
-#  entropy of the key (i.e. user-provided tokens are treated as passwords instead
+#          (i.e. user-provided tokens are treated as passwords instead of random keys).
-#  of random keys). These keys are more costly to check.
+#          These keys are more costly to check.
 #  
-#  If your inserted tokens are generated by a good-quality mechanism, e.g.
+#          If your inserted tokens are generated by a good-quality mechanism,
-#  `openssl rand -hex 32`, then you can set this flag to True to reduce the cost
+#          e.g. `openssl rand -hex 32`, then you can set this flag to True
-#  of checking authentication tokens.
+#          to reduce the cost of checking authentication tokens.
 #  Default: False
 # c.JupyterHub.trust_user_provided_tokens = False
 
 ## Names to include in the subject alternative name.
 #  
-#  These names will be used for server name verification. This is useful if
+#          These names will be used for server name verification. This is useful
-#  JupyterHub is being run behind a reverse proxy or services using ssl are on
+#          if JupyterHub is being run behind a reverse proxy or services using ssl
-#  different hosts.
+#          are on different hosts.
 #  
 #          Use with internal_ssl
 #  Default: []
@@ -677,21 +878,36 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 
 ## Downstream proxy IP addresses to trust.
 #  
-#  This sets the list of IP addresses that are trusted and skipped when
+#          This sets the list of IP addresses that are trusted and skipped when processing
-#  processing the `X-Forwarded-For` header. For example, if an external proxy is
+#          the `X-Forwarded-For` header. For example, if an external proxy is used for TLS
-#  used for TLS termination, its IP address should be added to this list to
+#          termination, its IP address should be added to this list to ensure the correct
-#  ensure the correct client IP addresses are recorded in the logs instead of the
+#          client IP addresses are recorded in the logs instead of the proxy server's IP
-#  proxy server's IP address.
+#          address.
 #  Default: []
 # c.JupyterHub.trusted_downstream_ips = []
 
 ## Upgrade the database automatically on start.
 #  
-#  Only safe if database is regularly backed up. Only SQLite databases will be
+#          Only safe if database is regularly backed up.
-#  backed up to a local file automatically.
+#          Only SQLite databases will be backed up to a local file automatically.
 #  Default: False
 # c.JupyterHub.upgrade_db = False
 
+## Return 503 rather than 424 when request comes in for a non-running server.
+#  
+#  Prior to JupyterHub 2.0, we returned a 503 when any request came in for a user
+#  server that was currently not running. By default, JupyterHub 2.0 will return
+#  a 424 - this makes operational metric dashboards more useful.
+#  
+#  JupyterLab < 3.2 expected the 503 to know if the user server is no longer
+#  running, and prompted the user to start their server. Set this config to true
+#  to retain the old behavior, so JupyterLab < 3.2 can continue to show the
+#  appropriate UI when the user server is stopped.
+#  
+#  This option will be removed in a future release.
+#  Default: False
+# c.JupyterHub.use_legacy_stopped_server_status_code = False
+
 ## Callable to affect behavior of /user-redirect/
 #  
 #  Receives 4 parameters: 1. path - URL path that was provided after /user-
@@ -711,10 +927,14 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  
 #      Subclass this, and override the following methods:
 #  
-#  - load_state - get_state - start - stop - poll
+#      - load_state
+#      - get_state
+#      - start
+#      - stop
+#      - poll
 #  
-#  As JupyterHub supports multiple users, an instance of the Spawner subclass is
+#      As JupyterHub supports multiple users, an instance of the Spawner subclass
-#  created for each user. If there are 20 JupyterHub users, there will be 20
+#      is created for each user. If there are 20 JupyterHub users, there will be 20
 #      instances of the subclass.
 
 ## Extra arguments to be passed to the single-user server.
@@ -862,12 +1082,32 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  Default: 30
 # c.Spawner.http_timeout = 30
 
+## The URL the single-user server should connect to the Hub.
+#  
+#  If the Hub URL set in your JupyterHub config is not reachable from spawned
+#  notebooks, you can set differnt URL by this config.
+#  
+#  Is None if you don't need to change the URL.
+#  Default: None
+# c.Spawner.hub_connect_url = None
+
 ## The IP address (or hostname) the single-user server should listen on.
 #  
+#  Usually either '127.0.0.1' (default) or '0.0.0.0'.
+#  
 #  The JupyterHub proxy implementation should be able to send packets to this
 #  interface.
-#  Default: ''
+#  
-# c.Spawner.ip = ''
+#  Subclasses which launch remotely or in containers should override the default
+#  to '0.0.0.0'.
+#  
+#  .. versionchanged:: 2.0
+#      Default changed to '127.0.0.1', from ''.
+#      In most cases, this does not result in a change in behavior,
+#      as '' was interpreted as 'unspecified',
+#      which used the subprocesses' own default, itself usually '127.0.0.1'.
+#  Default: '127.0.0.1'
+# c.Spawner.ip = '127.0.0.1'
 
 ## Minimum number of bytes a single-user notebook server is guaranteed to have
 #  available.
@@ -918,6 +1158,35 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  Default: ''
 # c.Spawner.notebook_dir = ''
 
+## Allowed scopes for oauth tokens issued by this server's oauth client.
+#  
+#          This sets the maximum and default scopes
+#          assigned to oauth tokens issued by a single-user server's
+#          oauth client (i.e. tokens stored in browsers after authenticating with the server),
+#          defining what actions the server can take on behalf of logged-in users.
+#  
+#          Default is an empty list, meaning minimal permissions to identify users,
+#          no actions can be taken on their behalf.
+#  
+#          If callable, will be called with the Spawner as a single argument.
+#          Callables may be async.
+#  Default: traitlets.Undefined
+# c.Spawner.oauth_client_allowed_scopes = traitlets.Undefined
+
+## Allowed roles for oauth tokens.
+#  
+#          Deprecated in 3.0: use oauth_client_allowed_scopes
+#  
+#          This sets the maximum and default roles
+#          assigned to oauth tokens issued by a single-user server's
+#          oauth client (i.e. tokens stored in browsers after authenticating with the server),
+#          defining what actions the server can take on behalf of logged-in users.
+#  
+#          Default is an empty list, meaning minimal permissions to identify users,
+#          no actions can be taken on their behalf.
+#  Default: traitlets.Undefined
+# c.Spawner.oauth_roles = traitlets.Undefined
+
 ## An HTML form for options a user can specify on launching their server.
 #  
 #  The surrounding `<form>` element and the submit button are already provided.
@@ -1021,8 +1290,8 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 
 ## List of SSL alt names
 #  
-#  May be set in config if all spawners should have the same value(s), or set at
+#          May be set in config if all spawners should have the same value(s),
-#  runtime by Spawner that know their names.
+#          or set at runtime by Spawner that know their names.
 #  Default: []
 # c.Spawner.ssl_alt_names = []
 
@@ -1046,6 +1315,9 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 
 ## Set of users that will have admin rights on this JupyterHub.
 #  
+#  Note: As of JupyterHub 2.0, full admin rights should not be required, and more
+#  precise permissions can be managed via roles.
+#  
 #  Admin users have extra privileges:
 #   - Use the admin panel to see list of users logged in
 #   - Add / remove users in some authenticators
@@ -1057,6 +1329,7 @@ c.JupyterHub.spawner_class = 'systemdspawner.SystemdSpawner'
 #  
 #  Defaults to an empty set, in which case no user has admin access.
 #  Default: set()
+# c.Authenticator.admin_users = set()
 c.Authenticator.admin_users = set(['admin'])
 c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 
@@ -1064,7 +1337,8 @@ c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 #  
 #  Use this with supported authenticators to restrict which users can log in.
 #  This is an additional list that further restricts users, beyond whatever
-#  restrictions the authenticator has in place.
+#  restrictions the authenticator has in place. Any user in this list is granted
+#  the 'user' role on hub startup.
 #  
 #  If empty, does not perform any additional restriction.
 #  
@@ -1073,10 +1347,11 @@ c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 #  Default: set()
 # c.Authenticator.allowed_users = set()
 
-## The max age (in seconds) of authentication info before forcing a refresh of
+## The max age (in seconds) of authentication info
-#  user auth info.
+#          before forcing a refresh of user auth info.
 #  
-#  Refreshing auth info allows, e.g. requesting/re-validating auth tokens.
+#          Refreshing auth info allows, e.g. requesting/re-validating auth
+#  tokens.
 #  
 #          See :meth:`.refresh_user` for what happens when user auth info is refreshed
 #          (nothing by default).
@@ -1088,13 +1363,27 @@ c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 #          rather than starting with a "Login with..." link at `/hub/login`
 #  
 #          To work, `.login_url()` must give a URL other than the default `/hub/login`,
-#  such as an oauth handler or another automatic login handler, registered with
+#          such as an oauth handler or another automatic login handler,
-#  `.get_handlers()`.
+#          registered with `.get_handlers()`.
 #  
 #          .. versionadded:: 0.8
 #  Default: False
 # c.Authenticator.auto_login = False
 
+## Automatically begin login process for OAuth2 authorization requests
+#  
+#  When another application is using JupyterHub as OAuth2 provider, it sends
+#  users to `/hub/api/oauth2/authorize`. If the user isn't logged in already, and
+#  auto_login is not set, the user will be dumped on the hub's home page, without
+#  any context on what to do next.
+#  
+#  Setting this to true will automatically redirect users to login if they aren't
+#  logged in *only* on the `/hub/api/oauth2/authorize` endpoint.
+#  
+#  .. versionadded:: 1.5
+#  Default: False
+# c.Authenticator.auto_login_oauth2_authorize = False
+
 ## Set of usernames that are not allowed to log in.
 #  
 #  Use this with supported authenticators to restrict which users can not log in.
@@ -1112,29 +1401,31 @@ c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 
 ## Delete any users from the database that do not pass validation
 #  
-#  When JupyterHub starts, `.add_user` will be called on each user in the
+#          When JupyterHub starts, `.add_user` will be called
-#  database to verify that all users are still valid.
+#          on each user in the database to verify that all users are still valid.
 #  
-#  If `delete_invalid_users` is True, any users that do not pass validation will
+#          If `delete_invalid_users` is True,
-#  be deleted from the database. Use this if users might be deleted from an
+#          any users that do not pass validation will be deleted from the database.
-#  external system, such as local user accounts.
+#          Use this if users might be deleted from an external system,
+#          such as local user accounts.
 #  
-#  If False (default), invalid users remain in the Hub's database and a warning
+#          If False (default), invalid users remain in the Hub's database
-#  will be issued. This is the default to avoid data loss due to config changes.
+#          and a warning will be issued.
+#          This is the default to avoid data loss due to config changes.
 #  Default: False
 # c.Authenticator.delete_invalid_users = False
 
