Update README.html.

diff --git a/README.html b/README.html
index 6d80ea5026dcd25a0cc8d0bb8c539e50e451272c..69e5a54960ee99092eb0b40656adef414cadc4f0 100644 (file)
--- a/README.html
+++ b/README.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2026-01-12 Mon 12:12 -->
+<!-- 2026-01-18 Sun 16:36 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>Birchwood Abbey Networks</title>
@@ -24,8 +24,8 @@ idiosyncrasies.  The roles herein are abbey specific, emphasized by
 the <code>abbey-</code> prefix on their names.  These roles are applied <i>after</i>
 the generic institutional roles (again, documented <a href="Institute/README.html">here</a>).
 </p>
-<div id="outline-container-orgd39ba36" class="outline-2">
-<h2 id="orgd39ba36"><span class="section-number-2">1.</span> Overview</h2>
+<div id="outline-container-org04d6e4c" class="outline-2">
+<h2 id="org04d6e4c"><span class="section-number-2">1.</span> Overview</h2>
 <div class="outline-text-2" id="text-1">
 <p>
 A Small Institute makes security and privacy top priorities but
@@ -64,7 +64,7 @@ map is very similar, with differences mainly in terminology,
 philosophy, attitude.
 </p>
 
-<pre class="example" id="orgb65e1e6">
+<pre class="example" id="org90d1082">
                 |                                                   
                 =                                                   
               _|||_                                                 
@@ -103,8 +103,8 @@ philosophy, attitude.
 </pre>
 </div>
 </div>
-<div id="outline-container-org9e30af2" class="outline-2">
-<h2 id="org9e30af2"><span class="section-number-2">2.</span> The Abbey Particulars</h2>
+<div id="outline-container-orgd67a975" class="outline-2">
+<h2 id="orgd67a975"><span class="section-number-2">2.</span> The Abbey Particulars</h2>
 <div class="outline-text-2" id="text-2">
 <p>
 The abbey's public particulars are included below.  They are the
@@ -134,8 +134,8 @@ into <a href="private_ex/vars-abbey.yml"><q>private_ex/vars-abbey.yml</q></a>.
 </p>
 </div>
 </div>
-<div id="outline-container-orgfbff0c5" class="outline-2">
-<h2 id="orgfbff0c5"><span class="section-number-2">3.</span> The Abbey Front Role</h2>
+<div id="outline-container-orgd060277" class="outline-2">
+<h2 id="orgd060277"><span class="section-number-2">3.</span> The Abbey Front Role</h2>
 <div class="outline-text-2" id="text-3">
 <p>
 Birchwood Abbey's front door is a Digital Ocean Droplet configured as
@@ -144,8 +144,8 @@ with Apache2, spooling email with Postfix and serving it with
 Dovecot-IMAPd, and hosting a VPN with WireGuard™.
 </p>
 </div>
-<div id="outline-container-org5e36997" class="outline-3">
-<h3 id="org5e36997"><span class="section-number-3">3.1.</span> Install Emacs</h3>
+<div id="outline-container-orgbe9a4ee" class="outline-3">
+<h3 id="orgbe9a4ee"><span class="section-number-3">3.1.</span> Install Emacs</h3>
 <div class="outline-text-3" id="text-3-1">
 <p>
 The monks of the abbey are masters of the staff (bo) and Emacs.
@@ -160,8 +160,8 @@ The monks of the abbey are masters of the staff (bo) and Emacs.
 </div>
 </div>
 </div>
-<div id="outline-container-org787f6d0" class="outline-3">
-<h3 id="org787f6d0"><span class="section-number-3">3.2.</span> Configure Public Email Aliases</h3>
+<div id="outline-container-orgf02dfe3" class="outline-3">
+<h3 id="orgf02dfe3"><span class="section-number-3">3.2.</span> Configure Public Email Aliases</h3>
 <div class="outline-text-3" id="text-3-2">
 <p>
 The abbey uses several additional email aliases.  These are the public
@@ -201,8 +201,8 @@ from there, forwarding <code>sysadm</code> to a real person.
 </div>
 </div>
 </div>
-<div id="outline-container-org46a9670" class="outline-3">
-<h3 id="org46a9670"><span class="section-number-3">3.3.</span> Configure Git Daemon on Front</h3>
+<div id="outline-container-org227602e" class="outline-3">
+<h3 id="org227602e"><span class="section-number-3">3.3.</span> Configure Git Daemon on Front</h3>
 <div class="outline-text-3" id="text-3-3">
 <p>
 The abbey publishes member Git repositories with <code>git daemon</code>.  If
@@ -247,7 +247,7 @@ rsync -av --del small.institute.org:Public/foo/ ~/Public/foo/
 The <code>git daemon</code> is run by SystemD per the <q>git-daemon.service</q> file.
 The <code>git-daemon(1)</code> manual page explains the options in detail.  The
 <code>--base-path</code> option should agree with <code>$projectroot</code> in the
-<q>/etc/gitweb.conf</q> file installed <a href="#orgd2d288a">here</a>.
+<q>/etc/gitweb.conf</q> file installed <a href="#org3877377">here</a>.
 </p>
 
 <p>
@@ -280,7 +280,7 @@ like <code>gitd-tasks</code> and <code>gitd-handlers</code>.
 </div>
 
 <div class="org-src-container">
-<code>gitd-tasks</code><pre class="src src-conf" id="org9cf4de2"><code>- name: Install git.
+<code>gitd-tasks</code><pre class="src src-conf" id="org59a9cd2"><code>- name: Install git.
   become: yes
   <span class="org-variable-name">apt: pkg</span>=git
 
@@ -364,7 +364,7 @@ like <code>gitd-tasks</code> and <code>gitd-handlers</code>.
 </div>
 
 <div class="org-src-container">
-<code>gitd-handlers</code><pre class="src src-conf" id="org9d63187"><code>
+<code>gitd-handlers</code><pre class="src src-conf" id="org5fd849e"><code>
 - name: Reload systemd.
   become: yes
   systemd:
@@ -380,8 +380,8 @@ like <code>gitd-tasks</code> and <code>gitd-handlers</code>.
 </div>
 </div>
 </div>
-<div id="outline-container-org114683e" class="outline-3">
-<h3 id="org114683e"><span class="section-number-3">3.4.</span> Configure Gitweb on Front</h3>
+<div id="outline-container-org3972eff" class="outline-3">
+<h3 id="org3972eff"><span class="section-number-3">3.4.</span> Configure Gitweb on Front</h3>
 <div class="outline-text-3" id="text-3-4">
 <p>
 The abbey provides an HTML interface to members' public Git
@@ -408,7 +408,7 @@ lists the repositories found in <q>/var/www/git/</q>.
 </p>
 
 <div class="org-src-container">
-<code>apache-gitweb</code><pre class="src src-conf" id="org4f5b782"><code>Alias /gitweb-static/ /usr/share/gitweb/static/
+<code>apache-gitweb</code><pre class="src src-conf" id="org7a39b76"><code>Alias /gitweb-static/ /usr/share/gitweb/static/
 &lt;Directory <span class="org-string">"/usr/share/gitweb/static/"</span>&gt;
     Options MultiViews
 &lt;/Directory&gt;
@@ -471,7 +471,7 @@ web site <q>/favicon.ico</q>.
 </div>
 
 <div class="org-src-container">
-<code>gitweb-tasks</code><pre class="src src-conf" id="orgd2d288a"><code>- name: Enable Apache2 rewrite module.
+<code>gitweb-tasks</code><pre class="src src-conf" id="org3877377"><code>- name: Enable Apache2 rewrite module.
   become: yes
   <span class="org-variable-name">apache2_module: name</span>=rewrite
   notify: Restart Apache2.
@@ -514,7 +514,7 @@ web site <q>/favicon.ico</q>.
 </div>
 
 <div class="org-src-container">
-<code>gitweb-handlers</code><pre class="src src-conf" id="orgcbb20c2"><code>- name: Restart Apache2.
+<code>gitweb-handlers</code><pre class="src src-conf" id="orgbac5425"><code>- name: Restart Apache2.
   become: yes
   systemd:
     service: apache2
@@ -524,8 +524,8 @@ web site <q>/favicon.ico</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-org5fc0a7d" class="outline-3">
-<h3 id="org5fc0a7d"><span class="section-number-3">3.5.</span> Configure Apache for Abbey Documentation</h3>
+<div id="outline-container-orga1ffc3d" class="outline-3">
+<h3 id="orga1ffc3d"><span class="section-number-3">3.5.</span> Configure Apache for Abbey Documentation</h3>
 <div class="outline-text-3" id="text-3-5">
 <p>
 Some of the directives added to the <q>-vhost.conf</q> file are needed by
@@ -543,7 +543,7 @@ filename suffixes.
 </p>
 
