Wordsmithing around the firewall rules. And punt Systemd timers.

Replacing a cron job, esp. one you wanted email from (in the event of
a failure, or whenever), is a hassle with Systemd timers.  You will
need webupdate.timer, webupdate.service, webupdate-fail.service, and
/usr/local/sbin/webupdate-fail.  5 lines of Ansible become 100.

diff --git a/README.org b/README.org
index cbb56d8c922573fe8547d2789dd311cac6a30064..a79ba0d797ad0cf143e76b7199ef46dd30708e77 100644 (file)
--- a/README.org
+++ b/README.org
@@ -5198,10 +5198,10 @@ set in =/etc/ufw/sysctl.conf=.
 
 NAT is enabled per the ~ufw-framework(8)~ manual page, by introducing
 ~nat~ table rules in a block at the end of =/etc/ufw/before.rules=.
-They translate packets going to the ISP.  These can come from the
-private Ethernet or the untrusted Ethernet (campus IoT, including
-Wi-Fi APs).  Hosts on the other institute networks (the two VPNs)
-should not be routing their Internet traffic through their VPN.
+The rules translate packets going to the ISP.  These packets can come
+from the private Ethernet or the wild Ethernet.  Hosts on the other
+institute networks (the two VPNs) should not be routing their Internet
+traffic through their WireGuard™ interface.
 
 #+NAME: ufw-nat
 #+CAPTION: ~ufw-nat~
@@ -5213,10 +5213,10 @@ should not be routing their Internet traffic through their VPN.
 Forwarding rules are also needed.  The ~nat~ table is a /post/ routing
 rule set, so the default routing policy (~DENY~) will drop packets
 before NAT can translate them.  The following rules are added to allow
-packets to be forwarded from the campus Ethernet or its wild subnet to
-an ISP on the ~isp~ interface.  A generic routing rule in UFW accepts
-any related or established packet (according to the kernel's
-connection tracking).
+packets to be forwarded from the campus or wild Ethernets to an ISP on
+the ~isp~ interface.  A generic routing rule in UFW accepts any
+related or established packet (according to the kernel's connection
+tracking).
 
 #+NAME: ufw-forward-nat
 #+CAPTION: ~ufw-forward-nat~
@@ -5226,7 +5226,7 @@ connection tracking).
 #+END_SRC
 
 Forwarding rules are also needed to route packets from the campus VPN
-(the ~wg0~ WireGuard™ tunnel device) to the institute's LAN and back.
+(the WireGuard™ interface, ~wg0~) to the institute's LAN and back.
 The public VPN on Front will also be included since its packets arrive
 at Gate's ~lan~ interface, coming from Core.  Thus forwarding between
 public and campus VPNs is also allowed.
@@ -5245,7 +5245,8 @@ default, log and reject packets, even those from subnet to the same
 subnet (if it is a WireGuard™ subnet?).
 
 Note that there are no forwarding rules to allow packets to pass from
-the ~wild~ device to the ~lan~ device, just the ~wg0~ device.
+the ~wild~ device to the ~lan~ device, only from ~wg0~ device is
+forwarded to ~lan~.
 
 ** Configure UFW
 
@@ -8132,9 +8133,6 @@ Pro-active monitoring might include notifying ~root~ of any vandalism
 corrected by Monkey's quarter-hourly web update.  This is a
 non-trivial task that must ignore intentional changes.
 
-Monkey's ~cron~ jobs on Core should be ~systemd.timer~ and ~.service~
-units.
-
 The institute's reverse domains (e.g. ~86.177.10.in-addr.arpa~) are
 not available on Front, yet.