 ## Enable persisting auth_state (if available).
 #  
-#  auth_state will be encrypted and stored in the Hub's database. This can
+#          auth_state will be encrypted and stored in the Hub's database.
-#  include things like authentication tokens, etc. to be passed to Spawners as
+#          This can include things like authentication tokens, etc.
-#  environment variables.
+#          to be passed to Spawners as environment variables.
 #  
 #          Encrypting auth_state requires the cryptography package.
 #  
-#  Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must contain one
+#          Additionally, the JUPYTERHUB_CRYPT_KEY environment variable must
-#  (or more, separated by ;) 32B encryption keys. These can be either base64 or
+#          contain one (or more, separated by ;) 32B encryption keys.
-#  hex-encoded.
+#          These can be either base64 or hex-encoded.
 #  
 #          If encryption is unavailable, auth_state cannot be persisted.
 #  
@@ -1142,6 +1433,16 @@ c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 #  Default: False
 # c.Authenticator.enable_auth_state = False
 
+## Let authenticator manage user groups
+#  
+#          If True, Authenticator.authenticate and/or .refresh_user
+#          may return a list of group names in the 'groups' field,
+#          which will be assigned to the user.
+#  
+#          All group-assignment APIs are disabled if this is True.
+#  Default: False
+# c.Authenticator.manage_groups = False
+
 ## An optional hook function that you can implement to do some bootstrapping work
 #  during authentication. For example, loading user account details from an
 #  external system.
@@ -1176,14 +1477,14 @@ c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 
 ## Force refresh of auth prior to spawn.
 #  
-#  This forces :meth:`.refresh_user` to be called prior to launching a server, to
+#          This forces :meth:`.refresh_user` to be called prior to launching
-#  ensure that auth state is up-to-date.
+#          a server, to ensure that auth state is up-to-date.
 #  
-#  This can be important when e.g. auth tokens that may have expired are passed
+#          This can be important when e.g. auth tokens that may have expired
-#  to the spawner via environment variables from auth_state.
+#          are passed to the spawner via environment variables from auth_state.
 #  
-#  If refresh_user cannot refresh the user auth data, launch will fail until the
+#          If refresh_user cannot refresh the user auth data,
-#  user logs in again.
+#          launch will fail until the user logs in again.
 #  Default: False
 # c.Authenticator.refresh_pre_spawn = False
 
@@ -1217,23 +1518,5 @@ c.Authenticator.dbm_path = "{{ jupyterhub_venv }}/etc/passwords.dbm"
 # c.CryptKeeper.keys = []
 
 ## The number of threads to allocate for encryption
-#  Default: 4
+#  Default: 2
-# c.CryptKeeper.n_threads = 4
+# c.CryptKeeper.n_threads = 2
-
-#------------------------------------------------------------------------------
-# Pagination(Configurable) configuration
-#------------------------------------------------------------------------------
-## Default number of entries per page for paginated results.
-#  Default: 100
-# c.Pagination.default_per_page = 100
-
-## Maximum number of entries per page for paginated results.
-#  Default: 250
-# c.Pagination.max_per_page = 250
-
-#------------------------------------------------------------------------------
-#  Systemdspawner config
-#------------------------------------------------------------------------------
-c.SystemdSpawner.dynamic_users = True
-c.SystemdSpawner.user_workingdir = '/opt/iiab/notebooks/{USERNAME}'
-

roles/kalite/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: Download {{ kalite_requirements }} to {{ pip_packages_dir }}/kalite.txt
   get_url:
     url: "{{ kalite_requirements }}"
@@ -10,36 +15,46 @@
 #  ignore_errors: yes
 #  when: is_raspbian
 
-- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2)'
+- name: 'Install packages: python2, python-setuptools, virtualenv (for Python 2) -- if Ubuntu 22.04 / Mint 21'
   package:
     name:
       - python2
       - python-setuptools    # Provides setuptools-44 on recent OS's (last version compatible with python2)
-      - virtualenv           # For Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole}
+      - virtualenv           # Drags in 'python3-virtualenv' which in turn drags in 'python3-pip' -- for Ansible module 'pip' when used with 'virtualenv_command: /usr/bin/virtualenv' and 'virtualenv_python: python2.7' -- compare package 'python3-venv' used by roles {calibre-web, jupyterhub, lokole}
     state: present
-  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
+  when: is_ubuntu_2204    # Also covers is_linuxmint_21
-  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
 
-- name: Use pip to pin setuptools to 44 in {{ kalite_venv }}    # WAS: if Raspbian/Debian > 10 or Ubuntu > 19
+- name: Run scripts/install_python2.sh to install python2 and virtualenv -- if Debian 12 or RasPiOS 12
+  command: "{{ iiab_dir }}/scripts/install_python2.sh"
+  when: is_debian_12    # Also covers is_raspbian_12
+
+- name: Use pip to pin setuptools to 44 in {{ kalite_venv }} -- if Ubuntu 22.04 / Mint 21, Ubuntu 23.10, Debian 12 or RasPiOS 12
   pip:
     name: setuptools==44
     virtualenv: "{{ kalite_venv }}"    # /usr/local/kalite/venv
     virtualenv_site_packages: no
-    virtualenv_command: /usr/bin/virtualenv
+    virtualenv_command: virtualenv    # Traditionally /usr/bin/virtual/env -- but install_python2.sh (for Ubuntu 23.10+) sets up /usr/local/bin/virtualenv
     virtualenv_python: python2.7
     extra_args: "--no-use-pep517 --no-cache-dir --no-python-version-warning"
-  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
+  when: is_ubuntu_2204 or is_ubuntu_2310 or is_debian_12    # Also covers is_linuxmint_21 and is_raspbian_12
-  # long form of (is_debian_11+ or is_ubuntu_20+)
 
-- name: Use pip to install ka-lite-static to {{ kalite_venv }}
+- name: Use pip to install ka-lite-static to {{ kalite_venv }} -- if Ubuntu 22.04 / Mint 21, Ubuntu 23.10, Debian 12 or RasPiOS 12
   pip:
     name: ka-lite-static
     version: "{{ kalite_version }}"
     virtualenv: "{{ kalite_venv }}"
     virtualenv_site_packages: no
-    virtualenv_command: /usr/bin/virtualenv
+    virtualenv_command: virtualenv
     virtualenv_python: python2.7
     extra_args: "--no-cache-dir"
+  when: is_ubuntu_2204 or is_ubuntu_2310 or is_debian_12    # Also covers is_linuxmint_21 and is_raspbian_12
+
+# 2024-04-30: Sadly no longer works with Ubuntu 24.04 LTS final release (#3731).
+# So roles/kalite is OS-restricted during initial install, SEE: roles/7-edu-apps/tasks/main.yml
+# CLARIF: If install_python2_kalite-venv_u2404.sh proves no longer useful, it will deprecated in coming months.
+- name: Run scripts/install_python2_kalite-venv_u2404.sh -- if Ubuntu 24.04+ or Mint 22
+  command: bash "{{ iiab_dir }}/scripts/install_python2_kalite-venv_u2404.sh"
+  when: is_ubuntu and not is_linuxmint and os_ver is version('ubuntu-2404', '>=') or is_linuxmint_22
 
 - name: "Install from templates: venv wrapper /usr/bin/kalite, unit file /etc/systemd/system/kalite-serve.service"
   template:
@@ -50,30 +65,11 @@
     - { src: 'kalite.sh.j2', dest: '/usr/bin/kalite', mode: '0755' }
     - { src: 'kalite-serve.service.j2', dest: '/etc/systemd/system/kalite-serve.service', mode: '0644' }
 
-# Useless stanza, for 2 reasons: (1) http://box/kalite was never made to work
-# (2) /etc/apache2/sites-available does not exist on many IIAB's w/o Apache
-# - name: "Install from template: /etc/{{ apache_conf_dir }}/kalite.conf (useless, as http://box/kalite was never made to work)"
-#   template:
-#     src: kalite.conf
-#     dest: "/etc/{{ apache_conf_dir }}"    # apache2/sites-available on debuntu
-#   when: apache_installed is defined
-
 - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes    # WAS: if Raspbian/Debian > 10 or Ubuntu > 19
   replace:
     path: "{{ kalite_venv }}/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py"    # /usr/local/kalite/venv
     regexp: 'a-zA-Z0-9'
     replace: 'a-zA-Z0-9\-'
-  #when: not (is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19)
-  # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
-  # JV: why not just is_ubuntu_20? AH: to make this work on Ubuntu 21+ and ideally Debian/RasPiOS 11+ too?
-
-# - name: Fix KA Lite bug in regex parsing ifconfig output (ifcfg/parser.py) for @m-anish's network names that contain dashes, if Raspbian/Debian < 11 or Ubuntu < 20
-#   replace:
-#     path: "{{ kalite_venv }}/local/lib/python2.7/site-packages/kalite/packages/dist/ifcfg/parser.py"
-#     regexp: 'a-zA-Z0-9'
-#     replace: 'a-zA-Z0-9\-'
-#   when: is_debian_9 or is_debian_10 or is_ubuntu_16 or is_ubuntu_17 or is_ubuntu_18 or is_ubuntu_19
-#   # 2020-03-31: Testing for {is_raspbian_9, is_raspbian_10} is not currently nec, as testing for {is_debian_9, is_debian_10} covers that already.
 