 <div class="org-src-container">
-<code>apache-abbey</code><pre class="src src-conf" id="orgaa48e62"><code>&lt;Directory {{ docroot }}/Abbey/&gt;
+<code>apache-abbey</code><pre class="src src-conf" id="org314ee41"><code>&lt;Directory {{ docroot }}/Abbey/&gt;
     AllowOverride Indexes FileInfo
     Options +Indexes +FollowSymLinks
 &lt;/Directory&gt;
@@ -566,8 +566,8 @@ AddType text/plain private pub public_vpn req rev sample txt yml
 </div>
 </div>
 </div>
-<div id="outline-container-orge4186e3" class="outline-3">
-<h3 id="orge4186e3"><span class="section-number-3">3.6.</span> Configure Photos URLs on Front</h3>
+<div id="outline-container-org32b1d54" class="outline-3">
+<h3 id="org32b1d54"><span class="section-number-3">3.6.</span> Configure Photos URLs on Front</h3>
 <div class="outline-text-3" id="text-3-6">
 <p>
 Some of the directives added to the <q>-vhost.conf</q> file map the abbey's
@@ -579,7 +579,7 @@ matching configurations for accurate previews and tests.
 </p>
 
 <div class="org-src-container">
-<code>apache-photos</code><pre class="src src-conf" id="org3d49a6f"><code>RedirectMatch /Photos$ /Photos/
+<code>apache-photos</code><pre class="src src-conf" id="org7474b2d"><code>RedirectMatch /Photos$ /Photos/
 RedirectMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])$ \
               /Photos/$1_$2_$3/
 AliasMatch /Photos/(20[0-9][0-9])_([0-9][0-9])_([0-9][0-9])/(.+)$ \
@@ -591,8 +591,8 @@ AliasMatch /Photos/$ {{ docroot }}/Photos/index.html
 </div>
 </div>
 </div>
-<div id="outline-container-org53472a4" class="outline-3">
-<h3 id="org53472a4"><span class="section-number-3">3.7.</span> Configure Tellurion Expiration on Front</h3>
+<div id="outline-container-org20a4ad0" class="outline-3">
+<h3 id="org20a4ad0"><span class="section-number-3">3.7.</span> Configure Tellurion Expiration on Front</h3>
 <div class="outline-text-3" id="text-3-7">
 <p>
 The abbey's <q>tellurion.png</q> is updated every 15 minutes on the quarter
@@ -602,7 +602,7 @@ hour, and should expire soon thereafter.  To accomplish this, Apache's
 </p>
 
 <div class="org-src-container">
-<code>apache-tellurion</code><pre class="src src-conf" id="org33bc52a"><code>&lt;Directory {{ docroot }}/Tellurion/&gt;
+<code>apache-tellurion</code><pre class="src src-conf" id="orgfc5fccc"><code>&lt;Directory {{ docroot }}/Tellurion/&gt;
     ExpiresActive On
     ExpiresByType image/png <span class="org-string">"modification plus 15 minutes"</span>
 &lt;/Directory&gt;
@@ -621,7 +621,7 @@ will be accepted.
 </div>
 
 <div class="org-src-container">
-<code>tellurion-tasks</code><pre class="src src-conf" id="org19378f5"><code>- name: Enable Apache2 expires module.
+<code>tellurion-tasks</code><pre class="src src-conf" id="org00cd0cb"><code>- name: Enable Apache2 expires module.
   become: yes
   <span class="org-variable-name">apache2_module: name</span>=expires
   notify: Restart Apache2.
@@ -629,8 +629,8 @@ will be accepted.
 </div>
 </div>
 </div>
-<div id="outline-container-org4dea054" class="outline-3">
-<h3 id="org4dea054"><span class="section-number-3">3.8.</span> Configure Apache on Front</h3>
+<div id="outline-container-org683a306" class="outline-3">
+<h3 id="org683a306"><span class="section-number-3">3.8.</span> Configure Apache on Front</h3>
 <div class="outline-text-3" id="text-3-8">
 <p>
 The abbey needs to add some Apache2 configuration directives to the
@@ -641,11 +641,11 @@ The abbey simply creates a <q>birchwood-abbey.net-vhost.conf</q> file in
 </p>
 
 <p>
-The following task adds the <a href="#org4f5b782"><code>apache-gitweb</code></a>, <a href="#orgaa48e62"><code>apache-abbey</code></a>,
-<a href="#org3d49a6f"><code>apache-photos</code></a>, and <a href="#org33bc52a"><code>apache-tellurion</code></a> directives described above to
+The following task adds the <a href="#org7a39b76"><code>apache-gitweb</code></a>, <a href="#org314ee41"><code>apache-abbey</code></a>,
+<a href="#org7474b2d"><code>apache-photos</code></a>, and <a href="#orgfc5fccc"><code>apache-tellurion</code></a> directives described above to
 the <q>-vhost.conf</q> file, and includes <q>options-ssl-apache.conf</q> from
 <q>/etc/letsencrypt/</q>.  The rest of the Let's Encrypt configuration is
-discussed in the following <a href="#org4e9b910">Install Let's Encrypt</a> section.
+discussed in the following <a href="#orgcddc4bf">Install Let's Encrypt</a> section.
 </p>
 
 <div class="org-src-container">
@@ -671,8 +671,8 @@ discussed in the following <a href="#org4e9b910">Install Let's Encrypt</a> secti
 </div>
 </div>
 </div>
-<div id="outline-container-orga909160" class="outline-3">
-<h3 id="orga909160"><span class="section-number-3">3.9.</span> Configure Apache Log Archival</h3>
+<div id="outline-container-orgcaa244b" class="outline-3">
+<h3 id="orgcaa244b"><span class="section-number-3">3.9.</span> Configure Apache Log Archival</h3>
 <div class="outline-text-3" id="text-3-9">
 <p>
 These tasks hack Apache's <code>logrotate(8)</code> configuration to rotate
@@ -808,8 +808,8 @@ encrypting and sending to <code>sendmail</code>.
 </div>
 </div>
 </div>
-<div id="outline-container-org4e9b910" class="outline-3">
-<h3 id="org4e9b910"><span class="section-number-3">3.10.</span> Install Let's Encrypt</h3>
+<div id="outline-container-orgcddc4bf" class="outline-3">
+<h3 id="orgcddc4bf"><span class="section-number-3">3.10.</span> Install Let's Encrypt</h3>
 <div class="outline-text-3" id="text-3-10">
 <p>
 The abbey uses a Let's Encrypt certificate to authenticate its public
@@ -818,7 +818,7 @@ certificate is a terminal session affair (with prompts and lines
 entered as shown below).
 </p>
 
