"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2024-01-01 Mon 10:48 -->
+<!-- 2024-01-02 Tue 13:37 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
members off campus.
</p>
-<pre class="example" id="org818b89f">
+<pre class="example" id="orgb9b8e48">
=
_|||_
=-The-Institute-=
</pre>
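Review bot: the bumped export timestamp (`<!-- 2024-01-02 Tue 13:37 -->`) and the regenerated `<pre>` id (`org818b89f` to `orgb9b8e48`) carry no content change, and the same pattern repeats through the rest of the HTML hunks and in the `Created:` line of the postamble, so most of this diff is re-export churn that buries the substantive edits (the footnote renumbering and the link-text change). Consider suppressing the timestamp in the export (for example `#+OPTIONS: timestamp:nil` in the Org source) and regenerating the HTML only when the Org text actually changes, so a reviewer can see the real edits at a glance.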
</div>
-<div class="TEXT" id="org979a726">
+<div class="TEXT" id="org296b7f8">
<p>
=> 10.62.17.0/24
</p>
campground Wi-Fi access point, etc.</li>
</ol>
-<pre class="example" id="org654e520">
+<pre class="example" id="org43284fb">
=============== | ==================================================
| Premises
(Campus ISP)
following topology.
</p>
-<pre class="example" id="orgd355647">
+<pre class="example" id="org51ead45">
=============== | ==================================================
| Premises
(House ISP)
certificates signed by the institute CA.
</p>
</div>
-<div id="outline-container-orga19a7f7" class="outline-3">
-<h3 id="orga19a7f7"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-org3c15e11" class="outline-3">
+<h3 id="org3c15e11"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>front</code> role's tasks contain references to several common
</div>
</div>
</div>
-<div id="outline-container-org17efad4" class="outline-3">
-<h3 id="org17efad4"><span class="section-number-3">6.2.</span> Configure Hostname</h3>
+<div id="outline-container-org39d7e52" class="outline-3">
+<h3 id="org39d7e52"><span class="section-number-3">6.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-6-2">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-orgd9de325" class="outline-3">
-<h3 id="orgd9de325"><span class="section-number-3">6.4.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org56dc8b5" class="outline-3">
+<h3 id="org56dc8b5"><span class="section-number-3">6.4.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-6-4">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-orgcd7d36c" class="outline-3">
-<h3 id="orgcd7d36c"><span class="section-number-3">6.6.</span> Configure Monkey</h3>
+<div id="outline-container-org63b4dba" class="outline-3">
+<h3 id="org63b4dba"><span class="section-number-3">6.6.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-6-6">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
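Review bot: the new id of this section, `org63b4dba`, is the pre-change id of section 7.9 (Core's Configure Monkey, see the `-` line of that hunk), and the same positional shift applies to the neighbouring sections: `org3c15e11`, `org39d7e52`, `org56dc8b5`, `orgae89ce8`, `org986ecf6`, `org5d3587e`, `orgef69b4b`, `org0c71d3a` and `org59be0a3` all appear as `+` ids for Front sections after having been `-` ids for Core, Gate or Campus sections. Any bookmark or external deep link to `#org63b4dba` now silently lands on Front's section instead of Core's. If stable anchors matter, give each heading a `:CUSTOM_ID:` property so the exporter stops assigning these positional ids.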
-<div id="outline-container-org6e09cb9" class="outline-3">
-<h3 id="org6e09cb9"><span class="section-number-3">6.8.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org59be0a3" class="outline-3">
+<h3 id="org59be0a3"><span class="section-number-3">6.8.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-6-8">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-orge46b03e" class="outline-3">
-<h3 id="orge46b03e"><span class="section-number-3">6.9.</span> Configure User Accounts</h3>
+<div id="outline-container-orgae89ce8" class="outline-3">
+<h3 id="orgae89ce8"><span class="section-number-3">6.9.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-6-9">
<p>
User accounts are created immediately so that Postfix and Dovecot can
</div>
</div>
</div>
-<div id="outline-container-org24c5c7d" class="outline-3">
-<h3 id="org24c5c7d"><span class="section-number-3">6.10.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-org986ecf6" class="outline-3">
+<h3 id="org986ecf6"><span class="section-number-3">6.10.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-6-10">
<p>
Front should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-orge1c2554" class="outline-3">
-<h3 id="orge1c2554"><span class="section-number-3">6.11.</span> Install Server Certificate</h3>
+<div id="outline-container-org5d3587e" class="outline-3">
+<h3 id="org5d3587e"><span class="section-number-3">6.11.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-6-11">
<p>
The servers on Front use the same certificate (and key) to
</div>
</div>
</div>
-<div id="outline-container-org0bf70c2" class="outline-3">
-<h3 id="org0bf70c2"><span class="section-number-3">6.14.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orgef69b4b" class="outline-3">
+<h3 id="orgef69b4b"><span class="section-number-3">6.14.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-6-14">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
</div>
</div>
</div>
-<div id="outline-container-orge8ed770" class="outline-3">
-<h3 id="orge8ed770"><span class="section-number-3">6.16.</span> Configure OpenVPN</h3>
+<div id="outline-container-org0c71d3a" class="outline-3">
+<h3 id="org0c71d3a"><span class="section-number-3">6.16.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-6-16">
<p>
Front uses OpenVPN to provide the institute's public VPN service. The
account. (For details, see <a href="#org8d60b7b">The Core Machine</a>.)
</p>
</div>
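Review bot: the cross-reference `<a href="#org8d60b7b">The Core Machine</a>` is left unchanged while every section id in this export is reassigned, so the link resolves only if that heading's id happened to survive the re-export (the same applies to `#org9240129`, The Front Role, referenced in 7.1). Please check both anchors in the new HTML; a `:CUSTOM_ID:` on those two headings would make the links robust against future re-exports.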
-<div id="outline-container-org533be49" class="outline-3">
-<h3 id="org533be49"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-orgdc88f33" class="outline-3">
+<h3 id="orgdc88f33"><span class="section-number-3">7.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-7-1">
<p>
The first task, as in <a href="#org9240129">The Front Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-org07d9cd4" class="outline-3">
-<h3 id="org07d9cd4"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-org6836eeb" class="outline-3">
+<h3 id="org6836eeb"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-2">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-org3d1f119" class="outline-3">
-<h3 id="org3d1f119"><span class="section-number-3">7.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org7ecb710" class="outline-3">
+<h3 id="org7ecb710"><span class="section-number-3">7.3.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-7-3">
<p>
Core starts the <code>systemd-networkd</code> and <code>systemd-resolved</code> service
</div>
</div>
</div>
-<div id="outline-container-org0612ed1" class="outline-3">
-<h3 id="org0612ed1"><span class="section-number-3">7.4.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-orgd4cda12" class="outline-3">
+<h3 id="orgd4cda12"><span class="section-number-3">7.4.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-7-4">
<p>
Core runs the campus name server, so Resolved is configured to use it
</div>
</div>
</div>
-<div id="outline-container-org7708cdb" class="outline-3">
-<h3 id="org7708cdb"><span class="section-number-3">7.8.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgcc94373" class="outline-3">
+<h3 id="orgcc94373"><span class="section-number-3">7.8.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-8">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org63b4dba" class="outline-3">
-<h3 id="org63b4dba"><span class="section-number-3">7.9.</span> Configure Monkey</h3>
+<div id="outline-container-org8f1faaa" class="outline-3">
+<h3 id="org8f1faaa"><span class="section-number-3">7.9.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-7-9">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
-<div id="outline-container-orgae89ce8" class="outline-3">
-<h3 id="orgae89ce8"><span class="section-number-3">7.12.</span> Configure User Accounts</h3>
+<div id="outline-container-orgf7e8da6" class="outline-3">
+<h3 id="orgf7e8da6"><span class="section-number-3">7.12.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-7-12">
<p>
User accounts are created immediately so that backups can begin
</div>
</div>
</div>
-<div id="outline-container-org13d2912" class="outline-3">
-<h3 id="org13d2912"><span class="section-number-3">7.13.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-orga70c44f" class="outline-3">
+<h3 id="orga70c44f"><span class="section-number-3">7.13.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-7-13">
<p>
Core should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-org5877f54" class="outline-3">
-<h3 id="org5877f54"><span class="section-number-3">7.14.</span> Install Server Certificate</h3>
+<div id="outline-container-orgdce1a93" class="outline-3">
+<h3 id="orgdce1a93"><span class="section-number-3">7.14.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-7-14">
<p>
The servers on Core use the same certificate (and key) to authenticate
</div>
</div>
</div>
-<div id="outline-container-orgef69b4b" class="outline-3">
-<h3 id="orgef69b4b"><span class="section-number-3">7.18.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org23f499c" class="outline-3">
+<h3 id="org23f499c"><span class="section-number-3">7.18.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-7-18">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
configurations, etc.
</p>
</div>
-<div id="outline-container-org0b6416c" class="outline-3">
-<h3 id="org0b6416c"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org662043e" class="outline-3">
+<h3 id="org662043e"><span class="section-number-3">8.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-8-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org5d3587e" class="outline-3">
-<h3 id="org5d3587e"><span class="section-number-3">8.6.</span> Install Server Certificate</h3>
+<div id="outline-container-orgdf7fcb2" class="outline-3">
+<h3 id="orgdf7fcb2"><span class="section-number-3">8.6.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-8-6">
<p>
The (OpenVPN) server on Gate uses an institute certificate (and key)
</div>
</div>
</div>
-<div id="outline-container-org0c71d3a" class="outline-3">
-<h3 id="org0c71d3a"><span class="section-number-3">8.7.</span> Configure OpenVPN</h3>
+<div id="outline-container-org50c9363" class="outline-3">
+<h3 id="org50c9363"><span class="section-number-3">8.7.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-8-7">
<p>
Gate uses OpenVPN to provide the institute's campus VPN service. Its
configured manually.
</p>
</div>
-<div id="outline-container-org3c15e11" class="outline-3">
-<h3 id="org3c15e11"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-orgb125545" class="outline-3">
+<h3 id="orgb125545"><span class="section-number-3">9.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-9-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org39d7e52" class="outline-3">
-<h3 id="org39d7e52"><span class="section-number-3">9.2.</span> Configure Hostname</h3>
+<div id="outline-container-orgedbf31b" class="outline-3">
+<h3 id="orgedbf31b"><span class="section-number-3">9.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-9-2">
<p>
Clients should be using the expected host name.
</div>
</div>
</div>
-<div id="outline-container-org7ecb710" class="outline-3">
-<h3 id="org7ecb710"><span class="section-number-3">9.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-orgbbe5d19" class="outline-3">
+<h3 id="orgbbe5d19"><span class="section-number-3">9.3.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-9-3">
<p>
Campus machines start the <code>systemd-networkd</code> and <code>systemd-resolved</code>
</div>
</div>
</div>
-<div id="outline-container-orgd4cda12" class="outline-3">
-<h3 id="orgd4cda12"><span class="section-number-3">9.4.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org08eac1f" class="outline-3">
+<h3 id="org08eac1f"><span class="section-number-3">9.4.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-9-4">
<p>
Campus machines use the campus name server on Core (or <code>dns.google</code>),
</div>
</div>
</div>
-<div id="outline-container-org56dc8b5" class="outline-3">
-<h3 id="org56dc8b5"><span class="section-number-3">9.6.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgbdf09f0" class="outline-3">
+<h3 id="orgbdf09f0"><span class="section-number-3">9.6.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-9-6">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org986ecf6" class="outline-3">
-<h3 id="org986ecf6"><span class="section-number-3">9.7.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-orgdf9b654" class="outline-3">
+<h3 id="orgdf9b654"><span class="section-number-3">9.7.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-9-7">
<p>
Campus hosts should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-org59be0a3" class="outline-3">
-<h3 id="org59be0a3"><span class="section-number-3">9.8.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org8491295" class="outline-3">
+<h3 id="org8491295"><span class="section-number-3">9.8.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-9-8">
<p>
The institute prefers to install security updates as soon as possible.
<div class="footdef"><sup><a id="fn.1" class="footnum" href="#fnr.1" role="doc-backlink">1</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
The recommended private top-level domains are listed in
-"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). <a href="https://www.rfc-editor.org/rfc/rfc6762#appendix-G">link</a>
+"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast
+DNS). <a href="https://www.rfc-editor.org/rfc/rfc6762#appendix-G">https://www.rfc-editor.org/rfc/rfc6762#appendix-G</a>
</p></div></div>
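Review bot: replacing the link text `link` with the full URL is an improvement for printed copies and screen readers, which now get the destination rather than a bare "link", and the matching change in the Org footnote definition below shows this was made in the source rather than hand-edited into the export. The resulting line break inside the parenthesis (`(Multicast` / `DNS).`) is only source-file wrapping and does not affect the rendered page.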
<div class="footdef"><sup><a id="fn.2" class="footnum" href="#fnr.2" role="doc-backlink">2</a></sup> <div class="footpara" role="doc-footnote"><p class="footpara">
</div></div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2024-01-01 Mon 10:48</p>
+<p class="date">Created: 2024-01-02 Tue 13:37</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>
The institute's private domain name should end with one of the
top-level domains set aside for this purpose: ~.intranet~,
-~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:5] It is
+~.internal~, ~.private~, ~.corp~, ~.home~ or ~.lan~.[fn:1] It is
hoped that doing so will increase that chances that some abomination
like DNS-over-HTTPS will pass us by.
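Review bot: renumbering `[fn:5]` to `[fn:1]` (and shifting the other four labels) touches five reference sites and five definitions for no rendered effect, since the exporter numbers footnotes in order of first reference regardless of label; the HTML hunk above shows this footnote as `fn.1` both before and after the change. Descriptive labels (for example `[fn:private-tld]` or `[fn:no-all-role]`) would avoid this class of churn the next time a footnote is added or moved.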
~systemd~ package).
These tasks are included in all of the roles, and so are given in a
-separate code block named ~enable-resolved~.[fn:1]
+separate code block named ~enable-resolved~.[fn:2]
#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml :noweb yes
The ~apache-ciphers~ block below is included last in the Apache2
configuration, so that its ~SSLCipherSuite~ directive can override
(narrow) any list of ciphers set earlier (e.g. by Let's
-Encrypt![fn:2]). The protocols and cipher suites specified here were
+Encrypt![fn:3]). The protocols and cipher suites specified here were
taken from [[https://www.ssllabs.com/projects/best-practices]] in 2022.
#+NAME: apache-ciphers
A new member's record in the ~members~ mapping will have the ~status~
key value ~current~. That key gets value ~former~ when the member
-leaves.[fn:3] Access by former members is revoked by invalidating the
+leaves.[fn:4] Access by former members is revoked by invalidating the
Unix account passwords, removing any authorized SSH keys from Front
and Core, and disabling their VPN certificates.
~front~ is not accessible to the administrator's notebook (the
host). To work around this restriction, ~front~ gets a second
network interface connected to the ~vboxnet1~ network and used only
- for ssh access from the host.[fn:4]
+ for ssh access from the host.[fn:5]
As in [[*The Hardware][The Hardware]], all machines start with their primary Ethernet
adapters attached to the NAT Network ~premises~ so that they can
* Footnotes
-[fn:5] The recommended private top-level domains are listed in
-"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G][link]]
+[fn:1] The recommended private top-level domains are listed in
+"Appendix G. Private DNS Namespaces" of RFC6762 (Multicast
+DNS). [[https://www.rfc-editor.org/rfc/rfc6762#appendix-G]]
-[fn:1] Why not create a role named ~all~ and put these tasks that are
+[fn:2] Why not create a role named ~all~ and put these tasks that are
the same on all machines in that role? If there were more than a
stable handful, and no tangling mechanism to do the duplication, a
catch-all role would be a higher priority.
-[fn:2] The cipher set specified by Let's Encrypt is large enough to
+[fn:3] The cipher set specified by Let's Encrypt is large enough to
turn orange many parts of an SSL Report from Qualys SSL Labs.
-[fn:3] Presumably, eventually, a former member's home directories are
+[fn:4] Presumably, eventually, a former member's home directories are
archived to external storage, their other files are given new
ownerships, and their Unix accounts are deleted. This has never been
done, and is left as a manual exercise.
-[fn:4] Front is accessible via Gate but routing from the host address
+[fn:5] Front is accessible via Gate but routing from the host address
on ~vboxnet0~ through Gate requires extensive interference with the
routes on Front and Gate, making the simulation less... similar.