 - name: Create dir {{ kalite_root }}
   file:
@@ -90,6 +86,17 @@
 
 # RECORD KA Lite AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'kalite_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: kalite
+    option: kalite_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'kalite_installed: True'"
   set_fact:
     kalite_installed: True

roles/kiwix/README.rst

@@ -14,7 +14,7 @@ Locations
 
 - Your ZIM files go in ``/library/zims/content``
 - Your ZIM index files used to go in directories under ``/library/zims/index`` (these index files are increasingly no longer necessary, as most ZIM files produced since 2017 contain an internal search index instead!)
-- The URL is http://box/kiwix or http://box.lan/kiwix (both proxied for AWStats)
+- The URL is http://box/kiwix or http://box.lan/kiwix (both proxied for AWStats, Matomo, ETC)
 - Use URL http://box:3000/kiwix if you want to avoid the proxy
 
 Your ``/library/zims/library.xml`` (containing essential metadata for the ZIM files you've installed) can be regenerated if necessary, by running:

roles/kiwix/defaults/main.yml

@@ -8,11 +8,11 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
 
-# INSTRUCTIONS TO REINSTALL Kiwix:
+# ONLINE UPGRADE INSTRUCTIONS:
-# (1) VERIFY THESE VARS IN /etc/iiab/local_vars.yml
+# (1) VERIFY VARS IN /etc/iiab/local_vars.yml
 #     kiwix_install: True
 #     kiwix_enabled: True
-# (2) RUN: cd /opt/iiab/iiab; ./runrole --reinstall kiwix
+# (2) RUN: cd /opt/iiab/iiab; sudo ./runrole --reinstall kiwix
 
 
 # FYI /library/zims contains 3 important things:
@@ -25,13 +25,13 @@ kiwix_base_url: https://download.kiwix.org/release/kiwix-tools/
 #kiwix_base_url: https://download.kiwix.org/nightly/2022-10-04/
 #kiwix_base_url: "{{ iiab_download_url }}/"    # e.g. https://download.iiab.io/packages/
 
-kiwix_arch_dict:
+kiwix_arch_dict:      # 'dpkg --print-architecture' key would be: (to mitigate #3516 in future, if truly nec?)
-  #i386:
+  #i386:              # ?
-  i686: i586
+  i686: i586          # ?
-  x86_64: x86_64
+  x86_64: x86_64      # amd64
-  armv6l: armhf
+  armv6l: armv6       # armhf
-  armv7l: armhf
+  armv7l: armv8       # armhf  BEWARE: armhf version of kiwix-tools suddenly FAILS on 64-bit RasPiOS, since 3.5.0 released 2023-04-28 -- #3574, PR #3576
-  aarch64: armhf
+  aarch64: aarch64    # arm64  BEWARE: "32-bit" RasPiOS suddenly boots 64-bit kernel since March 2023 -- #3516, explained at https://github.com/iiab/iiab/pull/3422#issuecomment-1533441463
 
 # ansible_architecture might also work, if not quite as well:
 # https://stackoverflow.com/questions/66828315/what-is-the-difference-between-ansible-architecture-and-ansible-machine-on-a/66828837#66828837
@@ -42,6 +42,7 @@ kiwix_arch: "{{ kiwix_arch_dict[ansible_machine] | default('unsupported') }}"
 # Latest official kiwix-tools release, per Kiwix permalink redirects:
 # https://www.kiwix.org/en/downloads/kiwix-serve/
 # https://github.com/kiwix/container-images/issues/236
+# https://github.com/kiwix/kiwix-tools/issues/623
 kiwix_tar_gz: "kiwix-tools_linux-{{ kiwix_arch }}.tar.gz"
 #kiwix_tar_gz: "kiwix-tools_linux-{{ kiwix_arch }}-3.3.0-1.tar.gz"    # Version can be hard-coded if you prefer (as was done til 2022-10-04)
 

roles/kiwix/tasks/install.yml

@@ -6,6 +6,11 @@
   when: kiwix_arch == "unsupported"
 
 
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # 1. PUT IN PLACE: /opt/iiab/downloads/kiwix-tools_linux-*.tar.gz, move /opt/iiab/kiwix/bin aside if nec, create essential dirs, and test.zim if nec (library.xml is created later, by enable-or-disable.yml)
 
 # 2022-10-04: get_url might be removed in future (unarchive below can handle
@@ -19,6 +24,24 @@
     timeout: "{{ download_timeout }}"
   register: kiwix_dl    # PATH /opt/iiab/downloads + ACTUAL filename put in kiwix_dl.dest, for unarchive ~28 lines below
 
+# - name: "2023-05-14: TEMPORARY PATCH REVERTING TO KIWIX-TOOLS 3.4.0 IF BUGGY 32-BIT (armhf) VERSION 3.5.0 IS DETECTED -- #3574"
+#   get_url:
+#     url: https://download.kiwix.org/release/kiwix-tools/kiwix-tools_linux-armhf-3.4.0.tar.gz
+#     dest: "{{ downloads_dir }}"
+#     timeout: "{{ download_timeout }}"
+#   #register: kiwix_dl    # CLOBBERS kiwix_dl.dest WHEN THIS STANZA DOES NOT RUN :/
+#   when: kiwix_dl.dest == "/opt/iiab/downloads/kiwix-tools_linux-armhf-3.5.0.tar.gz"
+#
+# # Ansible does not allow changing individuals subfields in a dictionary, but
+# # this crude hack works, overwriting the entire kiwix_dl dictionary var with
+# # the single (needed) key/value pair.  (Or "register: tmp_dl" could be set
+# # above, if its other [subfields, key/value pairs, etc] really mattered...)
+# - name: "2023-05-15: TEMPORARY PATCH REVERTING TO KIWIX-TOOLS 3.4.0 IF BUGGY 32-BIT (armhf) VERSION 3.5.0 IS DETECTED -- #3574"
+#   set_fact:
+#     kiwix_dl:
+#       dest: /opt/iiab/downloads/kiwix-tools_linux-armhf-3.4.0.tar.gz
+#   when: kiwix_dl.dest == "/opt/iiab/downloads/kiwix-tools_linux-armhf-3.5.0.tar.gz"
+
 - name: Does {{ kiwix_path }}/bin already exist? (as a directory, symlink or file)
   stat:
     path: "{{ kiwix_path }}/bin"    # /opt/iiab/kiwix
@@ -58,6 +81,8 @@
     src: "{{ kiwix_dl.dest }}"    # See ~28 lines above, e.g. /opt/iiab/downloads/kiwix-tools_linux-x86_64-3.3.0-1.tar.gz
     dest: "{{ kiwix_path }}/bin"
     extra_opts: --strip-components=1
+    owner: root    # 2023-05-14: When unpacking let's avoid bogus owner/group,
+    group: root    # arising from UID/GID on Kiwix's build machine.
 
 
 # 3. ENABLE MODS FOR APACHE PROXY IF DEBUNTU
@@ -98,6 +123,17 @@
 
 # 5. RECORD Kiwix AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'kiwix_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: kiwix
+    option: kiwix_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'kiwix_installed: True'"
   set_fact:
     kiwix_installed: True

roles/kolibri/README.rst

@@ -24,7 +24,7 @@ Please look in `/opt/iiab/iiab/roles/kolibri/defaults/main.yml <defaults/main.ym
 Automatic Device Provisioning
 -----------------------------
 
-When kolibri_provision is enabled (e.g. in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it.3F>`_) the installation will set up the following defaults::
+When kolibri_provision is enabled (e.g. in `/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO#What_is_local_vars.yml_and_how_do_I_customize_it%3F>`_) the installation will set up the following defaults::
 
   kolibri_facility: Kolibri-in-a-Box   
   kolibri_language: en      # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py

roles/kolibri/defaults/main.yml

@@ -3,11 +3,21 @@
 
 # kolibri_language: en    # See KOLIBRI_SUPPORTED_LANGUAGES at the bottom of https://github.com/learningequality/kolibri/blob/develop/kolibri/utils/i18n.py
 
+# Kolibri folder to store its data and configuration files.
+# kolibri_home: "{{ content_base }}/kolibri"    # /library/kolibri
+
+# kolibri_user: kolibri    # Whereas a vanilla install of Kolibri auto-identifies
+# and saves a 'desktop-like' user like {iiab-admin, pi} to /etc/kolibri/username
+# (generally the user with lowest UID >= 1000) to allow access to USB devices:
+# https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html#changing-the-owner-of-kolibri-system-service
+# https://github.com/learningequality/kolibri-installer-debian/issues/115
+
 # kolibri_http_port: 8009
 
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
+
 # 2019-09-27: Pinning to a particular version is unfortunately NOT supported
 # with our new apt approach (.deb installer) at this time.
 # 2019-06-21: Uncomment this pinning line if you want a particular version of
@@ -16,8 +26,12 @@
 # https://github.com/iiab/iiab/issues/1675
 # https://github.com/learningequality/kolibri/issues/5664
 
-# 2022-07-30: UNCOMMENT THE FOLLOWING LINE TO TEST A PARTICULAR .deb INSTALL
+# 2024-04-08: Kolibri 0.16.1+ restores install via apt
+# https://github.com/learningequality/kolibri/issues/11892#issuecomment-2043073998
+# 2022-07-30: UNCOMMENT ONE OF THE FOLLOWING LINES TO TEST A PARTICULAR .deb INSTALL
 # kolibri_deb_url: https://learningequality.org/r/kolibri-deb-latest
+# 2024-02-17: https://github.com/learningequality/kolibri/issues/11892
+# kolibri_deb_url: https://learningequality.org/r/kolibri-deb-next
 # 2019-11-21 issue #2045 - above URL had redirected to this broken Kolibri 0.12.9 release:
 # https://storage.googleapis.com/le-releases/downloads/kolibri/v0.12.9/kolibri_0.12.9-0ubuntu1_all.deb
 #
@@ -30,19 +44,11 @@
 # Corresponding to:
 # https://launchpad.net/~learningequality/+archive/ubuntu/kolibri
 
-# Kolibri folder to store its data and configuration files.
-kolibri_home: "{{ content_base }}/kolibri"    # /library/kolibri
-
 kolibri_url_without_slash: /kolibri
 kolibri_url: "{{ kolibri_url_without_slash }}/"    # /kolibri/
 
 kolibri_exec_path: /usr/bin/kolibri
 
-kolibri_user: kolibri    # Whereas a vanilla install of Kolibri auto-identifies
-# and saves a 'desktop' user like {iiab-admin, pi} to /etc/kolibri/username,
-# towards guaranteeing access to USB devices, per:
-# https://kolibri.readthedocs.io/en/latest/install.html#changing-the-owner-of-kolibri-system-service
-
 # To populate /library/kolibri with essential/minimum files and dirs.  This
 # provisions Kolibri with facility name, admin acnt / password, preset type,
 # and language.  You can set this to 'False' when reinstalling Kolibri:

roles/kolibri/tasks/install.yml

@@ -4,16 +4,40 @@
 # https://github.com/learningequality/pi-gen/blob/master/stage2/04-hostapd/offline.yml
 # https://github.com/learningequality/pi-gen/blob/master/stage2/04-hostapd/online.yml
 
+# Install Kolibri » Debian/Ubuntu
+# https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html
+
+# Advanced management
+# https://kolibri.readthedocs.io/en/latest/manage/advanced.html
+
+# Working with Kolibri from the command line
+# https://kolibri.readthedocs.io/en/latest/manage/command_line.html
+
+# Customize Kolibri settings with the [ /library/kolibri/options.ini ] file
+# https://kolibri.readthedocs.io/en/latest/manage/options_ini.html
+
+# Test Kolibri server performance
+# https://kolibri.readthedocs.io/en/latest/manage/performance.html
+
+# Provisioning many servers
+# https://kolibri.readthedocs.io/en/latest/install/provision.html
+
+
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: Create Linux user {{ kolibri_user }} and add it to groups {{ apache_user }}, disk
   user:
     name: "{{ kolibri_user }}"
-    groups:
+    groups: "{{ apache_user }}"    # 2023-03-29: Not really necessary (Kolibri is demonstrated to work without group 'www-data').  But it likely doesn't hurt.
-      - "{{ apache_user }}"
+      #- disk    # 2023-03-29: Tested to be unnec with USB sticks (with 64-bit RasPiOS).  FWIW group 'disk' is "Mostly equivalent to root access" according to https://wiki.debian.org/SystemGroups
-      - disk
     state: present
     shell: /bin/false
     system: yes
     create_home: no
+    home: "{{ kolibri_home }}"
 