-<pre class="example" id="org3af5c07">
+<pre class="example" id="org4b35bf2">
 $ sudo apt install python3-certbot-apache
 $ sudo certbot --apache -d birchwood-abbey.net
 ...
@@ -943,8 +943,8 @@ be restarted manually.
 </div>
 </div>
 </div>
-<div id="outline-container-orgf6835e2" class="outline-3">
-<h3 id="orgf6835e2"><span class="section-number-3">3.11.</span> Restart Servers Caching Let's Encrypt</h3>
+<div id="outline-container-org676689c" class="outline-3">
+<h3 id="org676689c"><span class="section-number-3">3.11.</span> Restart Servers Caching Let's Encrypt</h3>
 <div class="outline-text-3" id="text-3-11">
 <div class="org-src-container">
 <a href="roles_t/abbey-front/tasks/main.yml"><q>roles_t/abbey-front/tasks/main.yml</q></a><pre class="src src-conf"><code>
@@ -973,8 +973,8 @@ server certificate.
 </div>
 </div>
 </div>
-<div id="outline-container-org8dd6763" class="outline-3">
-<h3 id="org8dd6763"><span class="section-number-3">3.12.</span> Rotate Let's Encrypt Log</h3>
+<div id="outline-container-org2493da1" class="outline-3">
+<h3 id="org2493da1"><span class="section-number-3">3.12.</span> Rotate Let's Encrypt Log</h3>
 <div class="outline-text-3" id="text-3-12">
 <p>
 The following task arranges to rotate Certbot's logs files.
@@ -1002,8 +1002,8 @@ The following task arranges to rotate Certbot's logs files.
 </div>
 </div>
 </div>
-<div id="outline-container-orga61b058" class="outline-3">
-<h3 id="orga61b058"><span class="section-number-3">3.13.</span> Archive Let's Encrypt Data</h3>
+<div id="outline-container-orgcd5e4cb" class="outline-3">
+<h3 id="orgcd5e4cb"><span class="section-number-3">3.13.</span> Archive Let's Encrypt Data</h3>
 <div class="outline-text-3" id="text-3-13">
 <p>
 A backup copy of Let's Encrypt's data (<q>/etc/letsencrypt/</q>) is sent to
@@ -1082,8 +1082,8 @@ imported into <code>root@front</code>'s GnuPG key file.
 </div>
 </div>
 </div>
-<div id="outline-container-org4d1be8c" class="outline-2">
-<h2 id="org4d1be8c"><span class="section-number-2">4.</span> The Abbey Core Role</h2>
+<div id="outline-container-org080ed5f" class="outline-2">
+<h2 id="org080ed5f"><span class="section-number-2">4.</span> The Abbey Core Role</h2>
 <div class="outline-text-2" id="text-4">
 <p>
 Birchwood Abbey's core is a mini-PC (System76 Meerkat) configured as A
@@ -1093,8 +1093,8 @@ with Postfix and Dovecot, and providing essential localnet services:
 NTP, DNS and DHCP.
 </p>
 </div>
-<div id="outline-container-orga740a0d" class="outline-3">
-<h3 id="orga740a0d"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
+<div id="outline-container-orgafb285f" class="outline-3">
+<h3 id="orgafb285f"><span class="section-number-3">4.1.</span> Include Abbey Variables</h3>
 <div class="outline-text-3" id="text-4-1">
 <p>
 In this abbey specific document, most abbey particulars are not
@@ -1113,8 +1113,8 @@ directory, <q>playbooks/</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-orgb85b1aa" class="outline-3">
-<h3 id="orgb85b1aa"><span class="section-number-3">4.2.</span> Install Additional Packages</h3>
+<div id="outline-container-org52e3fe1" class="outline-3">
+<h3 id="org52e3fe1"><span class="section-number-3">4.2.</span> Install Additional Packages</h3>
 <div class="outline-text-3" id="text-4-2">
 <p>
 The scripts that maintain the abbey's web site use a number of
@@ -1134,8 +1134,8 @@ The house task list uses JQuery.
 </div>
 </div>
 </div>
-<div id="outline-container-orgea0c4c5" class="outline-3">
-<h3 id="orgea0c4c5"><span class="section-number-3">4.3.</span> Configure Private Email Aliases</h3>
+<div id="outline-container-orga6fd82f" class="outline-3">
+<h3 id="orga6fd82f"><span class="section-number-3">4.3.</span> Configure Private Email Aliases</h3>
 <div class="outline-text-3" id="text-4-3">
 <p>
 The abbey uses several additional email aliases.  These are the campus
@@ -1176,13 +1176,13 @@ e.g. <code>mythtv@mythtv.birchwood.private</code>, locally.)
 </div>
 </div>
 </div>
-<div id="outline-container-org934b822" class="outline-3">
-<h3 id="org934b822"><span class="section-number-3">4.4.</span> Configure Git Daemon on Core</h3>
+<div id="outline-container-org864a898" class="outline-3">
+<h3 id="org864a898"><span class="section-number-3">4.4.</span> Configure Git Daemon on Core</h3>
 <div class="outline-text-3" id="text-4-4">
 <p>
 These tasks are identical to those executed on Front, for similar Git
 services on Front and Core.  This allows changes to be tested on Core
-before they are pushed to Front.  See <a href="#org46a9670">3.3</a>
+before they are pushed to Front.  See <a href="#org227602e">3.3</a>
 for more information.
 </p>
 
@@ -1199,13 +1199,13 @@ for more information.
 </div>
 </div>
 </div>
-<div id="outline-container-orgb5cbec3" class="outline-3">
-<h3 id="orgb5cbec3"><span class="section-number-3">4.5.</span> Configure Gitweb on Core</h3>
+<div id="outline-container-org223edc0" class="outline-3">
+<h3 id="org223edc0"><span class="section-number-3">4.5.</span> Configure Gitweb on Core</h3>
 <div class="outline-text-3" id="text-4-5">
 <p>
 These tasks are identical to those executed on Front, for similar
 Gitweb services on Front and Core.  This allows changes to be tested
-on Core before they are pushed to Front.  See <a href="#org114683e">Configure Gitweb on
+on Core before they are pushed to Front.  See <a href="#org3972eff">Configure Gitweb on
 Front</a> for more information.
 </p>
 
@@ -1222,12 +1222,12 @@ Front</a> for more information.
 </div>
 </div>
 </div>
-<div id="outline-container-org9e169fa" class="outline-3">
-<h3 id="org9e169fa"><span class="section-number-3">4.6.</span> Configure Tellurion Expiration on Core</h3>
+<div id="outline-container-org0deece2" class="outline-3">
+<h3 id="org0deece2"><span class="section-number-3">4.6.</span> Configure Tellurion Expiration on Core</h3>
 <div class="outline-text-3" id="text-4-6">
 <p>
-The <code>apache-tellurion</code> directives are defined <a href="#org33bc52a">here</a> and included in the
-Apache configuration below.  The <code>tellurion-tasks</code> are defined <a href="#org19378f5">here</a>
+The <code>apache-tellurion</code> directives are defined <a href="#orgfc5fccc">here</a> and included in the
+Apache configuration below.  The <code>tellurion-tasks</code> are defined <a href="#org00cd0cb">here</a>
 and included by the following code block.
 </p>
 
@@ -1238,14 +1238,14 @@ and included by the following code block.
 </div>
 </div>
 </div>
-<div id="outline-container-orga961a88" class="outline-3">
-<h3 id="orga961a88"><span class="section-number-3">4.7.</span> Configure Apache on Core</h3>
+<div id="outline-container-orgfa7854e" class="outline-3">
+<h3 id="orgfa7854e"><span class="section-number-3">4.7.</span> Configure Apache on Core</h3>
 <div class="outline-text-3" id="text-4-7">
 <p>
 The Apache2 configuration on Core specifies three web sites (live,
 test, and campus).  The live and test sites must operate just like the
-site on Front.  Their configurations include the same <a href="#org4f5b782"><code>apache-gitweb</code></a>,
-<a href="#orgaa48e62"><code>apache-abbey</code></a>, <a href="#org3d49a6f"><code>apache-photos</code></a>, and <a href="#org33bc52a"><code>apache-tellurion</code></a> used on Front.
+site on Front.  Their configurations include the same <a href="#org7a39b76"><code>apache-gitweb</code></a>,
+<a href="#org314ee41"><code>apache-abbey</code></a>, <a href="#org7474b2d"><code>apache-photos</code></a>, and <a href="#orgfc5fccc"><code>apache-tellurion</code></a> used on Front.
 </p>
 
 <div class="org-src-container">
@@ -1287,15 +1287,15 @@ site on Front.  Their configurations include the same <a href="#org4f5b782"><cod
 </div>
 </div>
 </div>
-<div id="outline-container-org9581318" class="outline-3">
-<h3 id="org9581318"><span class="section-number-3">4.8.</span> Configure Documentation URLs</h3>
+<div id="outline-container-org0afaf42" class="outline-3">
+<h3 id="org0afaf42"><span class="section-number-3">4.8.</span> Configure Documentation URLs</h3>
 <div class="outline-text-3" id="text-4-8">
 <p>
 The institute serves its <q>/usr/share/doc/</q> on the house (campus) web
 site.  This is a debugging convenience, making some HTML documentation
 more accessible, especially the documentation of software installed on
 Core and not on typical desktop clients.  Also included: the Apache2
-directives that enable user Git publishing with Gitweb (defined <a href="#org4f5b782">here</a>).
+directives that enable user Git publishing with Gitweb (defined <a href="#org7a39b76">here</a>).
 </p>
 
