"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
-<!-- 2023-12-29 Fri 14:26 -->
+<!-- 2023-12-30 Sat 14:12 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>A Small Institute</title>
members off campus.
</p>
-<pre class="example" id="orgb84bde2">
+<pre class="example" id="orgee983ec">
=
_|||_
=-The-Institute-=
| |
============== Gate ================================================
| Private
- +----Ethernet switch
+ +----(Ethernet switch)
|
+----Core
+----Servers (NAS, DVR, etc.)
<div class="org-src-container">
<a href="public/vars.yml"><q>public/vars.yml</q></a><pre class="src src-conf">---
domain_name: small.example.org
-domain_priv: small.private
</pre>
</div>
<p>
-The private version of the institute's domain name should end with one
-of the top-level domains expected for this purpose: <code>.intranet</code>,
-<code>.internal</code>, <code>.private</code>, <code>.corp</code>, <code>.home</code> or <code>.lan</code>.<sup><a id="fnr.1" class="footref" href="#fn.1" role="doc-backlink">1</a></sup>
+The institute's private domain is treated as sensitive information,
+and so is "tangled" into the example file <a href="private/vars.yml"><q>private/vars.yml</q></a> rather
+than <a href="public/vars.yml"><q>public/vars.yml</q></a>. The example file is used for testing, and
+serves as the template for an actual, private, <q>private/var.yml</q> file
+that customizes this Ansible code for an actual, private, small
+institute.
+</p>
+
+<p>
+The institute's private domain name should end with one of the
+top-level domains set aside for this purpose: <code>.intranet</code>,
+<code>.internal</code>, <code>.private</code>, <code>.corp</code>, <code>.home</code> or <code>.lan</code>.<sup><a id="fnr.1" class="footref" href="#fn.1" role="doc-backlink">1</a></sup> It is
+hoped that doing so will increase that chances that some abomination
+like DNS-over-HTTPS will pass us by.
</p>
+
+<div class="org-src-container">
+<a href="private/vars.yml"><q>private/vars.yml</q></a><pre class="src src-conf">---
+domain_priv: small.private
+</pre>
+</div>
</div>
</div>
<div id="outline-container-orgda60362" class="outline-3">
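Review bot: the new paragraph moving `domain_priv` out of `public/vars.yml` says the tracked example `private/vars.yml` "serves as the template for an actual, private" file at the same path, but never says how the real file is kept out of the repository once it replaces the example; a sentence on that (ignore rule, separate private checkout, whatever the project does) would close the gap, since this is the file the text itself calls sensitive. Two small fixes in the same paragraphs: `<q>private/var.yml</q>` should read `private/vars.yml`, matching the link two lines above it, and "increase that chances" should be "increase the chances". The closing aside about DNS-over-HTTPS states a hope without the mechanism behind it; either say what the resolvers configured in 7.4 and 9.4 (Resolved pointed at Core's name server, or at `dns.google`) do for names under the private domain, or drop the aside, because a reserved-looking TLD on its own does not keep a client that ships its own DoH resolver from sending those queries off campus.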
</pre>
</div>
-<div class="TEXT" id="org0021adc">
+<div class="TEXT" id="orgb3b7bab">
<p>
=> 10.62.17.0/24
</p>
<p>
The four private networks are named and given example CIDRs in the
code block below. The small institute treats these addresses as
-sensitive information so the code block below "tangles" into
+sensitive information so again the code block below "tangles" into
<a href="private/vars.yml"><q>private/vars.yml</q></a> rather than <a href="public/vars.yml"><q>public/vars.yml</q></a>. Two of the
addresses are in <code>192.168</code> subnets because they are part of a test
configuration using mostly-default VirtualBoxes (described <a href="#org74b454f">here</a>).
</p>
<div class="org-src-container">
-<a href="private/vars.yml"><q>private/vars.yml</q></a><pre class="src src-conf">---
+<a href="private/vars.yml"><q>private/vars.yml</q></a><pre class="src src-conf">
private_net_cidr: 192.168.56.0/24
public_vpn_net_cidr: 10.177.86.0/24
campus_vpn_net_cidr: 10.84.138.0/24
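Review bot: the `private/vars.yml` block here loses its `---` document marker, which is only correct because the `domain_priv` block added earlier in this change is now the first block tangled into that file and carries the marker for both. That makes the generated YAML depend on the order of the two source blocks; a comment in the org source saying that this block must stay second (or keeping `---` on this block and dropping it from the other) would stop a later reordering from silently producing a file with no document start, or with two.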
campground Wi-Fi access point, etc.</li>
</ol>
-<pre class="example" id="org16dbe19">
+<pre class="example" id="org1547ba5">
=============== | ==================================================
| Premises
(Campus ISP)
following topology.
</p>
-<pre class="example" id="orga5f2d99">
+<pre class="example" id="org547d050">
=============== | ==================================================
| Premises
(House ISP)
certificates signed by the institute CA.
</p>
</div>
-<div id="outline-container-org9d81c0f" class="outline-3">
-<h3 id="org9d81c0f"><span class="section-number-3">6.1.</span> Include Particulars</h3>
+<div id="outline-container-org0b6eaeb" class="outline-3">
+<h3 id="org0b6eaeb"><span class="section-number-3">6.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-6-1">
<p>
The <code>front</code> role's tasks contain references to several common
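Review bot: every `org…` anchor in the page is regenerated by this export (here `org9d81c0f` becomes `org0b6eaeb`, and the same happens to more than thirty headings below), yet the document links to such anchors internally (`#org74b454f`, `#org8d60b7b`, `#org9240129`) and anyone who bookmarked a section gets a dead fragment on each re-export. Giving the headings fixed `:CUSTOM_ID:` properties in the org source would make the ids stable across exports and shrink diffs like this one to the substantive changes.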
</div>
</div>
</div>
-<div id="outline-container-orgcc676de" class="outline-3">
-<h3 id="orgcc676de"><span class="section-number-3">6.2.</span> Configure Hostname</h3>
+<div id="outline-container-org53f705c" class="outline-3">
+<h3 id="org53f705c"><span class="section-number-3">6.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-6-2">
<p>
This task ensures that Front's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-orga3a919f" class="outline-3">
-<h3 id="orga3a919f"><span class="section-number-3">6.4.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org0432f89" class="outline-3">
+<h3 id="org0432f89"><span class="section-number-3">6.4.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-6-4">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org718cfbd" class="outline-3">
-<h3 id="org718cfbd"><span class="section-number-3">6.6.</span> Configure Monkey</h3>
+<div id="outline-container-org41d0afc" class="outline-3">
+<h3 id="org41d0afc"><span class="section-number-3">6.6.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-6-6">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
-<div id="outline-container-orgb504c59" class="outline-3">
-<h3 id="orgb504c59"><span class="section-number-3">6.8.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org98f9cd5" class="outline-3">
+<h3 id="org98f9cd5"><span class="section-number-3">6.8.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-6-8">
<p>
The institute prefers to install security updates as soon as possible.
</div>
</div>
</div>
-<div id="outline-container-org55ba8e2" class="outline-3">
-<h3 id="org55ba8e2"><span class="section-number-3">6.9.</span> Configure User Accounts</h3>
+<div id="outline-container-orged63f05" class="outline-3">
+<h3 id="orged63f05"><span class="section-number-3">6.9.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-6-9">
<p>
User accounts are created immediately so that Postfix and Dovecot can
</div>
</div>
</div>
-<div id="outline-container-orgfab713c" class="outline-3">
-<h3 id="orgfab713c"><span class="section-number-3">6.10.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-orge3e0d1d" class="outline-3">
+<h3 id="orge3e0d1d"><span class="section-number-3">6.10.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-6-10">
<p>
Front should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-org203c172" class="outline-3">
-<h3 id="org203c172"><span class="section-number-3">6.11.</span> Install Server Certificate</h3>
+<div id="outline-container-orgd63b568" class="outline-3">
+<h3 id="orgd63b568"><span class="section-number-3">6.11.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-6-11">
<p>
The servers on Front use the same certificate (and key) to
</div>
</div>
</div>
-<div id="outline-container-org49d8726" class="outline-3">
-<h3 id="org49d8726"><span class="section-number-3">6.14.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-orgeaf598f" class="outline-3">
+<h3 id="orgeaf598f"><span class="section-number-3">6.14.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-6-14">
<p>
Front uses Dovecot's IMAPd to allow user Fetchmail jobs on Core to
</div>
</div>
</div>
-<div id="outline-container-org760a95a" class="outline-3">
-<h3 id="org760a95a"><span class="section-number-3">6.16.</span> Configure OpenVPN</h3>
+<div id="outline-container-orgb68db3f" class="outline-3">
+<h3 id="orgb68db3f"><span class="section-number-3">6.16.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-6-16">
<p>
Front uses OpenVPN to provide the institute's public VPN service. The
account. (For details, see <a href="#org8d60b7b">The Core Machine</a>.)
</p>
</div>
-<div id="outline-container-org2f3c047" class="outline-3">
-<h3 id="org2f3c047"><span class="section-number-3">7.1.</span> Include Particulars</h3>
+<div id="outline-container-org271236c" class="outline-3">
+<h3 id="org271236c"><span class="section-number-3">7.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-7-1">
<p>
The first task, as in <a href="#org9240129">The Front Role</a>, is to include the institute
</div>
</div>
</div>
-<div id="outline-container-orgef1bdc1" class="outline-3">
-<h3 id="orgef1bdc1"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
+<div id="outline-container-org6602011" class="outline-3">
+<h3 id="org6602011"><span class="section-number-3">7.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-7-2">
<p>
This task ensures that Core's <q>/etc/hostname</q> and <q>/etc/mailname</q> are
</div>
</div>
</div>
-<div id="outline-container-orge776843" class="outline-3">
-<h3 id="orge776843"><span class="section-number-3">7.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org7dcd4cf" class="outline-3">
+<h3 id="org7dcd4cf"><span class="section-number-3">7.3.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-7-3">
<p>
Core starts the <code>systemd-networkd</code> and <code>systemd-resolved</code> service
</div>
</div>
</div>
-<div id="outline-container-org85c46f2" class="outline-3">
-<h3 id="org85c46f2"><span class="section-number-3">7.4.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org1951472" class="outline-3">
+<h3 id="org1951472"><span class="section-number-3">7.4.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-7-4">
<p>
Core runs the campus name server, so Resolved is configured to use it
</div>
</div>
</div>
-<div id="outline-container-orgd3224ac" class="outline-3">
-<h3 id="orgd3224ac"><span class="section-number-3">7.8.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-org642538c" class="outline-3">
+<h3 id="org642538c"><span class="section-number-3">7.8.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-7-8">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-org41d0afc" class="outline-3">
-<h3 id="org41d0afc"><span class="section-number-3">7.9.</span> Configure Monkey</h3>
+<div id="outline-container-orgcd7d36c" class="outline-3">
+<h3 id="orgcd7d36c"><span class="section-number-3">7.9.</span> Configure Monkey</h3>
<div class="outline-text-3" id="text-7-9">
<p>
The small institute runs cron jobs and web scripts that generate
</div>
</div>
</div>
-<div id="outline-container-orged63f05" class="outline-3">
-<h3 id="orged63f05"><span class="section-number-3">7.12.</span> Configure User Accounts</h3>
+<div id="outline-container-orge46b03e" class="outline-3">
+<h3 id="orge46b03e"><span class="section-number-3">7.12.</span> Configure User Accounts</h3>
<div class="outline-text-3" id="text-7-12">
<p>
User accounts are created immediately so that backups can begin
</div>
</div>
</div>
-<div id="outline-container-org7a2d68e" class="outline-3">
-<h3 id="org7a2d68e"><span class="section-number-3">7.13.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-orgee4deb9" class="outline-3">
+<h3 id="orgee4deb9"><span class="section-number-3">7.13.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-7-13">
<p>
Core should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-org3f537e9" class="outline-3">
-<h3 id="org3f537e9"><span class="section-number-3">7.14.</span> Install Server Certificate</h3>
+<div id="outline-container-orgcb67daf" class="outline-3">
+<h3 id="orgcb67daf"><span class="section-number-3">7.14.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-7-14">
<p>
The servers on Core use the same certificate (and key) to authenticate
</div>
</div>
</div>
-<div id="outline-container-orgeaf598f" class="outline-3">
-<h3 id="orgeaf598f"><span class="section-number-3">7.18.</span> Configure Dovecot IMAPd</h3>
+<div id="outline-container-org0bf70c2" class="outline-3">
+<h3 id="org0bf70c2"><span class="section-number-3">7.18.</span> Configure Dovecot IMAPd</h3>
<div class="outline-text-3" id="text-7-18">
<p>
Core uses Dovecot's IMAPd to store and serve member emails. As on
configurations, etc.
</p>
</div>
-<div id="outline-container-orgc5bdd96" class="outline-3">
-<h3 id="orgc5bdd96"><span class="section-number-3">8.1.</span> Include Particulars</h3>
+<div id="outline-container-org87223bf" class="outline-3">
+<h3 id="org87223bf"><span class="section-number-3">8.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-8-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-orgd63b568" class="outline-3">
-<h3 id="orgd63b568"><span class="section-number-3">8.6.</span> Install Server Certificate</h3>
+<div id="outline-container-orge1c2554" class="outline-3">
+<h3 id="orge1c2554"><span class="section-number-3">8.6.</span> Install Server Certificate</h3>
<div class="outline-text-3" id="text-8-6">
<p>
The (OpenVPN) server on Gate uses an institute certificate (and key)
</div>
</div>
</div>
-<div id="outline-container-orgb68db3f" class="outline-3">
-<h3 id="orgb68db3f"><span class="section-number-3">8.7.</span> Configure OpenVPN</h3>
+<div id="outline-container-orge8ed770" class="outline-3">
+<h3 id="orge8ed770"><span class="section-number-3">8.7.</span> Configure OpenVPN</h3>
<div class="outline-text-3" id="text-8-7">
<p>
Gate uses OpenVPN to provide the institute's campus VPN service. Its
configured manually.
</p>
</div>
-<div id="outline-container-org0b6eaeb" class="outline-3">
-<h3 id="org0b6eaeb"><span class="section-number-3">9.1.</span> Include Particulars</h3>
+<div id="outline-container-orga19a7f7" class="outline-3">
+<h3 id="orga19a7f7"><span class="section-number-3">9.1.</span> Include Particulars</h3>
<div class="outline-text-3" id="text-9-1">
<p>
The following should be familiar boilerplate by now.
</div>
</div>
</div>
-<div id="outline-container-org53f705c" class="outline-3">
-<h3 id="org53f705c"><span class="section-number-3">9.2.</span> Configure Hostname</h3>
+<div id="outline-container-org17efad4" class="outline-3">
+<h3 id="org17efad4"><span class="section-number-3">9.2.</span> Configure Hostname</h3>
<div class="outline-text-3" id="text-9-2">
<p>
Clients should be using the expected host name.
</div>
</div>
</div>
-<div id="outline-container-org7dcd4cf" class="outline-3">
-<h3 id="org7dcd4cf"><span class="section-number-3">9.3.</span> Enable Systemd Resolved</h3>
+<div id="outline-container-org3d1f119" class="outline-3">
+<h3 id="org3d1f119"><span class="section-number-3">9.3.</span> Enable Systemd Resolved</h3>
<div class="outline-text-3" id="text-9-3">
<p>
Campus machines start the <code>systemd-networkd</code> and <code>systemd-resolved</code>
</div>
</div>
</div>
-<div id="outline-container-org1951472" class="outline-3">
-<h3 id="org1951472"><span class="section-number-3">9.4.</span> Configure Systemd Resolved</h3>
+<div id="outline-container-org0612ed1" class="outline-3">
+<h3 id="org0612ed1"><span class="section-number-3">9.4.</span> Configure Systemd Resolved</h3>
<div class="outline-text-3" id="text-9-4">
<p>
Campus machines use the campus name server on Core (or <code>dns.google</code>),
</div>
</div>
</div>
-<div id="outline-container-org0432f89" class="outline-3">
-<h3 id="org0432f89"><span class="section-number-3">9.6.</span> Add Administrator to System Groups</h3>
+<div id="outline-container-orgd9de325" class="outline-3">
+<h3 id="orgd9de325"><span class="section-number-3">9.6.</span> Add Administrator to System Groups</h3>
<div class="outline-text-3" id="text-9-6">
<p>
The administrator often needs to read (directories of) log files owned
</div>
</div>
</div>
-<div id="outline-container-orge3e0d1d" class="outline-3">
-<h3 id="orge3e0d1d"><span class="section-number-3">9.7.</span> Trust Institute Certificate Authority</h3>
+<div id="outline-container-org24c5c7d" class="outline-3">
+<h3 id="org24c5c7d"><span class="section-number-3">9.7.</span> Trust Institute Certificate Authority</h3>
<div class="outline-text-3" id="text-9-7">
<p>
Campus hosts should recognize the institute's Certificate Authority as
</div>
</div>
</div>
-<div id="outline-container-org98f9cd5" class="outline-3">
-<h3 id="org98f9cd5"><span class="section-number-3">9.8.</span> Install Unattended Upgrades</h3>
+<div id="outline-container-org6e09cb9" class="outline-3">
+<h3 id="org6e09cb9"><span class="section-number-3">9.8.</span> Install Unattended Upgrades</h3>
<div class="outline-text-3" id="text-9-8">
<p>
The institute prefers to install security updates as soon as possible.
The current network monitoring is rudimentary. It could use some
love, like intrusion detection via Snort or similar. Services on
Front are not monitored except that the <q>webupdate</q> script should be
-emailing <code>sysadm</code> whenever it cannot update Front.
+emailing <code>sysadm</code> whenever it cannot update Front (every 15 minutes!).
</p>
<p>
Pro-active monitoring might include notifying <code>root</code> of any vandalism
corrected by Monkey's quarter-hourly web update. This is a
-non-trivial task that must ignore intentional changes and save suspect
-changes.
+non-trivial task that must ignore intentional changes.
</p>
<p>
-Monkey's <code>cron</code> jobs on Core should presumably become <code>systemd.timer</code>
-and <code>.service</code> units.
+Monkey's <code>cron</code> jobs on Core should be <code>systemd.timer</code> and <code>.service</code>
+units.
</p>
<p>
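Review bot: removing "and save suspect changes" from the vandalism item drops the one forensic requirement it had; if Monkey's quarter-hourly update simply overwrites a vandalized page, the evidence of what was changed is gone before `root` is notified, so the requirement to keep a copy of the suspect content should stay (or the text should say where such copies would go). On the added "(every 15 minutes!)": that cadence means a persistently failing `webupdate` mails `sysadm` 96 times a day; worth noting whether the script suppresses repeats or whether that flood is the intended alarm.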
<p>
The <code>./inst client android dick-phone dick</code> command generates <q>.ovpn</q>
files that require the member to remember to check the "Use this
-connection only for resources on its network" box in the IPv4 tab of
-the Add VPN dialog. The <code>./inst client</code> command should include a
-setting in the Debian <q>.ovpn</q> files that NetworkManager will recognize
-as the desired setting.
+connection only for resources on its network" box in the IPv4 (and
+IPv6) tab(s) of the Add VPN dialog. The command should include an
+OpenVPN setting that the NetworkManager file importer recognizes as
+the desired setting.
</p>
<p>
The VPN service is overly complex. The OpenVPN 2.4.7 clients allow
multiple server addresses, but the <code>openvpn(8)</code> manual page suggests
-per connection parameters are a restricted set that does <i>not</i> include
-the essential <code>verify-x509-name</code>. Use the same name on separate
-certificates for Gate and Front? Use the same certificate and key on
-Gate and Front?
+per connection parameters are restricted to a set that does <i>not</i>
+include the essential <code>verify-x509-name</code>. Use the same name on
+separate certificates for Gate and Front? Use the same certificate
+and key on Gate and Front?
</p>
<p>
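Review bot: the two options floated for the per-connection `verify-x509-name` problem are not equivalent from a security standpoint, and the text should say so rather than leave both as open questions. Sharing one certificate and key between Gate and Front means a compromise of the Internet-facing Front (which runs the public VPN, 6.16) also yields the key the campus VPN server on Gate (8.7) authenticates with; using the same name on two separate certificates keeps the keys separate while still satisfying a single `verify-x509-name` in the client profile, since that check is against the certificate name, not the key. On the NetworkManager paragraph, the rewrite now says the command "should include an OpenVPN setting that the NetworkManager file importer recognizes" without naming it; if the setting is known, name it, otherwise the old wording's admission that it still has to be found was clearer.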
</div></div>
<div id="postamble" class="status">
<p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2023-12-29 Fri 14:26</p>
+<p class="date">Created: 2023-12-30 Sat 14:12</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>