 - name: Create directory {{ kolibri_home }} for Kolibri content, configuration, sqlite3 databases ({{ kolibri_user }}:{{ apache_user }}, by default 0755)
   file:
@@ -38,22 +62,13 @@
     dest: /etc/kolibri/daemon.conf
 
 
-- name: apt install latest Kolibri .deb from {{ kolibri_deb_url }} (populates {{ kolibri_home }}, migrates database)    # i.e. /library/kolibri
+# https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html claims:
-  apt:
-    deb: "{{ kolibri_deb_url }}"    # https://learningequality.org/r/kolibri-deb-latest
-  environment:
-    KOLIBRI_HOME: "{{ kolibri_home }}"    # These don't do a thing for now but
-    KOLIBRI_USER: "{{ kolibri_user }}"    # both can't hurt & Might Help Later
-  when: kolibri_deb_url is defined
-
-- block:    # ELSE...
-
-  # https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html says:
 # "When you use the PPA installation method, upgrades to newer versions
 # will be automatic, provided there is internet access available."
 #
-  # IN REALITY: apt upgrading Kolibri is risky, as 3 pink/blue screens prompt
+# IN REALITY: apt upgrading Kolibri is messy, as up-to-5 debconf screens prompt
-  # PPL WHO DON'T KNOW TO TYPE IN things like Linux username 'kolibri' :/ #3356
+# PPL WHO DON'T KNOW with the wrong default username, instead of 'kolibri' :/
+# https://github.com/learningequality/kolibri-installer-debian/pull/117
 
 # 2022-08-31: keyring /etc/apt/trusted.gpg DEPRECATED as detailed on #3343
 - name: Download Kolibri's apt key to /usr/share/keyrings/learningequality-kolibri.gpg
@@ -61,17 +76,20 @@
     gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
     gpg --yes --output /usr/share/keyrings/learningequality-kolibri.gpg --export DC5BAA93F9E4AE4F0411F97C74F88ADB3194DD81
 
-  - name: Add signed Kolibri PPA 'jammy' (if Ubuntu 22.04+ or Mint 21 or Debian 12)
+# 2024-06-25: Strongly consider PPA "kolibri-proposed" in future...
+# https://github.com/learningequality/kolibri/issues/11892
+# https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html
+- name: Add signed Kolibri PPA 'jammy'
   apt_repository:
     repo: "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu jammy main"
-    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
+#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
-    #when: is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12    # MINT 21 COVERED BY is_ubuntu_2204
+#   #when: is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12    # MINT 21 COVERED BY is_ubuntu_2204
 
-  - name: Add signed Kolibri PPA 'focal' (if other/older OS's)
+# - name: Add signed Kolibri PPA 'focal' (if other/older OS's)
-    apt_repository:
+#   apt_repository:
-      repo: "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu focal main"
+#     repo: "deb [signed-by=/usr/share/keyrings/learningequality-kolibri.gpg] http://ppa.launchpad.net/learningequality/kolibri/ubuntu focal main"
-    when: not (is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12)
+#   when: not (is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12)
-    #when: not (is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12)
+#   #when: not (is_ubuntu_2204 or is_ubuntu_2210 or is_debian_12)
 
 # - name: Add Kolibri PPA repo 'ppa:learningequality/kolibri' (if is_ubuntu and not is_linuxmint)
 #   apt_repository:
@@ -106,15 +124,36 @@
 #     codename: focal    # UPDATE THIS TO 'jammy' AFTER "RasPiOS Bookworm" (based on Debian 12) IS RELEASED! (ETA Q3 2023)
 #   when: is_debian or is_linuxmint_20
 
-  - name: apt install kolibri (populates {{ kolibri_home }}, migrates database)    # i.e. /library/kolibri
+
+# 2024-08-07: Hack no longer needed!  As Kolibri 0.17.0 now installs via "kolibri" PPA (https://launchpad.net/~learningequality/+archive/ubuntu/kolibri).
+# Hopefully "kolibri-proposed" PPA will install 0.18 pre-releases soon, on Python 3.13 too!  https://github.com/learningequality/kolibri/issues/11892
+
+# - name: '2024-06-25 TEMPORARY HACK: Hard code kolibri_deb_url to Kolibri 0.17.x (pre-release or final release) if Python >= 3.12 -- kolibri-proposed PPA should do this automatically in future!'
+#   set_fact:
+#     kolibri_deb_url: https://github.com/learningequality/kolibri/releases/download/v0.17.0/kolibri_0.17.0-0ubuntu1_all.deb
+#   when: python_version is version('3.12', '>=')    # For Ubuntu 24.04, Mint 22, pre-releases of Ubuntu 24.10, and Debian 13 (even if/when "Trixie" changes from Python 3.12 to 3.13!)  Regarding PPA kolibri-proposed not quite being ready yet, see: learningequality/kolibri#11316 -> learningequality/kolibri#11892
+
+- name: apt install kolibri (using apt source specified above, if kolibri_deb_url ISN'T defined)
   apt:
     name: kolibri
-    environment:
-      KOLIBRI_HOME: "{{ kolibri_home }}"    # These don't do a thing for now but
-      KOLIBRI_USER: "{{ kolibri_user }}"    # both can't hurt & Might Help Later
-
   when: kolibri_deb_url is undefined
+  # environment:
+  #   KOLIBRI_HOME: "{{ kolibri_home }}"    # 2023-03-27: These don't do a thing
+  #   KOLIBRI_USER: "{{ kolibri_user }}"    # for now.
 
+- name: apt install {{ kolibri_deb_url }} (if kolibri_deb_url IS defined)
+  apt:
+    deb: "{{ kolibri_deb_url }}"    # e.g. https://learningequality.org/r/kolibri-deb-latest
+  when: kolibri_deb_url is defined
+  # environment:
+  #   KOLIBRI_HOME: "{{ kolibri_home }}"    # 2023-03-27: These don't do a thing
+  #   KOLIBRI_USER: "{{ kolibri_user }}"    # for now.
+
+
+- name: Run 'rm -rf /root/.kolibri' to remove "unavoidable" pollution created above
+  file:
+    state: absent
+    path: /root/.kolibri
 
 - name: 'Install from template: /etc/systemd/system/kolibri.service'
   template:
@@ -123,8 +162,8 @@
 
 - name: Stop 'kolibri' systemd service, for Kolibri provisioning (after daemon_reload)
   systemd:
-    name: kolibri
     daemon_reload: yes
+    name: kolibri
     state: stopped
 
 
@@ -145,9 +184,13 @@
 #   become_user: "{{ kolibri_user }}"
 #   when: kolibri_provision
 
+# Run "kolibri manage help provisiondevice" to see CLI options, e.g.:
+#   --facility_settings FACILITY_SETTINGS
+#                         JSON file containing facility settings
+#   --device_settings DEVICE_SETTINGS
+#                         JSON file containing device settings
 - name: 'Provision Kolibri, while setting: facility name, admin acnt / password, preset type, and language'
   shell: >
-    export KOLIBRI_HOME="{{ kolibri_home }}" &&
     "{{ kolibri_exec_path }}" manage provisiondevice --facility "{{ kolibri_facility }}"
     --superusername "{{ kolibri_admin_user }}" --superuserpassword "{{ kolibri_admin_password }}"
     --preset "{{ kolibri_preset }}" --language_id "{{ kolibri_language }}"
@@ -156,15 +199,22 @@
   become: yes
   become_user: "{{ kolibri_user }}"
   when: kolibri_provision
+  environment:
+    KOLIBRI_HOME: "{{ kolibri_home }}"     # 2023-03-27: Required!
+    #KOLIBRI_USER: "{{ kolibri_user }}"    # 2023-03-27: Not nec due to /etc/kolibri/username ?
 
-- name: chown -R {{ kolibri_user }}:{{ apache_user }} {{ kolibri_home }} for good measure?
-  file:
-    path: "{{ kolibri_home }}"     # /library/kolibri
-    owner: "{{ kolibri_user }}"    # kolibri
-    group: "{{ apache_user }}"     # www-data (on Debian/Ubuntu/Raspbian)
-    recurse: yes
-  when: kolibri_provision
 
+# 2023-03-25: Likely overkill (let's strongly consider removing this stanza?)
+# Certainly, setting owner (recursively) is advised when moving /library/kolibri :
+# https://kolibri.readthedocs.io/en/latest/install/ubuntu-debian.html#changing-the-owner-of-kolibri-system-service
+# 2023-03-27: Commented out on a provisional basis (Spring Cleaning)
+# - name: chown -R {{ kolibri_user }}:{{ apache_user }} {{ kolibri_home }} for good measure?
+#   file:
+#     path: "{{ kolibri_home }}"     # /library/kolibri
+#     owner: "{{ kolibri_user }}"    # kolibri
+#     group: "{{ apache_user }}"     # www-data (on Debian/Ubuntu/Raspbian)
+#     recurse: yes
+#   when: kolibri_provision
 
 # 2019-10-07: Moved to roles/httpd/tasks/main.yml
 # 2019-09-29: roles/kiwix/tasks/kiwix_install.yml installs 4 Apache modules
@@ -176,6 +226,17 @@
 
 # RECORD Kolibri AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'kolibri_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: kolibri
+    option: kolibri_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'kolibri_installed: True'"
   set_fact:
     kolibri_installed: True

roles/lokole/tasks/install.yml

@@ -2,12 +2,16 @@
 # https://github.com/iiab/iiab/blob/master/roles/www_base/templates/iiab-refresh-wiki-docs.sh#L51-L52
 
 
-- name: Install 14 packages for Lokole
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
+- name: Install 12 packages for Lokole
   apt:
     name:
       #- python3    # 2022-12-21: IIAB pre-req, see scripts/local_facts.fact
-      - python3-pip
+      #- python3-pip
-      - python3-venv
       - python3-dev
       - python3-bcrypt    # 2019-10-14: Should work across modern Linux OS's
       #- bcrypt does not exist on Ubuntu 19.10
@@ -134,6 +138,17 @@
 
 # RECORD Lokole AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'lokole_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: lokole
+    option: lokole_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'lokole_installed: True'"
   set_fact:
     lokole_installed: True

roles/matomo/README.adoc

@@ -4,7 +4,7 @@ https://matomo.org/[Matomo] is a web analytics alternative to Google Analytics,
 
 == Install it
 
-Prior to installing Matomo with IIAB, the default URL (http://box.lan/matomo) can be customized in https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it.3F[/etc/iiab/local_vars.yml]
+Prior to installing Matomo with IIAB, the default URL (http://box.lan/matomo) can be customized in https://wiki.iiab.io/go/FAQ#What_is_local_vars.yml_and_how_do_I_customize_it%3F[/etc/iiab/local_vars.yml]
 