 <div class="org-src-container">
@@ -1317,8 +1317,8 @@ directives that enable user Git publishing with Gitweb (defined <a href="#org4f5
 </div>
 </div>
 </div>
-<div id="outline-container-org37d62fe" class="outline-3">
-<h3 id="org37d62fe"><span class="section-number-3">4.9.</span> Install Apt Cacher</h3>
+<div id="outline-container-org39ecdd8" class="outline-3">
+<h3 id="org39ecdd8"><span class="section-number-3">4.9.</span> Install Apt Cacher</h3>
 <div class="outline-text-3" id="text-4-9">
 <p>
 The abbey uses the Apt-Cacher:TNG package cache on Core.  The
@@ -1334,8 +1334,8 @@ The abbey uses the Apt-Cacher:TNG package cache on Core.  The
 </div>
 </div>
 </div>
-<div id="outline-container-org7ecca04" class="outline-3">
-<h3 id="org7ecca04"><span class="section-number-3">4.10.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-org6f7e389" class="outline-3">
+<h3 id="org6f7e389"><span class="section-number-3">4.10.</span> Use Cloister Apt Cache</h3>
 <div class="outline-text-3" id="text-4-10">
 <p>
 Core itself will benefit from using the package cache, but should
@@ -1357,8 +1357,8 @@ so caching their packages is not a priority.)
 </div>
 </div>
 </div>
-<div id="outline-container-orga520975" class="outline-3">
-<h3 id="orga520975"><span class="section-number-3">4.11.</span> Configure NAGIOS</h3>
+<div id="outline-container-org45e225e" class="outline-3">
+<h3 id="org45e225e"><span class="section-number-3">4.11.</span> Configure NAGIOS</h3>
 <div class="outline-text-3" id="text-4-11">
 <p>
 A small institute uses <code>nagios4</code> to monitor the health of its network,
@@ -1372,8 +1372,8 @@ another customized <code>check_sensors</code> plugin (<code>abbey_pisensors</cod
 Raspberry Pis.
 </p>
 </div>
-<div id="outline-container-org1d3fc27" class="outline-4">
-<h4 id="org1d3fc27"><span class="section-number-4">4.11.1.</span> Monitoring The Home Disk</h4>
+<div id="outline-container-org9b85f24" class="outline-4">
+<h4 id="org9b85f24"><span class="section-number-4">4.11.1.</span> Monitoring The Home Disk</h4>
 <div class="outline-text-4" id="text-4-11-1">
 <p>
 The abbey adds monitoring of the space remaining on the volume at
@@ -1428,8 +1428,8 @@ RAID-5 array under <q>/home/</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-orge690b45" class="outline-4">
-<h4 id="orge690b45"><span class="section-number-4">4.11.2.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h4>
+<div id="outline-container-orgf975d70" class="outline-4">
+<h4 id="orgf975d70"><span class="section-number-4">4.11.2.</span> Custom NAGIOS Monitor <code>abbey_pisensors</code></h4>
 <div class="outline-text-4" id="text-4-11-2">
 <p>
 The <code>check_sensors</code> plugin is included in the package
@@ -1524,8 +1524,8 @@ recognizable temperature in the <code>sensors</code> output.
 </div>
 </div>
 </div>
-<div id="outline-container-org37dbd7b" class="outline-4">
-<h4 id="org37dbd7b"><span class="section-number-4">4.11.3.</span> Stolen NAGIOS Monitor <code>check_mdstat</code></h4>
+<div id="outline-container-org439ea1c" class="outline-4">
+<h4 id="org439ea1c"><span class="section-number-4">4.11.3.</span> Stolen NAGIOS Monitor <code>check_mdstat</code></h4>
 <div class="outline-text-4" id="text-4-11-3">
 <p>
 This <code>check_mdstat</code> plugin was copied from the NAGIOS Exchange (<a href="https://exchange.nagios.org/directory/plugins/operating-systems/linux/check_mdstat/details/">here</a>).
@@ -1612,14 +1612,15 @@ EOE
 </div>
 </div>
 </div>
-<div id="outline-container-org619d465" class="outline-4">
-<h4 id="org619d465"><span class="section-number-4">4.11.4.</span> Configure NAGIOS Monitoring of The Cloister</h4>
+<div id="outline-container-orgfaece9a" class="outline-4">
+<h4 id="orgfaece9a"><span class="section-number-4">4.11.4.</span> Configure NAGIOS Monitoring of The Cloister</h4>
 <div class="outline-text-4" id="text-4-11-4">
 <p>
-The abbey adds monitoring for more servers: Dantooine and Kessel.
-They are <code>abbey-cloister</code> servers, so they are configured as small
-institute <code>campus</code> servers, like Gate, with an NRPE (a NAGIOS Remote
-Plugin Executor) server and an <code>inst_sensors</code> command.
+The abbey adds monitoring for more servers: Dantooine, Kessel and Ord
+Mantell.  They are <code>abbey-cloister</code> servers, so they are configured as
+small institute <code>campus</code> servers, like Gate, with an NRPE (a NAGIOS
+Remote Plugin Executor) server and an <code>inst_sensors</code> or
+<code>abbey_pisensors</code> command.
 </p>
 
 <p>
@@ -1627,8 +1628,8 @@ The configurations for these servers are very similar to Gate's, but
 are idiosyncratically in flux.
 </p>
 </div>
-<div id="outline-container-orgfb2c8c4" class="outline-5">
-<h5 id="orgfb2c8c4"><span class="section-number-5">4.11.4.1.</span> Cloister Network Addresses</h5>
+<div id="outline-container-orgc13c51b" class="outline-5">
+<h5 id="orgc13c51b"><span class="section-number-5">4.11.4.1.</span> Cloister Network Addresses</h5>
 <div class="outline-text-5" id="text-4-11-4-1">
 <p>
 The IP addresses of all three hosts are nice to use in the NAGIOS
@@ -1640,12 +1641,13 @@ included in <q>private/vars-abbey.yml</q>.
 <a href="private_ex/vars-abbey.yml"><q>private_ex/vars-abbey.yml</q></a><pre class="src src-conf"><code>---
 dantooine_addr:             10.84.138.8
 kessel_addr:                10.84.138.10
+ord_mantell_addr:           10.84.138.12
 </code></pre>
 </div>
 </div>
 </div>
-<div id="outline-container-orgb85f230" class="outline-5">
-<h5 id="orgb85f230"><span class="section-number-5">4.11.4.2.</span> Install NAGIOS Configurations</h5>
+<div id="outline-container-org34c60e8" class="outline-5">
+<h5 id="org34c60e8"><span class="section-number-5">4.11.4.2.</span> Install NAGIOS Configurations</h5>
 <div class="outline-text-5" id="text-4-11-4-2">
 <p>
 The following task installs each host's NAGIOS configuration.
@@ -1658,14 +1660,14 @@ The following task installs each host's NAGIOS configuration.
   template:
     src: nagios-{{ item }}.cfg
     dest: /etc/nagios4/conf.d/{{ item }}.cfg
-  loop: [ dantooine, kessel ]
+  loop: [ dantooine, kessel, ord-mantell ]
   notify: Reload NAGIOS4.
 </code></pre>
 </div>
 </div>
 </div>
-<div id="outline-container-orgc2d3b2d" class="outline-5">
-<h5 id="orgc2d3b2d"><span class="section-number-5">4.11.4.3.</span> NAGIOS Monitoring of Dantooine</h5>
+<div id="outline-container-org57a0d79" class="outline-5">
+<h5 id="org57a0d79"><span class="section-number-5">4.11.4.3.</span> NAGIOS Monitoring of Dantooine</h5>
 <div class="outline-text-5" id="text-4-11-4-3">
 <div class="org-src-container">
 <a href="roles_t/abbey-core/templates/nagios-dantooine.cfg"><q>roles_t/abbey-core/templates/nagios-dantooine.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
@@ -1726,8 +1728,8 @@ The following task installs each host's NAGIOS configuration.
 </div>
 </div>
 </div>
-<div id="outline-container-org46f865c" class="outline-5">
-<h5 id="org46f865c"><span class="section-number-5">4.11.4.4.</span> NAGIOS Monitoring of Kessel</h5>
+<div id="outline-container-org2b3a9ba" class="outline-5">
+<h5 id="org2b3a9ba"><span class="section-number-5">4.11.4.4.</span> NAGIOS Monitoring of Kessel</h5>
 <div class="outline-text-5" id="text-4-11-4-4">
 <div class="org-src-container">
 <a href="roles_t/abbey-core/templates/nagios-kessel.cfg"><q>roles_t/abbey-core/templates/nagios-kessel.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
@@ -1781,10 +1783,65 @@ The following task installs each host's NAGIOS configuration.
 </div>
 </div>
 </div>
+<div id="outline-container-orgb9f9d18" class="outline-5">
+<h5 id="orgb9f9d18"><span class="section-number-5">4.11.4.5.</span> NAGIOS Monitoring of Ord-Mantell</h5>
+<div class="outline-text-5" id="text-4-11-4-5">
+<div class="org-src-container">
+<a href="roles_t/abbey-core/templates/nagios-ord-mantell.cfg"><q>roles_t/abbey-core/templates/nagios-ord-mantell.cfg</q></a><pre class="src src-conf"><code><span class="org-type">define host</span> {
+    use                     linux-server
+    host_name               ord-mantell
+    address                 {{ ord_mantell_addr }}
+}
+
+<span class="org-type">define service</span> {
+    use                     generic-service
+    host_name               ord-mantell
+    service_description     Root Partition
+    check_command           check_nrpe!inst_root
+}
+
+<span class="org-comment-delimiter"># </span><span class="org-comment">define service {
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">use                     generic-service
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">host_name               ord-mantell
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">service_description     Current Load
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">check_command           check_nrpe!check_load
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">}
+</span>
+<span class="org-type">define service</span> {
+    use                     generic-service
+    host_name               ord-mantell
+    service_description     Zombie Processes
+    check_command           check_nrpe!check_zombie_procs
+}
+
+<span class="org-comment-delimiter"># </span><span class="org-comment">define service {
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">use                     generic-service
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">host_name               ord-mantell
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">service_description     Total Processes
+</span><span class="org-comment-delimiter">#     </span><span class="org-comment">check_command           check_nrpe!check_total_procs
+</span><span class="org-comment-delimiter"># </span><span class="org-comment">}
+</span>
+<span class="org-type">define service</span> {
+    use                     generic-service
+    host_name               ord-mantell
+    service_description     Swap Usage
+    check_command           check_nrpe!inst_swap
+}
+
+<span class="org-type">define service</span> {
+    use                     generic-service
+    host_name               ord-mantell
+    service_description     Temperature Sensors
+    check_command           check_nrpe!abbey_pisensors
+}
+</code></pre>
 </div>
 </div>
-<div id="outline-container-org7d488a3" class="outline-3">
-<h3 id="org7d488a3"><span class="section-number-3">4.12.</span> Install Munin</h3>
+</div>
+</div>
+</div>
+<div id="outline-container-org5216bd9" class="outline-3">
+<h3 id="org5216bd9"><span class="section-number-3">4.12.</span> Install Munin</h3>
 <div class="outline-text-3" id="text-4-12">
 <p>
 The abbey is experimenting with Munin.  NAGIOS is all about notifying
@@ -1838,6 +1895,9 @@ trends in resource usage.
 
       [<span class="org-type">kessel.birchwood.private</span>]
           address {{ kessel_addr }}
+
+      [<span class="org-type">ord-mantell.birchwood.private</span>]
+          address {{ ord_mantell_addr }}
     dest: /etc/munin/munin-conf.d/zzz-site.cfg
   notify: Restart Munin.
 
@@ -1888,8 +1948,8 @@ next task configures <code>libsensors</code> to ignore them.
 </div>
 </div>
 </div>
-<div id="outline-container-org79b60a4" class="outline-3">
-<h3 id="org79b60a4"><span class="section-number-3">4.13.</span> Install Analog</h3>
+<div id="outline-container-org633aafd" class="outline-3">
+<h3 id="org633aafd"><span class="section-number-3">4.13.</span> Install Analog</h3>
 <div class="outline-text-3" id="text-4-13">
 <p>
 The abbey's public web site's access and error logs are emailed
@@ -1965,8 +2025,8 @@ at <code>http://www/doc/analog/</code>.
 </div>
 </div>
 </div>
-<div id="outline-container-orgf2c55a2" class="outline-3">
-<h3 id="orgf2c55a2"><span class="section-number-3">4.14.</span> Add Monkey to Web Server Group</h3>
+<div id="outline-container-org4f1f439" class="outline-3">
+<h3 id="org4f1f439"><span class="section-number-3">4.14.</span> Add Monkey to Web Server Group</h3>
 <div class="outline-text-3" id="text-4-14">
 <p>
 Monkey needs to be in <code>www-data</code> so that it can run
@@ -1988,8 +2048,8 @@ user cloud accounts, found in files owned by <code>www-data</code>, files like
 </div>
 </div>
 </div>
-<div id="outline-container-orgb94a27b" class="outline-3">
-<h3 id="orgb94a27b"><span class="section-number-3">4.15.</span> Install netpbm For Photo Processing</h3>
+<div id="outline-container-org0f4e52f" class="outline-3">
+<h3 id="org0f4e52f"><span class="section-number-3">4.15.</span> Install netpbm For Photo Processing</h3>
 <div class="outline-text-3" id="text-4-15">
 <p>
 Monkey's photo processing scripts use <code>netpbm</code> commands like
@@ -2006,8 +2066,8 @@ Monkey's photo processing scripts use <code>netpbm</code> commands like
 </div>
 </div>
 </div>
-<div id="outline-container-org2903dbc" class="outline-2">
-<h2 id="org2903dbc"><span class="section-number-2">5.</span> The Abbey Gate Role</h2>
+<div id="outline-container-org8b6dff1" class="outline-2">
+<h2 id="org8b6dff1"><span class="section-number-2">5.</span> The Abbey Gate Role</h2>
 <div class="outline-text-2" id="text-5">
 <p>
 Birchwood Abbey's gate is a $110 µPC configured as A Small Institute
@@ -2019,8 +2079,8 @@ allows access to the Abbey's IoT appliances: a HomeAssistant and an
 Ecowitt hub.
 </p>
 </div>
-<div id="outline-container-org5d5a5fc" class="outline-3">
-<h3 id="org5d5a5fc"><span class="section-number-3">5.1.</span> The Abbey Gate's Network Interfaces</h3>
+<div id="outline-container-org92e98ee" class="outline-3">
+<h3 id="org92e98ee"><span class="section-number-3">5.1.</span> The Abbey Gate's Network Interfaces</h3>
 <div class="outline-text-3" id="text-5-1">
 <p>
 The abbey gate's <code>lan</code> interface is the PC's built-in Ethernet
@@ -2041,28 +2101,28 @@ The MAC address of each interface is set in <q>private/vars.yml</q> (see
 </p>
 </div>
 </div>
-<div id="outline-container-org6b6f914" class="outline-3">
-<h3 id="org6b6f914"><span class="section-number-3">5.2.</span> The Abbey's IoT Network</h3>
+<div id="outline-container-org6886cb3" class="outline-3">
+<h3 id="org6886cb3"><span class="section-number-3">5.2.</span> The Abbey's IoT Network</h3>
 <div class="outline-text-3" id="text-5-2">
 <p>
 To allow masquerading between the private subnets and <code>wild</code>, the
 following <code>iptables(8)</code> rules are added.  They are very similar to the
 <code>nat</code> and <code>filter</code> table rules used by a small institute to masquerade
-its <code>lan</code> to its <code>isp</code> (see the <a href="Institute/README.html#org2d280de">UFW Rules</a> of a Small Institute).
+its <code>lan</code> to its <code>isp</code> (see the <a href="Institute/README.html#org1c59284">UFW Rules</a> of a Small Institute).
 The campus WireGuard™ subnet is not included because the campus Wi-Fi
 hosts should be routing to the wild subnet directly and are assumed to
 be masquerading as their access point(s).
 </p>
 
 <div class="org-src-container">
-<code>iot-nat</code><pre class="src src-conf" id="org4188a22"><code>-A POSTROUTING -s {{   private_net_cidr }} -o wild -j MASQUERADE
+<code>iot-nat</code><pre class="src src-conf" id="orgb5d849e"><code>-A POSTROUTING -s {{   private_net_cidr }} -o wild -j MASQUERADE
 -A POSTROUTING -s {{ public_wg_net_cidr }} -o wild -j MASQUERADE
 </code></pre>
 </div>
 
 <div class="org-src-container">
-<code>iot-forward</code><pre class="src src-conf" id="org6d04a90"><code>-A ufw-user-forward -i lan -o wild -j ACCEPT
--A ufw-user-forward -i wg0 -o wild -j ACCEPT
+<code>iot-forward</code><pre class="src src-conf" id="org8d7cf4c"><code>-A ufw-before-forward -i lan -o wild -j ACCEPT
+-A ufw-before-forward -i wg0 -o wild -j ACCEPT
 </code></pre>
 </div>
 
@@ -2072,36 +2132,27 @@ The second rule includes the campus VPN.
 </p>
 </div>
 </div>
-<div id="outline-container-org933da6e" class="outline-3">
-<h3 id="org933da6e"><span class="section-number-3">5.3.</span> Configure UFW for IoT</h3>
+<div id="outline-container-org68384d2" class="outline-3">
+<h3 id="org68384d2"><span class="section-number-3">5.3.</span> Configure UFW for IoT</h3>
 <div class="outline-text-3" id="text-5-3">
 <p>
-The following tasks install the additional rules in <q>before.rules</q>
-and <q>user.rules</q> (as in <a href="Institute/README.html#orge61dbae">Configure UFW</a>).
+The following task installs the additional rules in <q>before.rules</q> (as
+in <a href="Institute/README.html#orgf03d906">Configure UFW</a>).
 </p>
 