 One way to do that is by changing these 2 lines:
 

roles/matomo/tasks/install.yml

@@ -12,6 +12,26 @@
 # fatal: [127.0.0.1]: FAILED! => {"cache_control": "private, no-cache, no-store", "changed": false, "connection": "close", "content_type": "text/html; charset=utf-8", "date": "Wed, 15 Jun 2022 05:07:41 GMT", "elapsed": 0, "expires": "Thu, 19 Nov 1981 08:52:00 GMT", "msg": "Status code was 500 and not [200]: HTTP Error 500: Internal Server Error", "pragma": "no-cache", "redirected": false, "server": "nginx/1.18.0 (Ubuntu)", "set_cookie": "MATOMO_SESSID=psak3aem27vrdrt8t2f016600f; path=/; HttpOnly; SameSite=Lax", "status": 500, "transfer_encoding": "chunked", "url": "http://box.lan/matomo/index.php?action=welcome", "x_matomo_request_id": "fbfd2"}
 
 
+- name: "Set 'mysql_install: True' and 'mysql_enabled: True'"
+  set_fact:
+    mysql_install: True
+    mysql_enabled: True
+
+- name: MYSQL - run 'mysql' role (attempt to install & enable MySQL / MariaDB)
+  include_role:
+    name: mysql
+
+- name: FAIL (STOP THE INSTALL) IF 'mysql_installed is undefined'
+  fail:
+    msg: "Matomo install cannot proceed, as MySQL / MariaDB is not installed."
+  when: mysql_installed is undefined
+
+
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # https://matomo.org/faq/on-premise/matomo-requirements/
 - name: Install Matomo's recommended PHP extensions
   package:
@@ -47,7 +67,7 @@
     priv: "{{ matomo_db_name }}.*:ALL"
     #login_unix_socket: /var/run/mysqld/mysqld.sock
 
-- name: Download and Extract Matomo (~1 min)
+- name: Download and Extract Matomo (~3 min)
   unarchive:
     src: "{{ matomo_dl_url }}"    # e.g. https://builds.matomo.org/matomo.tar.gz
     dest: "{{ matomo_path }}"     # e.g. /library/www
@@ -239,6 +259,17 @@
 
 # RECORD Matomo AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'matomo_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: matomo
+    option: matomo_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'matomo_installed: True'"
   set_fact:
     matomo_installed: True

roles/matomo/tasks/main.yml

@@ -21,7 +21,7 @@
 
 - block:
 
-  - name: Enable/Disable/Reload NGINX for OSM, if nginx_enabled
+  - name: Enable/Disable/Reload NGINX for Matomo
     include_tasks: nginx.yml
 
   - name: Install Matomo if 'matomo_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml

roles/matomo/tasks/nginx.yml

@@ -1,10 +1,10 @@
-- name: Enable http://box/maps & http://box/matomo via NGINX, by installing {{ nginx_conf_dir }}/matomo-nginx.conf from template
+- name: Enable http://box/matomo via NGINX, by installing {{ nginx_conf_dir }}/matomo-nginx.conf from template
   template:
     src: matomo-nginx.conf.j2
     dest: "{{ nginx_conf_dir }}/matomo-nginx.conf"    # /etc/nginx/conf.d
   when: matomo_enabled
 
-- name: Disable http://box/maps & http://box/matomo via NGINX, by removing {{ nginx_conf_dir }}/matomo-nginx.conf
+- name: Disable http://box/matomo via NGINX, by removing {{ nginx_conf_dir }}/matomo-nginx.conf
   file:
     path: "{{ nginx_conf_dir }}/matomo-nginx.conf"    # /etc/nginx/conf.d
     state: absent

roles/matomo/templates/matomo-nginx.conf.j2

@@ -1,3 +1,5 @@
+location ~ ^/matomo/(config|tmp|core|lang) { deny all; return 403; }
+
 location ~ ^/matomo(.*)\.php(.*)$ {
     alias /library/www/matomo$1.php$2;    # /library/www/matomo
     proxy_set_header X-Real-IP  $remote_addr;

roles/mediawiki/defaults/main.yml

@@ -4,7 +4,7 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
-mediawiki_major_version: 1.39    # "1.35" also works
+mediawiki_major_version: "1.43"    # "1.40" quotes nec if trailing zero
 mediawiki_minor_version: 0
 mediawiki_version: "{{ mediawiki_major_version }}.{{ mediawiki_minor_version }}"
 

roles/mediawiki/tasks/install.yml

@@ -1,3 +1,23 @@
+- name: "Set 'mysql_install: True' and 'mysql_enabled: True'"
+  set_fact:
+    mysql_install: True
+    mysql_enabled: True
+
+- name: MYSQL - run 'mysql' role (attempt to install & enable MySQL / MariaDB)
+  include_role:
+    name: mysql
+
+- name: FAIL (STOP THE INSTALL) IF 'mysql_installed is undefined'
+  fail:
+    msg: "MediaWiki install cannot proceed, as MySQL / MariaDB is not installed."
+  when: mysql_installed is undefined
+
+
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # https://www.mediawiki.org/wiki/Manual:Installation_requirements#PHP
 - name: 'Install packages: php{{ php_version }}-intl, php{{ php_version }}-mbstring, php{{ php_version }}-xml'
   package:
@@ -95,6 +115,17 @@
 
 # RECORD MediaWiki AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'mediawiki_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: mediawiki
+    option: mediawiki_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'mediawiki_installed: True'"
   set_fact:
     mediawiki_installed: True

roles/minetest/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: Check for Minetest world file ({{ minetest_world_dir }}/world.mt)
   stat:
     path: "{{ minetest_world_dir }}/world.mt"
@@ -7,9 +12,6 @@
   file:
     state: directory
     path: /library/games
-    # owner: root
-    # group: root
-    # mode: '0755'
 
 - include_tasks: minetest_install.yml
   when: not minetest_world.stat.exists
@@ -35,8 +37,20 @@
       url: https://content.minetest.net/packages/sfan5/worldedit/releases/13367/download/
   when: minetest_default_game == "minetest"
 
+
 # RECORD Minetest AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'minetest_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: minetest
+    option: minetest_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'minetest_installed: True'"
   set_fact:
     minetest_installed: True

roles/mongodb/defaults/main.yml

@@ -20,7 +20,18 @@
 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
-mongodb_64bit_version: 6.0    # 2022-10-23: 4.4 fails on Debian 12 x86_64:
+mongodb_arch_dict:
+  armv6l: unsupported    # WAS: 3.0
+  armv7l: unsupported    # WAS: 3.0
+  aarch64: 5.0
+  i386: unsupported
+  x86_64: 6.0
+
+mongodb_version: "{{ mongodb_arch_dict[ansible_machine] | default('unknown') }}"    # A bit safer than ansible_architecture (see kiwix/defaults/main.yml)
+
+#mongodb_arm64_version: 5.0    # 2023-02-24: MongoDB 6.0.4 fails to install on
+#                              # 64-bit RasPiOS 11, as it doesn't offer libssl3.
+#mongodb_amd64_version: 6.0    # 2022-10-23: 4.4 fails on Debian 12 x86_64:
 # "No package matching 'mongodb-org' is available".  5.0+ fail on "pre-2011"
 # CPU's w/o AVX, and on RPi due to MongoDB compiling these for v8.2-A (RPi 4 is
 # ARM v8-A).  SO IIAB ALWAYS OVERLAYS andyfelong.com's 5.0.5 IF 5.0+ SPECIFIED.

roles/mongodb/tasks/install.yml

@@ -1,8 +1,14 @@
 # MongoDB Install Docs:
+# https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
 # https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-ubuntu/
 # https://www.mongodb.com/docs/manual/installation/
 
 
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # 1. INSTALL MongoDB PACKAGES AND/OR BINARIES
 
 # 2019-02-02: Sugarizer with Node.js 10.x requires MongoDB 2.6+ so
@@ -15,71 +21,83 @@
 # CLARIF: mongodb_stretch_3_0_14_core.zip IS IN FACT 3.0.14 (core) BUT...
 #         mongodb_stretch_3_0_14_tools.zip IS REALLY 3.0.15 (tools)
 
-- block:
+# - debug:
-  - name: Create dir /tmp/mongodb-3.0.1x (aarch32)
+#     msg: '9-STANZA BLOCK BELOW, RUNS *IF* 32-BIT -- i.e. not (ansible_architecture == "aarch64" or ansible_architecture == "x86_64") -- WILL LIKELY BE REMOVED SOON IN 2023, as MongoDB 3.0.1 is insufficient for Sugarizer Server 1.5.0''s new MongoDB 3.2+ REQUIREMENT: https://github.com/iiab/iiab/pull/3478#issuecomment-1444395170'
-    file:
-      path: /tmp/mongodb-3.0.1x
-      state: directory
 
-  - name: Download & unzip 20MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
+# - block:
-    unarchive:
+#   - name: Create dir /tmp/mongodb-3.0.1x (aarch32)
-      remote_src: yes
+#     file:
-      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # https://download.iiab.io/packages
+#       path: /tmp/mongodb-3.0.1x
-      dest: /tmp/mongodb-3.0.1x
+#       state: directory
 
-  - name: Install (move) its 3 CORE binaries from /tmp/mongodb-3.0.1x/core to /usr/bin (aarch32)
+#   - name: Download & unzip 20MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_core.zip to /tmp/mongodb-3.0.1x (aarch32)
-    shell: mv /tmp/mongodb-3.0.1x/core/* /usr/bin
+#     unarchive:
+#       remote_src: yes
+#       src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_core.zip"    # https://download.iiab.io/packages
+#       dest: /tmp/mongodb-3.0.1x
 
-  - name: Download & unzip 15MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
+#   - name: Install (move) its 3 CORE binaries from /tmp/mongodb-3.0.1x/core to /usr/bin (aarch32)
-    unarchive:
+#     shell: mv /tmp/mongodb-3.0.1x/core/* /usr/bin
-      remote_src: yes
-      src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_tools.zip"
-      dest: /tmp/mongodb-3.0.1x
 
-  - name: Install (move) its 9 TOOLS binaries from /opt/iiab/downloads/mongodb-3.0.1x/tools to /usr/bin (aarch32)
+#   - name: Download & unzip 15MB https://download.iiab.io/packages/mongodb_stretch_3_0_14_tools.zip [IN FACT THIS ONE'S 3.0.15] to /tmp/mongodb-3.0.1x (aarch32)
-    shell: mv /tmp/mongodb-3.0.1x/tools/* /usr/bin
+#     unarchive:
+#       remote_src: yes
+#       src: "{{ iiab_download_url }}/mongodb_stretch_3_0_14_tools.zip"
+#       dest: /tmp/mongodb-3.0.1x
 