 <div class="org-src-container">
 <a href="roles_t/abbey-gate/tasks/main.yml"><q>roles_t/abbey-gate/tasks/main.yml</q></a><pre class="src src-conf"><code>---
-- name: Configure UFW NAT rules for IoT.
+- name: Configure UFW rules for IoT.
   become: yes
   blockinfile:
     block: |
       *nat
       &lt;&lt;iot-nat&gt;&gt;
       COMMIT
-    dest: /etc/ufw/before.rules
-    marker: <span class="org-string">"# {mark} ABBEY MANAGED BLOCK"</span>
-    insertafter: EOF
-    prepend_newline: yes
-
-- name: Configure UFW FORWARD rules for IoT.
-  become: yes
-  blockinfile:
-    block: |
       *filter
       &lt;&lt;iot-forward&gt;&gt;
       COMMIT
-    dest: /etc/ufw/user.rules
+    dest: /etc/ufw/before.rules
     marker: <span class="org-string">"# {mark} ABBEY MANAGED BLOCK"</span>
     insertafter: EOF
     prepend_newline: yes
@@ -2109,8 +2160,8 @@ and <q>user.rules</q> (as in <a href="Institute/README.html#orge61dbae">Configur
 </div>
 </div>
 </div>
-<div id="outline-container-org001ade3" class="outline-3">
-<h3 id="org001ade3"><span class="section-number-3">5.4.</span> The Abbey's Starlink Configuration</h3>
+<div id="outline-container-org1bca27d" class="outline-3">
+<h3 id="org1bca27d"><span class="section-number-3">5.4.</span> The Abbey's Starlink Configuration</h3>
 <div class="outline-text-3" id="text-5-4">
 <p>
 The abbey connects to Starlink via Ethernet, and disables Starlink's
@@ -2158,8 +2209,8 @@ at least our local network traffic out of view of our ISPs.
 </p>
 </div>
 </div>
-<div id="outline-container-orgb4153cc" class="outline-3">
-<h3 id="orgb4153cc"><span class="section-number-3">5.5.</span> Alternate ISPs</h3>
+<div id="outline-container-org00efde1" class="outline-3">
+<h3 id="org00efde1"><span class="section-number-3">5.5.</span> Alternate ISPs</h3>
 <div class="outline-text-3" id="text-5-5">
 <p>
 The abbey used to use a cell phone on a USB tether to get Internet
@@ -2204,8 +2255,8 @@ service, using a <q>60-isp.yaml</q> file similar to the lines below.
 </div>
 </div>
 </div>
-<div id="outline-container-org78d10e4" class="outline-2">
-<h2 id="org78d10e4"><span class="section-number-2">6.</span> The Abbey Cloister Role</h2>
+<div id="outline-container-orgd5620ea" class="outline-2">
+<h2 id="orgd5620ea"><span class="section-number-2">6.</span> The Abbey Cloister Role</h2>
 <div class="outline-text-2" id="text-6">
 <p>
 Birchwood Abbey's cloister is a small institute campus.  The <code>campus</code>
@@ -2220,7 +2271,7 @@ tasks, namely configuration required on Raspberry Pi OS machines.
 <p>
 Wireless clients are issued keys for the cloister VPN by the <code>./abbey
 client</code> command which is currently identical to the <code>./inst client</code>
-command (described in <a href="Institute/README.html#orgc49707e">The Client Command</a>).  The wireless, cloistered
+command (described in <a href="Institute/README.html#org7efeef2">The Client Command</a>).  The wireless, cloistered
 hosts never roam, are not associated with a member, and so are
 "campus" clients, issued keys with commands like this:
 </p>
@@ -2230,8 +2281,8 @@ hosts never roam, are not associated with a member, and so are
                S+6HaTnOwwhWgUGXjSBcPAvifKw+j8BDTRfq534gNW4=
 </pre>
 </div>
-<div id="outline-container-orgd6ddf5b" class="outline-3">
-<h3 id="orgd6ddf5b"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
+<div id="outline-container-org71ac6c2" class="outline-3">
+<h3 id="org71ac6c2"><span class="section-number-3">6.1.</span> Use Cloister Apt Cache</h3>
 <div class="outline-text-3" id="text-6-1">
 <p>
 The Apt-Cacher:TNG program does not work well on the frontier, so is
@@ -2263,13 +2314,13 @@ local host.
 </div>
 </div>
 </div>
-<div id="outline-container-org8ccde64" class="outline-3">
-<h3 id="org8ccde64"><span class="section-number-3">6.2.</span> Configure Cloister NRPE</h3>
+<div id="outline-container-orga560782" class="outline-3">
+<h3 id="orga560782"><span class="section-number-3">6.2.</span> Configure Cloister NRPE</h3>
 <div class="outline-text-3" id="text-6-2">
 <p>
 Each cloistered host is a small institute campus host and thus is
 already running an NRPE server (a NAGIOS Remote Plugin Executor
-server) with a custom <code>inst_sensors</code> monitor (described in <a href="Institute/README.html#orgd1cea9c">Configure
+server) with a custom <code>inst_sensors</code> monitor (described in <a href="Institute/README.html#orgadce02c">Configure
 NRPE</a> of <a href="Institute/README.html">A Small Institute</a>).  The abbey adds one complication: yet
 another <code>check_sensors</code> variant, <code>abbey_pisensors</code>, installed on
 Raspberry Pis (architecture <code>aarch64</code>) only.
@@ -2308,8 +2359,8 @@ Raspberry Pis (architecture <code>aarch64</code>) only.
 </div>
 </div>
 </div>
-<div id="outline-container-orgf7dbc13" class="outline-3">
-<h3 id="orgf7dbc13"><span class="section-number-3">6.3.</span> Install Munin Node</h3>
+<div id="outline-container-orgb638f2c" class="outline-3">
+<h3 id="orgb638f2c"><span class="section-number-3">6.3.</span> Install Munin Node</h3>
 <div class="outline-text-3" id="text-6-3">
 <p>
 Each cloistered host is a Munin node.
@@ -2384,8 +2435,8 @@ them.
 </div>
 </div>
 </div>
-<div id="outline-container-orgf5d9b5f" class="outline-3">
-<h3 id="orgf5d9b5f"><span class="section-number-3">6.4.</span> Install Emacs</h3>
+<div id="outline-container-org430cada" class="outline-3">
+<h3 id="org430cada"><span class="section-number-3">6.4.</span> Install Emacs</h3>
 <div class="outline-text-3" id="text-6-4">
 <p>
 The monks of the abbey are masters of the staff and Emacs.
@@ -2401,8 +2452,8 @@ The monks of the abbey are masters of the staff and Emacs.
 </div>
 </div>
 </div>
-<div id="outline-container-org648f580" class="outline-2">
-<h2 id="org648f580"><span class="section-number-2">7.</span> The Abbey Weather Role</h2>
+<div id="outline-container-org1ccf88d" class="outline-2">
+<h2 id="org1ccf88d"><span class="section-number-2">7.</span> The Abbey Weather Role</h2>
 <div class="outline-text-2" id="text-7">
 <p>
 Birchwood Abbey now uses Home Assistant to record and display weather
@@ -2429,8 +2480,8 @@ entities.  These were labeled and organized on an "Abbey" dashboard.
 </p>
 </div>
 </div>
-<div id="outline-container-org3d231aa" class="outline-2">
-<h2 id="org3d231aa"><span class="section-number-2">8.</span> The Abbey DVR Role</h2>
+<div id="outline-container-org8d22d49" class="outline-2">
+<h2 id="org8d22d49"><span class="section-number-2">8.</span> The Abbey DVR Role</h2>
 <div class="outline-text-2" id="text-8">
 <p>
 The abbey uses AgentDVR to record video from PoE IP HD security
@@ -2438,8 +2489,8 @@ cameras.  It runs as user <code>agentdvr</code> and keeps all of its
 configuration and recordings in <q>/home/agentdvr/</q>.
 </p>
 </div>
-<div id="outline-container-orgd3f1edc" class="outline-3">
-<h3 id="orgd3f1edc"><span class="section-number-3">8.1.</span> Install AgentDVR</h3>
+<div id="outline-container-orgcc3a9aa" class="outline-3">
+<h3 id="orgcc3a9aa"><span class="section-number-3">8.1.</span> Install AgentDVR</h3>
 <div class="outline-text-3" id="text-8-1">
 <p>
 AgentDVR is installed according to the iSpy web site's latest
@@ -2463,8 +2514,8 @@ executes several <code>sudo</code> commands.  These commands can be run by the
 <code>agentdvr</code> account if it has (temporary) authorization.
 </p>
 </div>
-<div id="outline-container-orgd0860ea" class="outline-4">
-<h4 id="orgd0860ea"><span class="section-number-4">8.1.1.</span> Prepare for AgentDVR Installation</h4>
+<div id="outline-container-orgd5b359f" class="outline-4">
+<h4 id="orgd5b359f"><span class="section-number-4">8.1.1.</span> Prepare for AgentDVR Installation</h4>
 <div class="outline-text-4" id="text-8-1-1">
 <p>
 The following commands are manually executed to create the <code>agentdvr</code>
@@ -2492,8 +2543,8 @@ sudo mv ~/01agentdvr /etc/sudoers.d/
 </div>
 </div>
 </div>
-<div id="outline-container-org4ca8c0d" class="outline-4">
-<h4 id="org4ca8c0d"><span class="section-number-4">8.1.2.</span> Execute AgentDVR Installation</h4>
+<div id="outline-container-org452133d" class="outline-4">
+<h4 id="org452133d"><span class="section-number-4">8.1.2.</span> Execute AgentDVR Installation</h4>
 <div class="outline-text-4" id="text-8-1-2">
 <p>
 With the above preparations, the system administrator can get a shell
@@ -2514,8 +2565,8 @@ Ansible is run again.
 </p>
 </div>
 </div>
-<div id="outline-container-org2148eee" class="outline-4">
-<h4 id="org2148eee"><span class="section-number-4">8.1.3.</span> Complete AgentDVR Installation</h4>
+<div id="outline-container-org3d46dbb" class="outline-4">
+<h4 id="org3d46dbb"><span class="section-number-4">8.1.3.</span> Complete AgentDVR Installation</h4>
 <div class="outline-text-4" id="text-8-1-3">
 <p>
 When Ansible is run a second time, after the installation script, it
@@ -2538,8 +2589,8 @@ sudo rm /etc/sudoers.d/01agentdvr
 </div>
 </div>
 </div>
-<div id="outline-container-org6622cd5" class="outline-3">
-<h3 id="org6622cd5"><span class="section-number-3">8.2.</span> Configure User <code>agentdvr</code></h3>
+<div id="outline-container-org775faed" class="outline-3">
+<h3 id="org775faed"><span class="section-number-3">8.2.</span> Configure User <code>agentdvr</code></h3>
 <div class="outline-text-3" id="text-8-2">
 <p>
 AgentDVR runs as the system user <code>agentdvr</code>, which is configured here.
@@ -2578,8 +2629,8 @@ restoration of AgentDVR.)
 </div>
 </div>
 </div>
-<div id="outline-container-org807dc0a" class="outline-3">
-<h3 id="org807dc0a"><span class="section-number-3">8.3.</span> Test For <q>AgentDVR/</q></h3>
+<div id="outline-container-orgd6c6dbb" class="outline-3">
+<h3 id="orgd6c6dbb"><span class="section-number-3">8.3.</span> Test For <q>AgentDVR/</q></h3>
 <div class="outline-text-3" id="text-8-3">
 <p>
 The following task probes for the <q>/home/agentdvr/AgentDVR/</q>
@@ -2602,8 +2653,8 @@ remaining installation steps are skipped unless
 </div>
 </div>
 </div>
-<div id="outline-container-org934136d" class="outline-3">
-<h3 id="org934136d"><span class="section-number-3">8.4.</span> Create AgentDVR Service</h3>
+<div id="outline-container-orgf37a978" class="outline-3">
+<h3 id="orgf37a978"><span class="section-number-3">8.4.</span> Create AgentDVR Service</h3>
 <div class="outline-text-3" id="text-8-4">
 <p>
 This service definition came from the template downloaded (from <a href="https://raw.githubusercontent.com/ispysoftware/agent-install-scripts/main/v2/AgentDVR.service">here</a>)
@@ -2666,8 +2717,8 @@ by <q>install.sh</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-org99d8528" class="outline-3">
-<h3 id="org99d8528"><span class="section-number-3">8.5.</span> Create AgentDVR Storage</h3>
+<div id="outline-container-org514f090" class="outline-3">
+<h3 id="org514f090"><span class="section-number-3">8.5.</span> Create AgentDVR Storage</h3>
 <div class="outline-text-3" id="text-8-5">
 <p>
 The abbey uses a separate volume to store surveillance recordings,
@@ -2701,8 +2752,8 @@ location do not fail.
 </div>
 </div>
 </div>
-<div id="outline-container-org9f60265" class="outline-3">
-<h3 id="org9f60265"><span class="section-number-3">8.6.</span> Install Custom NAGIOS Monitor <code>abbey_dvr</code></h3>
+<div id="outline-container-org08ba9e6" class="outline-3">
+<h3 id="org08ba9e6"><span class="section-number-3">8.6.</span> Install Custom NAGIOS Monitor <code>abbey_dvr</code></h3>
 <div class="outline-text-3" id="text-8-6">
 <p>
 DVR hosts install a custom NRPE plugin named <code>abbey_dvr</code> to monitor
@@ -2735,11 +2786,11 @@ the storage available on <q>/DVR/</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-org9511ee2" class="outline-3">
-<h3 id="org9511ee2"><span class="section-number-3">8.7.</span> Configure IP Cameras</h3>
+<div id="outline-container-orge82a2fb" class="outline-3">
+<h3 id="orge82a2fb"><span class="section-number-3">8.7.</span> Configure IP Cameras</h3>
 <div class="outline-text-3" id="text-8-7">
 <p>
-A new security camera is setup as described in <a href="#orga5c6c9e">Cloistering</a>, after
+A new security camera is setup as described in <a href="#orgb57e970">Cloistering</a>, after
 which the camera should be accessible by name on the abbey networks.
 Assuming <code>ping -c1 new</code> works, the camera's web interface will be
 accessible at <code>http://new/</code>.
@@ -2762,8 +2813,8 @@ protocol) is nice but optional.</li>
 </ul>
 </div>
 </div>
-<div id="outline-container-org0e3f057" class="outline-3">
-<h3 id="org0e3f057"><span class="section-number-3">8.8.</span> Configure AgentDVR's Cameras</h3>
+<div id="outline-container-org2f0ff57" class="outline-3">
+<h3 id="org2f0ff57"><span class="section-number-3">8.8.</span> Configure AgentDVR's Cameras</h3>
 <div class="outline-text-3" id="text-8-8">
 <p>
 After Ansible has configured and started the AgentDVR service, its web
@@ -2802,8 +2853,8 @@ AgentDVR's Live View.
 </p>
 </div>
 </div>
-<div id="outline-container-org392341e" class="outline-3">
-<h3 id="org392341e"><span class="section-number-3">8.9.</span> Configure AgentDVR's Default Storage</h3>
+<div id="outline-container-org75e828d" class="outline-3">
+<h3 id="org75e828d"><span class="section-number-3">8.9.</span> Configure AgentDVR's Default Storage</h3>
 <div class="outline-text-3" id="text-8-9">
 <p>
 AgentDVR's web interface is also used to configure a default storage
@@ -2815,8 +2866,8 @@ pressed before the task is complete.
 </p>
 </div>
 </div>
-<div id="outline-container-orgb1b1b13" class="outline-3">
-<h3 id="orgb1b1b13"><span class="section-number-3">8.10.</span> Configure AgentDVR's Recordings</h3>
+<div id="outline-container-org5593023" class="outline-3">
+<h3 id="org5593023"><span class="section-number-3">8.10.</span> Configure AgentDVR's Recordings</h3>
 <div class="outline-text-3" id="text-8-10">
 <p>
 After a default storage location has been configured, AgentDVR's
@@ -2847,8 +2898,8 @@ parameters are set (in the Recording and Storage tabs).
 </ul>
 </div>
 </div>
-<div id="outline-container-org9254d1c" class="outline-3">
-<h3 id="org9254d1c"><span class="section-number-3">8.11.</span> Restore AgentDVR</h3>
+<div id="outline-container-org2acb7a7" class="outline-3">
+<h3 id="org2acb7a7"><span class="section-number-3">8.11.</span> Restore AgentDVR</h3>
 <div class="outline-text-3" id="text-8-11">
 <p>
 When restoring <q>/home/</q> from a backup copy, the user accounts are
@@ -2864,8 +2915,8 @@ installs the system service configuration file and starts the service.
 </div>
 </div>
 </div>
-<div id="outline-container-orgea7c429" class="outline-2">
-<h2 id="orgea7c429"><span class="section-number-2">9.</span> The Abbey TVR Role</h2>
+<div id="outline-container-orgb2e6139" class="outline-2">
+<h2 id="orgb2e6139"><span class="section-number-2">9.</span> The Abbey TVR Role</h2>
 <div class="outline-text-2" id="text-9">
 <p>
 The abbey has a few TV tuners and a subscription to <a href="https://schedulesdirect.org/">Schedules Direct</a>
@@ -2880,14 +2931,14 @@ configured to serve MythTV pages at e.g. <code>http://new/mythweb/</code>.
 </p>
 
 <p>
-A new TVR machine needs only <a href="#orga5c6c9e">Cloistering</a> to prepare it for
+A new TVR machine needs only <a href="#orgb57e970">Cloistering</a> to prepare it for
 Ansible.  As part of that process, it should be added to the <code>tvrs</code>
 group in the <q>hosts</q> file.  An existing server can become a TVR
 machine by adding it to the <code>tvrs</code> group.
 </p>
 </div>
-<div id="outline-container-orgddab1de" class="outline-3">
-<h3 id="orgddab1de"><span class="section-number-3">9.1.</span> Include Abbey Variables</h3>
+<div id="outline-container-org0bd571a" class="outline-3">
+<h3 id="org0bd571a"><span class="section-number-3">9.1.</span> Include Abbey Variables</h3>
 <div class="outline-text-3" id="text-9-1">
 <p>
 Private variables in <q>private/vars-abbey.yml</q> are needed, as in the
@@ -2903,8 +2954,8 @@ directory, <q>playbooks/</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-orgfffc15b" class="outline-3">
-<h3 id="orgfffc15b"><span class="section-number-3">9.2.</span> Manually Build and Install MythTV</h3>
+<div id="outline-container-org99fc858" class="outline-3">
+<h3 id="org99fc858"><span class="section-number-3">9.2.</span> Manually Build and Install MythTV</h3>
 <div class="outline-text-3" id="text-9-2">
 <p>
 Neither Debian nor the MythTV project provide binary packages of
@@ -2933,8 +2984,8 @@ sudo apt install mythtv-backend
 </div>
 </div>
 </div>
-<div id="outline-container-org9c71ac1" class="outline-3">
-<h3 id="org9c71ac1"><span class="section-number-3">9.3.</span> Restore MythTV</h3>
+<div id="outline-container-org9f2867d" class="outline-3">
+<h3 id="org9f2867d"><span class="section-number-3">9.3.</span> Restore MythTV</h3>
 <div class="outline-text-3" id="text-9-3">
 <p>
 Restoring MythTV from a backup copy to a fresh TVR host:
@@ -2962,8 +3013,8 @@ The <q>.mythtv/config.xml</q> file should provide the DB particulars
 </ul>
 </div>
 </div>
-<div id="outline-container-orgba1d00e" class="outline-3">
-<h3 id="orgba1d00e"><span class="section-number-3">9.4.</span> Manually Load DB Timezone Info</h3>
+<div id="outline-container-orgf981860" class="outline-3">
+<h3 id="orgf981860"><span class="section-number-3">9.4.</span> Manually Load DB Timezone Info</h3>
 <div class="outline-text-3" id="text-9-4">
 <p>
 Starting with MythTV version 0.26, the time zone tables must be loaded
@@ -2987,8 +3038,8 @@ e.g. <code>2022-09-13 20:15:41</code>.
 </div>
 </div>
 </div>
-<div id="outline-container-orgb073bc0" class="outline-3">
-<h3 id="orgb073bc0"><span class="section-number-3">9.5.</span> Create MythTV Storage Area</h3>
+<div id="outline-container-org4e44682" class="outline-3">
+<h3 id="org4e44682"><span class="section-number-3">9.5.</span> Create MythTV Storage Area</h3>
 <div class="outline-text-3" id="text-9-5">
 <p>
 The backend does not have a default storage area for its recordings.
@@ -3012,8 +3063,8 @@ creates that directory and ensures it has appropriate permissions.
 </div>
 </div>
 </div>
-<div id="outline-container-orgcb31109" class="outline-3">
-<h3 id="orgcb31109"><span class="section-number-3">9.6.</span> Configure MythTV Backend</h3>
+<div id="outline-container-org4f2c780" class="outline-3">
+<h3 id="org4f2c780"><span class="section-number-3">9.6.</span> Configure MythTV Backend</h3>
 <div class="outline-text-3" id="text-9-6">
 <p>
 With MythTV built and installed, the post-installation tasks
@@ -3029,12 +3080,12 @@ at <code>http://new:6544</code> and make the following selections.
 </ul>
 </div>
 </div>
-<div id="outline-container-org9e095d1" class="outline-3">
-<h3 id="org9e095d1"><span class="section-number-3">9.7.</span> Configure Tuner</h3>
+<div id="outline-container-orgd3eb8f9" class="outline-3">
+<h3 id="orgd3eb8f9"><span class="section-number-3">9.7.</span> Configure Tuner</h3>
 <div class="outline-text-3" id="text-9-7">
 <p>
 The abbey has a Silicon Dust Homerun HDTV Duo (with two tuners).  It
-is setup as described in <a href="#orga5c6c9e">Cloistering</a>, after which the tuner is
+is setup as described in <a href="#orgb57e970">Cloistering</a>, after which the tuner is
 accessible by name (e.g. <code>new</code>) on the cloister network.  Assuming
 <code>ping -c1 new</code> works, the tuner should be accessible via the
 <code>hdhomerun_config_gui</code> command, a graphical interface contributed to
@@ -3045,8 +3096,8 @@ tuner's domain name or IP address can also be entered.
 </p>
 </div>
 </div>
-<div id="outline-container-org6fe4c61" class="outline-3">
-<h3 id="org6fe4c61"><span class="section-number-3">9.8.</span> Add HDHomerun and Mr.Antenna</h3>
+<div id="outline-container-org29af529" class="outline-3">
+<h3 id="org29af529"><span class="section-number-3">9.8.</span> Add HDHomerun and Mr.Antenna</h3>
 <div class="outline-text-3" id="text-9-8">
 <p>
 In MythTV Setup:
@@ -3089,8 +3140,8 @@ any case, do <i>not</i> run <code>mythfilldatabase</code>.</li>
 </ul>
 </div>
 </div>
-<div id="outline-container-orgbc38761" class="outline-3">
-<h3 id="orgbc38761"><span class="section-number-3">9.9.</span> Scan for New Channels</h3>
+<div id="outline-container-org7d7753e" class="outline-3">
+<h3 id="org7d7753e"><span class="section-number-3">9.9.</span> Scan for New Channels</h3>
 <div class="outline-text-3" id="text-9-9">
 <p>
 In MythTV Backend, the website on Core's port 6544, e.g.
@@ -3111,8 +3162,8 @@ In MythTV Backend, the website on Core's port 6544, e.g.
 </ul>
 </div>
 </div>
-<div id="outline-container-org5f1b0fd" class="outline-3">
-<h3 id="org5f1b0fd"><span class="section-number-3">9.10.</span> Configure XMLTV</h3>
+<div id="outline-container-org216ca3b" class="outline-3">
+<h3 id="org216ca3b"><span class="section-number-3">9.10.</span> Configure XMLTV</h3>
 <div class="outline-text-3" id="text-9-10">
 <p>
 The <code>xmltv</code> package, specifically its <code>tv_grab_zz_sdjson</code> program, is
@@ -3147,7 +3198,7 @@ the list of "inputs" available in a postal code typically ends with
 the OTA (over the air) broadcasts.
 </p>
 