-  - name: Create Linux group mongodb (aarch32)
+#   - name: Install (move) its 9 TOOLS binaries from /opt/iiab/downloads/mongodb-3.0.1x/tools to /usr/bin (aarch32)
-    group:
+#     shell: mv /tmp/mongodb-3.0.1x/tools/* /usr/bin
-      name: mongodb
-      state: present
 
-  - name: Create Linux user mongodb (aarch32)
+#   - name: Create Linux group mongodb (aarch32)
-    user:
+#     group:
-      name: mongodb
+#       name: mongodb
-      group: mongodb    # primary group
+#       state: present
-      groups: mongodb
-      home: /var/lib/mongodb
-      shell: /usr/sbin/nologin
 
-  - name: Install {{ mongodb_conf }} from template (aarch32)
+#   - name: Create Linux user mongodb (aarch32)
-    template:
+#     user:
-      src: mongod.conf.j2
+#       name: mongodb
-      dest: "{{ mongodb_conf }}"    # /etc/mongod.conf
+#       group: mongodb    # primary group
+#       groups: mongodb
+#       home: /var/lib/mongodb
+#       shell: /usr/sbin/nologin
 
-  - name: 'Create 2 dirs: /var/lib/mongodb, /var/log/mongodb (mongodb:mongodb)'
+#   - name: Install {{ mongodb_conf }} from template (aarch32)
-    file:
+#     template:
-      state: directory
+#       src: mongod.conf.j2
-      path: "{{ item }}"
+#       dest: "{{ mongodb_conf }}"    # /etc/mongod.conf
-      owner: mongodb
-      group: mongodb
-    with_items:
-      - /var/lib/mongodb
-      - /var/log/mongodb
 
-  # end block
+#   - name: 'Create 2 dirs: /var/lib/mongodb, /var/log/mongodb (mongodb:mongodb)'
-  when: not (ansible_architecture == "x86_64" or ansible_architecture == "aarch64")
+#     file:
+#       state: directory
+#       path: "{{ item }}"
+#       owner: mongodb
+#       group: mongodb
+#     with_items:
+#       - /var/lib/mongodb
+#       - /var/log/mongodb
 
-# 32-bit OS's are handled above: this should handle aarch32 including 32-bit
+#   # end block
+#   when: not (ansible_architecture == "x86_64" or ansible_architecture == "aarch64")    # ansible_machine is a bit safer than ansible_architecture (see kiwix/defaults/main.yml)
+
+# - debug:
+#     msg: 9-STANZA BLOCK ABOVE, RAN *IF* 32-BIT -- i.e. not (ansible_architecture == "aarch64" or ansible_architecture == "x86_64")
+
+# 32-bit OS's [WERE] handled above: this should handle aarch32 including 32-bit
 # Ubuntu from https://ubuntu.com/download/raspberry-pi but Ubuntu 20.04+ and
 # 22.04+ 32-bit might fail untested, and 32-bit Intel might puke as this was
 # orginally deployed for Raspbian.  (Haven't seen bootable 32-bit Intel
 # installers for a while now.)  64-bit OS's proceed below.
 
-- block:
+
-  - name: Add mongodb.org signing key (only 64-bit support available) for MongoDB version {{ mongodb_64bit_version }}
+# - debug:
-    shell: wget -qO - https://www.mongodb.org/static/pgp/server-{{ mongodb_64bit_version }}.asc | apt-key add -
+#     msg: 16-STANZA BLOCK BELOW, RUNS *IF* 64-BIT -- i.e. ansible_architecture == "aarch64" or ansible_architecture == "x86_64"
-    #shell: wget -qO - https://pgp.mongodb.com/server-{{ mongodb_64bit_version }}.asc | apt-key add -
+
+# - block:
+- name: Add mongodb.org signing key (only 64-bit available) for MongoDB version {{ mongodb_version }}
+  # https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
+  shell: wget -qO - https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc | gpg --dearmor > /usr/share/keyrings/mongodb.gpg
+  #shell: wget -qO - https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc | apt-key add -
+  #shell: wget -qO - https://pgp.mongodb.com/server-{{ mongodb_version }}.asc | apt-key add -
   #args:
   #  warn: no
   # Ansible 2.14 ERROR:
@@ -87,28 +105,48 @@
   # Supported parameters include: removes, strip_empty_ends, _raw_params,
   # _uses_shell, stdin_add_newline, creates, chdir, executable, argv, stdin."
 
-  # 2022-10-23: MongoDB only allows auto-install of Debian's x86_64, AND IN ANY
+# 2023-01-19: MongoDB only offers x86_64 for Debian, AND IN ANY CASE all their
-  # CASE all their MongoDB 6.0's are ONLY COMPILED FOR ARM v8.2-A i.e. FAIL ON
+# MongoDB 6.0's are ONLY COMPILED FOR ARM v8.2-A i.e. FAIL ON ARM v8-A RPi 4,
-  # ARM v8-A RPi 4, LIKE THEIR MongoDB 5.0 tested 2022-06-07 ~120 lines below.
+# LIKE THEIR MongoDB 5.0 tested 2022-06-07 ~137 lines below.  Tested on Deb 11.
-  # -> CAN THIS ENTIRE STANZA BE *DELETED* -- ALWAYS USING UBUNTU REPO BELOW ?
+# -> DELETE THIS STANZA AFTER DEBIAN 12 IS SOLID -- USING UBUNTU REPO BELOW ?
-  - name: Install mongodb-org's Debian bullseye source/repo [ arch=amd64 ] for MongoDB version {{ mongodb_64bit_version }}
+- name: Install mongodb-org's Debian bullseye source/repo [ arch=amd64 ] for MongoDB version {{ mongodb_version }}, if x86_64 Debian < 12
   apt_repository:
     # 2020-10-28 and 2022-06-09: https://repo.mongodb.org/apt/debian/dists/
     # supports only {Buster 10, Stretch 9, Jessie 8, Wheezy 7}.  So Bullseye
     # 11 and Bookworm 12 (testing branch) revert to buster for now:
     # 2022-09-27: Changed from 'buster' to 'bullseye' (i.e. Debian 11) as
     # this was recently added to https://repo.mongodb.org/apt/debian/dists/
-      repo: deb https://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_64bit_version }} main
+    repo: deb [ arch=amd64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main
+    #repo: deb https://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{ mongodb_version }} main
     #repo: deb https://repo.mongodb.org/apt/debian {{ ansible_distribution_release }}/mongodb-org/4.4 main
     #filename: mongodb-org
-    when: is_debian and ansible_architecture == "x86_64"
+  when: is_debian and os_ver is version('debian-12', '<') and ansible_architecture == "x86_64"
 
-  # 2022-10-23: RasPiOS Bullseye *MAY* FAIL when 'focal' changed to 'jammy' ?
+- name: Install mongodb-org's Ubuntu jammy source/repo [ arch=amd64 ] for MongoDB version {{ mongodb_version }}, if other x86_64 OS
-  - name: Otherwise install mongodb-org's Ubuntu focal source/repo [ arch=amd64,arm64 ] for MongoDB version {{ mongodb_64bit_version }}
   apt_repository:
-      repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_64bit_version }} multiverse
+    repo: deb [ arch=amd64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/{{ mongodb_version }} multiverse
+  when: not (is_debian and os_ver is version('debian-12', '<')) and ansible_architecture == "x86_64"
+
+# 2023-01-19: Tested on x86_64 VM's with Ubuntu 22.04 & Debian 12.  Based on
+# MongoDB 6.0.3 (released 2022-11-15) instructions here:
+# https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
+# WHEREAS 64-bit Raspberry Pi is likely NOT supported for now, as MongoDB 6.0
+# IS ONLY COMPILED FOR ARM v8.2-A i.e. FAIL ON ARM v8-A RPi 4 (JUST LIKE THEIR
+# MongoDB 5.0, tested 2022-06-07 ~116 lines below).  Though MongoDB 6.0.3+ on
+# 64-bit Ubuntu on Raspberry Pi hardware (MIGHT) hypothetically be possible:
+# https://www.mongodb.com/developer/products/mongodb/mongodb-on-raspberry-pi/
+# So IIAB overlays MongoDB 5.0.5 64-bit RPi binaries for now (~141 LINES BELOW!)
+- name: Otherwise, install mongodb-org's Ubuntu focal source/repo [ arch=arm64 ] for MongoDB version {{ mongodb_version }}
+  apt_repository:
+    repo: deb [ arch=arm64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_version }} multiverse
+    #repo: deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_version }} multiverse
+    #repo: deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/{{ mongodb_version }} multiverse
     #filename: mongodb-org
-    when: not (is_debian and ansible_architecture == "x86_64")
+  when: not ansible_architecture == "x86_64"
+  #when: is_ubuntu or is_debian and os_ver is version('debian-12', '>=')
+  #when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint and os_ver is version('linuxmint-12', '>=') or is_debian and os_ver is version('debian-12', '>=')
+  #when: not (is_debian and ansible_architecture == "x86_64")
+
 
 # 2022-10-23: Force-install MongoDB on Ubuntu 22.04+, Mint 21 & Debian 12;
 # as each includes libssl3 not libssl1.1 (#3190).  LATER REMOVE ALL 7 STANZAS
@@ -121,48 +159,95 @@
 # sudo apt-get install libssl1.1
 # rm /etc/apt/sources.list.d/focal-security.list
 
-  - name: Install source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
+# 2023-02-25: RETROFITTING libssl1.1 STILL NEC on Ubuntu 22.04+ and Debian 12+
-    apt_repository:
+# *IF* MongoDB < 6.0 (e.g. RPi, where MongoDB 6.0 is a complete non-starter!)
-      repo: deb http://security.ubuntu.com/ubuntu focal-security main
+#
-      #filename: focal-security    # If filename focal-security.list is preferred
+# Whereas libssl1.1 is thankfully NO LONGER NEC on x86_64, where MongoDB can
-    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
+# finally use libssl3 instead, since 2022-11-15:
+# https://www.mongodb.com/community/forums/t/installing-mongodb-over-ubuntu-22-04/159931/90
 
-  - name: Install source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
+- debug:
+    msg: 5-STANZA BLOCK FOLLOWS, TO FORCE INSTALL libssl1.1 -- runs *IF* mandated mongodb_version ({{ mongodb_version }}) < 6.0 (i.e. for aarch64/arm64) on Ubuntu 22.04+ or Debian 12+ -- whereas Linux Mint should never need libssl1.1
+
+- block:
+
+  - name: Install OLD source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if Ubuntu
     apt_repository:
       repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
-    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
+    when: is_ubuntu
 
-  - name: Install source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
+  - name: Install OLD source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian
     apt_repository:
       repo: deb http://security.debian.org/debian-security bullseye-security main
       #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
-    when: is_debian_12
+    when: is_debian
 
-  - name: Install libssl1.1 if Ubuntu 22.04+ or Mint 21 or Debian 12 (required by MongoDB below)
+  - name: Force install libssl1.1
     package:
       name: libssl1.1
       state: present
-    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
 
-  - name: Remove source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
+  - name: Remove OLD source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian
     apt_repository:
       repo: deb http://security.debian.org/debian-security bullseye-security main
       #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
       state: absent
-    when: is_debian_12
+    when: is_debian
 
-  - name: Remove source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
+  - name: Remove OLD source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if Ubuntu
     apt_repository:
       repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
       state: absent
-    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
+    when: is_ubuntu
+
+  when: mongodb_version is version('6.0', '<') and (is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_debian and os_ver is version('debian-12', '>='))
+
+- debug:
+    msg: 5-STANZA BLOCK ABOVE, RAN *IF* FORCED INSTALL OF libssl1.1 WAS NEEDED
+
+# - name: Install source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
+#   apt_repository:
+#     repo: deb http://security.ubuntu.com/ubuntu focal-security main
+#     #filename: focal-security    # If filename focal-security.list is preferred
+#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
+
+# - name: Install source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
+#   apt_repository:
+#     repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
+#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
+
+# - name: Install source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
+#   apt_repository:
+#     repo: deb http://security.debian.org/debian-security bullseye-security main
+#     #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
+#   when: is_debian_12
+
+# - name: Install libssl1.1 if Ubuntu 22.04+ or Mint 21 or Debian 12 (required by MongoDB below)
+#   package:
+#     name: libssl1.1
+#     state: present
+#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') or is_linuxmint_21 or is_debian_12
+
+# - name: Remove source/repo "deb http://security.debian.org/debian-security bullseye-security main" at /etc/apt/sources.list.d/security_debian_org_debian_security.list if Debian 12
+#   apt_repository:
+#     repo: deb http://security.debian.org/debian-security bullseye-security main
+#     #repo: deb https://deb.debian.org/debian-security bullseye-security main    # New way, likely equivalent
+#     state: absent
+#   when: is_debian_12
+
+# - name: Remove source/repo "deb http://ports.ubuntu.com/ubuntu-ports focal-security main" at /etc/apt/sources.list.d/ports_ubuntu_com_ubuntu_ports.list if ubuntu 22.04+ aarch64
+#   apt_repository:
+#     repo: deb http://ports.ubuntu.com/ubuntu-ports focal-security main
+#     state: absent
+#   when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "aarch64"
+
+# - name: Remove source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
+#   apt_repository:
+#     repo: deb http://security.ubuntu.com/ubuntu focal-security main
+#     state: absent
+#     #filename: focal-security    # 100% IGNORED during repo deletion
+# when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
 
-  - name: Remove source/repo "deb http://security.ubuntu.com/ubuntu focal-security main" at /etc/apt/sources.list.d/security_ubuntu_com_ubuntu.list if Ubuntu 22.04+ x86_64 or Mint 21
-    apt_repository:
-      repo: deb http://security.ubuntu.com/ubuntu focal-security main
-      state: absent
-      #filename: focal-security    # 100% IGNORED during repo deletion
-    when: is_ubuntu and os_ver is version('ubuntu-2204', '>=') and ansible_architecture == "x86_64" or is_linuxmint_21
 
 # # Debian 10 aarch64 might work below but is blocked in main.yml
 # - name: Use mongodb-org's Ubuntu focal repo for RasPiOS-aarch64
@@ -187,6 +272,7 @@
 #     filename: mongodb-org
 #   when: is_ubuntu and not is_linuxmint
 
+
 - name: "Install packages: mongodb-org, mongodb-org-server"
   package:
     name:
@@ -207,6 +293,7 @@
     regexp: '^\s*port:'
     line: "  port: {{ mongodb_port }}"    # 27017
 
+
 # 2022-06-07 #3236 MongoDB 5.0.9 "Illegal instruction" on RPi 4...
 # https://www.mongodb.com/community/forums/t/core-dump-on-mongodb-5-0-on-rpi-4/115291/14
 # ...as ARM v8-A < ARM v8.2-A ...also reveals:
@@ -228,19 +315,22 @@
 # https://andyfelong.com/downloads/raspbian_mongodb_5.0.5.gz
 # https://andyfelong.com/2021/08/mongodb-4-4-under-raspberry-pi-os-64-bit-raspbian64/
 
-  - name: If hardware is Raspberry Pi and mongodb_64bit_version >= 5.0, run 'apt-mark hold mongodb-org mongodb-org-server' -- so MongoDB 5.0.5 binaries {mongo, mongod, mongos} can be installed without apt interfering in future
+- name: If hardware is Raspberry Pi and mongodb_version >= 5.0, run 'apt-mark hold mongodb-org mongodb-org-server' -- so MongoDB 5.0.5 binaries {mongo, mongod, mongos} can be installed without apt interfering in future
   command: apt-mark hold mongodb-org mongodb-org-server
-    when: rpi_model != "none" and mongodb_64bit_version is version('5.0', '>=')
+  when: rpi_model != "none" and mongodb_version is version('5.0', '>=')
 
-  - name: If hardware is Raspberry Pi and mongodb_64bit_version >= 5.0, unarchive 76MB {{ iiab_download_url }}//packages/raspbian_mongodb_5.0.5.gz OVERWRITING 5.0.9+ {mongo, mongod, mongos} in /usr/bin
+- name: If hardware is Raspberry Pi and mongodb_version >= 5.0, unarchive 76MB {{ iiab_download_url }}//packages/raspbian_mongodb_5.0.5.gz OVERWRITING 5.0.9+ {mongo, mongod, mongos} in /usr/bin
   unarchive:
     remote_src: yes
     src: "{{ iiab_download_url }}/raspbian_mongodb_5.0.5.gz"
     dest: /usr/bin
-    when: rpi_model != "none" and mongodb_64bit_version is version('5.0', '>=')
+  when: rpi_model != "none" and mongodb_version is version('5.0', '>=')
 
-  # end block
+#   # end block
-  when: ansible_architecture == "aarch64" or ansible_architecture == "x86_64"
+#   when: ansible_architecture == "aarch64" or ansible_architecture == "x86_64"
+
+# - debug:
+#     msg: 16-STANZA BLOCK ABOVE, RAN *IF* 64-BIT -- i.e. ansible_architecture == "aarch64" or ansible_architecture == "x86_64"    # ansible_machine is a bit safer than ansible_architecture (see kiwix/defaults/main.yml)
 
 
 # 2. CONFIGURE MongoDB FOR IIAB
@@ -282,6 +372,17 @@
 
 # 3. RECORD MongoDB AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'mongodb_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: mongodb
+    option: mongodb_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'mongodb_installed: True'"
   set_fact:
     mongodb_installed: True

roles/mongodb/tasks/main.yml

@@ -34,19 +34,25 @@
     var: is_debian
 - debug:
     var: is_raspbian
+- debug:
+    var: mongodb_version
 
-# # might be able to lift this once we know using bionic would work
+# WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
-# - name: EXIT 'mongodb' ROLE & CONTINUE, IF 'is_debian_10 and aarch64 and not is_raspbian' i.e. TRUE DEBIAN with arch64
+# RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3422 and #3516
-#   fail:    # FORCE IT RED THIS ONCE!
+- name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
-#     msg: ATTEMPTED MongoDB INSTALLATION WITH (TRUE) DEBIAN aarch64, which is not supported upstream.  Nevertheless IIAB will continue (consider this a warning!)
+  command: dpkg --print-architecture
-#   when: (ansible_architecture == "aarch64") and is_debian_10 and not is_raspbian
+  register: dpkg_arch
-#   ignore_errors: yes
+- debug:
-
+    msg: "'dpkg --print-architecture' output: {{ dpkg_arch.stdout }}"
-# ELSE...
-
 
 - block:
 
+  - name: EXIT 'mongodb' ROLE, if 'dpkg --print-architecture' appears to be 32-bit (i.e. does not contain "64") or mongodb_version == "unsupported" or ansible_machine not found
+    fail:    # FORCE IT RED THIS ONCE!
+      msg: MongoDB 3.2+ (as needed by Sugarizer Server 1.5.0) is NO LONGER SUPPORTED on 32-bit Raspberry Pi OS.
+    when: not dpkg_arch.stdout is search("64") or mongodb_version == "unsupported" or mongodb_version == "unknown"
+    #when: dpkg_arch.stdout == "armhf" or mongodb_version == "unsupported" or mongodb_version == "unknown"
+
   - name: Install MongoDB if 'mongodb_installed' not defined, e.g. in {{ iiab_state_file }}    # /etc/iiab/iiab_state.yml
     include_tasks: install.yml
     when: mongodb_installed is undefined

roles/monit/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: Install 'monit' package
   package:
     name: monit
@@ -35,6 +40,17 @@
 
 # RECORD Monit AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'monit_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: monit
+    option: monit_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'monit_installed: True'"
   set_fact:
     monit_installed: True

roles/moodle/defaults/main.yml

@@ -8,11 +8,11 @@
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
 
 
-# 2022-11-27: Currently testing Moodle's master branch is mandatory if your
+# October 2024: Currently testing Moodle's main branch is mandatory if your
-# OS PHP >= 8.2, see moodle/tasks/install.yml for detail!  OR, *IF* your
+# OS PHP >= 8.4, see moodle/tasks/install.yml for detail!  OR, *IF* your
-# OS PHP < 8.2, then {{ moodle_version }} will be attempted:
+# OS PHP < 8.4, then {{ moodle_version }} will be attempted:
-moodle_version: MOODLE_401_STABLE    # Moodle 4.1 LTS
+moodle_version: MOODLE_405_STABLE    # Moodle 4.5
-#moodle_version: master              # e.g. to try Moodle's "weekly" 4.2dev pre-release *EVEN IF* OS PHP < 8.2
+#moodle_version: main                # e.g. to try Moodle's "weekly" 5.0dev pre-release *EVEN IF* OS PHP < 8.4
 moodle_repo_url: https://github.com/moodle/moodle
 #moodle_repo_url: git://git.moodle.org/moodle.git    # 2020-10-16: VERY Slow!
 

roles/moodle/tasks/install.yml

@@ -6,6 +6,20 @@
 # 2021-06-28: This ALSO now happens in /etc/php/{{ php_version }}/cli/php.ini
 # (as required by Moodle's CLI installer, DESPITE it using fpm/php.ini later!)
 
+# 2023-12-17: Upgrade instructions via CLI
+# https://docs.moodle.org/en/Administration_via_command_line
+#
+# EXAMPLE:
+# cd /opt/iiab/moodle
+# sudo -u www-data /usr/bin/php admin/cli/maintenance.php --enable
+# cd /opt/iiab
+# mv moodle moodle.bkp
+# git clone https://github.com/moodle/moodle -b MOODLE_403_STABLE --depth 1    # As a regular 'git pull' will likely fail, due to original clone's '--depth 1' -- but no worries: total clone download is just ~100 MB, which expands to ~400 MB
+# cp moodle.bkp/config.php moodle/
+# cd moodle
+# sudo -u www-data /usr/bin/php admin/cli/upgrade.php    # Or later log in to Moodle, to complete the upgrade (i.e. click "Continue" 4-5 times)
+# sudo -u www-data /usr/bin/php admin/cli/maintenance.php --disable
+
 
 - name: "Set 'postgresql_install: True' and 'postgresql_enabled: True'"
   set_fact:
@@ -17,6 +31,11 @@
     name: postgresql
 
 
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 # 2021-07-02: Let's monitor & learn from these 2 pages year-by-year:
 # https://docs.moodle.org/19/en/PHP_settings_by_Moodle_version#PHP_Extensions_and_libraries
 # https://github.com/moodlebox/moodlebox/blob/master/roles/packages/vars/main.yml
@@ -30,7 +49,7 @@
       #- php{{ php_version }}-common     # 2021-06-27: Auto-installed as an apt dependency.  REGARDLESS: php{{ php_version }}-common superset php{{ php_version }}-cli is auto-installed by php{{ php_version }}-fpm in nginx/tasks/install.yml
       #- php{{ php_version }}-cli        # 2021-06-27: Compare to php{{ php_version }}-common just above!  2020-06-15: In the past this included (below) mbstring?  However this is not true on Ubuntu Server 20.04 LTS.
       - php{{ php_version }}-curl        # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
-      #- php{{ php_version }}-exif       # 2022-11-27: Recommended by Moodle 4.1, required by Moodle 4.2 (for image metadata, rotation, etc?)  apt package(s) NOT REQUIRED as it's somehow already installed with PHP's core, as confirmed by 'php -m' & 'php -i' on Ubuntu 22.04 and RasPiOS.
+      #- php{{ php_version }}-exif       # 2022-11-27: Recommended by Moodle 4.1, possibly required by Moodle 4.2 (for image metadata, rotation, etc?)  apt package(s) NOT REQUIRED as it's somehow already installed with PHP's core, as confirmed by 'php -m' & 'php -i' on Ubuntu 22.04 and RasPiOS.
       - php{{ php_version }}-gd          # 2021-06-27: Likewise installed in nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml
       - php{{ php_version }}-intl        # 2020-12-03: Required by Moodle 3.10+ -- Likewise installed in mediawiki/tasks/install.yml, nextcloud/tasks/install.yml, wordpress/tasks/install.yml
       - php{{ php_version }}-mbstring    # 2020-06-15: Required by Moodle 3.9+ -- Likewise installed in mediawiki/tasks/install.yml, nextcloud/tasks/install.yml, pbx/tasks/freepbx_dependencies.yml, wordpress/tasks/install.yml
@@ -49,21 +68,49 @@
   when: php_settings_done is undefined
 
 
-- name: "MOODLE PRE-RELEASE TESTING: Download (clone) {{ moodle_repo_url }} branch 'master' to {{ moodle_base }} (~389 MB initially, ~416 MB later) if OS PHP {{ php_version }} >= 8.2"
+- name: Does /opt/iiab/moodle exist?
-  git:
+  stat:
-    repo: "{{ moodle_repo_url }}"    # https://github.com/moodle/moodle
+    path: /opt/iiab/moodle
-    dest: "{{ moodle_base }}"        # /opt/iiab/moodle
+  register: opt_iiab_moodle
-    depth: 1
-    version: master    # For "weekly" Moodle pre-releases: https://download.moodle.org/releases/development/ (e.g. 3.5beta+ in May 2018, 4.1dev in Sept 2022, 4.2dev in Dec 2022)
-  when: php_version is version('8.2', '>=')
 
-- name: Download (clone) {{ moodle_repo_url }} branch '{{ moodle_version }}' to {{ moodle_base }} (~389 MB initially, ~416 MB later) if OS PHP {{ php_version }} < 8.2
+# 2023-04-30: Allows re-running (e.g. 'sudo iiab') if git clone was already
+# begun, avoiding this error: (arises from 'www-data' ownership)
+#   "Failed to set a new url https://github.com/moodle/moodle for origin:
+#   fatal: detected dubious ownership in repository at '/opt/iiab/moodle'
+#   To add an exception for this directory, call:
+#   git config --global --add safe.directory /opt/iiab/moodle"
+
+- name: If /opt/iiab/moodle exists, move it to /tmp/opt-iiab-moodle.old (TO BE DELETED ON NEXT BOOT) -- allows re-running if git clone (below) was already begun
+  shell: rm -rf /tmp/opt-iiab-moodle.old && mv /opt/iiab/moodle /tmp/opt-iiab-moodle.old
+  when: opt_iiab_moodle.stat.exists
+
+
+# WARNING: Since March 2023, 32-bit RasPiOS can act as 64-bit on RPi 4 and
+# RPi 400 (unlike RPi 3!)  SEE: https://github.com/iiab/iiab/pull/3516
+- name: Run command 'dpkg --print-architecture' to identify OS architecture (CPU arch as revealed by ansible_architecture ~= ansible_machine is NO LONGER enough!)
+  command: dpkg --print-architecture
+  register: dpkg_arch
+
+- name: "2023-04-30: MOODLE 4.2+ REQUIRES PHP 8 AND *FULL* 64-BIT OPERATION -- SO WE REVERT TO TRYING THE OLDER MOODLE 4.1 LTS WHEN NECESSARY -- NOTE PHP 7.x END-OF-LIFE WAS NOVEMBER 2022"
+  set_fact:
+    moodle_version: MOODLE_401_STABLE    # i.e. Moodle 4.1 LTS
+  when: php_version is version('8.0', '<') or not dpkg_arch.stdout is search("64")
+
+- name: Download (clone) {{ moodle_repo_url }} branch '{{ moodle_version }}' to {{ moodle_base }} (~476 MB initially, ~504 MB later) if OS PHP {{ php_version }} < 8.4
   git:
     repo: "{{ moodle_repo_url }}"    # https://github.com/moodle/moodle
     dest: "{{ moodle_base }}"        # /opt/iiab/moodle
     depth: 1
-    version: "{{ moodle_version }}"    # e.g. MOODLE_401_STABLE (Moodle 4.1)
+    version: "{{ moodle_version }}"    # e.g. MOODLE_404_STABLE (Moodle 4.4)
-  when: php_version is version('8.2', '<')
+  when: php_version is version('8.4', '<')
+
+- name: "MOODLE PRE-RELEASE TESTING: Download (clone) {{ moodle_repo_url }} branch 'main' to {{ moodle_base }} (~476 MB initially, ~504 MB later) if OS PHP {{ php_version }} >= 8.4"
+  git:
+    repo: "{{ moodle_repo_url }}"
+    dest: "{{ moodle_base }}"
+    depth: 1
+    version: main    # For "weekly" Moodle pre-releases: https://download.moodle.org/releases/development/ (e.g. 3.5beta+ in May 2018, 4.1dev in Sept 2022, 4.2dev in Dec 2022, 4.3dev in May 2023, 4.4dev in Oct 2023, 4.5dev in Apr 2024, 5.0dev in Oct 2024)
+  when: php_version is version('8.4', '>=')
 
 - name: chown -R {{ apache_user }}:{{ apache_user }} {{ moodle_base }} (by default dirs 755 & files 644)
   file:
@@ -141,7 +188,7 @@
 # 2021-11-19: Resolves Moodle error https://github.com/iiab/iiab/issues/3024
 - name: Set cron job to run /opt/iiab/moodle/admin/cli/cron.php every minute (* * * * *) in /var/spool/cron/crontabs/www-data -- per https://docs.moodle.org/310/en/Cron
   cron:
-    name: https://docs.moodle.org/310/en/Cron
+    name: https://docs.moodle.org/en/Cron
     user: www-data
     job: "/usr/bin/php /opt/iiab/moodle/admin/cli/cron.php >/dev/null"
 
@@ -167,6 +214,17 @@
 
 # RECORD Moodle AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'moodle_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: moodle
+    option: moodle_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'moodle_installed: True'"
   set_fact:
     moodle_installed: True

roles/moodle/templates/moodle-nginx.conf.j2

@@ -29,7 +29,7 @@ location ~ ^/moodle(.*)\.php(.*)$ {
     # Uncomment to override /etc/php/<VERSION>/fpm/php.ini -- FYI Stage 4's
     # roles/www_options/tasks/main.yml FORCES these same settings and more
     # (equivalent to 'nginx_high_php_limits: True') when 'moodle_install: True' 
-    #fastcgi_param PHP_VALUE "max_execution_time=300\n upload_max_filesize=500M\n post_max_size=500M\n max_input_vars=5000";
+    #fastcgi_param PHP_VALUE "max_execution_time=300\n upload_max_filesize=10000M\n post_max_size=10000M\n max_input_vars=5000";
 }
 
 location ~ ^/moodle {

roles/mosquitto/tasks/install.yml

@@ -1,3 +1,8 @@
+- name: Record (initial) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df1
+
+
 - name: "Install packages: mosquitto, mosquitto-clients"
   package:
     name: "{{ item }}"
@@ -32,6 +37,17 @@
 
 # RECORD Mosquitto AS INSTALLED
 
+- name: Record (final) disk space used
+  shell: df -B1 --output=used / | tail -1
+  register: df2
+
+- name: Add 'mosquitto_disk_usage = {{ df2.stdout|int - df1.stdout|int }}' to {{ iiab_ini_file }}
+  ini_file:
+    path: "{{ iiab_ini_file }}"    # /etc/iiab/iiab.ini
+    section: mosquitto
+    option: mosquitto_disk_usage
+    value: "{{ df2.stdout|int - df1.stdout|int }}"
+
 - name: "Set 'mosquitto_installed: True'"
   set_fact:
     mosquitto_installed: True

roles/munin/tasks/enable-or-disable.yml

@@ -1,3 +1,9 @@
+# SEE ALSO roles/network/tasks/install.yml
+- name: TEMPORARILY REVERT net.ipv6.conf.all.disable_ipv6 to 0 in /etc/sysctl.conf for #3434
+  sysctl:
+    name: net.ipv6.conf.all.disable_ipv6
+    value: 0
+
 - name: Enable & Start 'munin-node' systemd service
   systemd:
     name: munin-node
@@ -6,6 +12,12 @@
     state: started
   when: munin_enabled
 
+# SEE ALSO roles/network/tasks/install.yml
+- name: RESTORE net.ipv6.conf.all.disable_ipv6 to 1 in /etc/sysctl.conf for #3434
+  sysctl:
+    name: net.ipv6.conf.all.disable_ipv6
+    value: 1
+
 - name: Disable & Stop 'munin-node' systemd service
   systemd:
     name: munin-node