-<pre class="example" id="org308be13">
+<pre class="example" id="orga54a74f">
 $ tv_grab_zz_sdjson --configure --config-file .mythtv/Mr.Antenna.xml
 Cache file for lineups, schedules and programs.
 Cache file: [/home/mythtv/.xmltv/tv_grab_zz_sdjson.cache]
@@ -3197,8 +3248,8 @@ backend is running, so it is not run until then.
 </p>
 </div>
 </div>
-<div id="outline-container-org1bf3b56" class="outline-3">
-<h3 id="org1bf3b56"><span class="section-number-3">9.11.</span> Debug XMLTV</h3>
+<div id="outline-container-org7d7443b" class="outline-3">
+<h3 id="org7d7443b"><span class="section-number-3">9.11.</span> Debug XMLTV</h3>
 <div class="outline-text-3" id="text-9-11">
 <p>
 If the <code>mythfilldatabase</code> command fails or expected listings do not
@@ -3237,14 +3288,14 @@ Running a similar command (without <code>--quiet</code>) might be more revealing
 </div>
 </div>
 </div>
-<div id="outline-container-org81e1c33" class="outline-3">
-<h3 id="org81e1c33"><span class="section-number-3">9.12.</span> Change Broadcast Area</h3>
+<div id="outline-container-orgc9cb7f0" class="outline-3">
+<h3 id="orgc9cb7f0"><span class="section-number-3">9.12.</span> Change Broadcast Area</h3>
 <div class="outline-text-3" id="text-9-12">
 <p>
 The abbey changes location almost weekly, so its HDTV broadcast area
 changes frequently.  At the start of a long stay the administrator
 uses the MythTV Setup program to scan for the new area's channels, as
-described in <a href="#orgbc38761">Scan for New Channels</a>.
+described in <a href="#org7d7753e">Scan for New Channels</a>.
 </p>
 
 <p>
@@ -3262,7 +3313,7 @@ program as user <code>mythtv</code>.
 
 <p>
 The program will prompt for the zip code and offer a list of "inputs"
-available in that area, as described in <a href="#org5f1b0fd">Configure XMLTV</a>.
+available in that area, as described in <a href="#org216ca3b">Configure XMLTV</a>.
 </p>
 
 <p>
@@ -3276,14 +3327,14 @@ Lastly, the administrator runs an immediate update (again as the
 </div>
 
 <p>
-If the command fails, consult <a href="#org1bf3b56">Debug XMLTV</a>.  Else, the listings appear
+If the command fails, consult <a href="#org7d7443b">Debug XMLTV</a>.  Else, the listings appear
 in MythTV Backend's "Program Guide" page.
 </p>
 </div>
 </div>
 </div>
-<div id="outline-container-orgd659aad" class="outline-2">
-<h2 id="orgd659aad"><span class="section-number-2">10.</span> The Ansible Configuration</h2>
+<div id="outline-container-orgdde9bfe" class="outline-2">
+<h2 id="orgdde9bfe"><span class="section-number-2">10.</span> The Ansible Configuration</h2>
 <div class="outline-text-2" id="text-10">
 <p>
 The abbey's Ansible configuration, like that of <a href="Institute/README.html">A Small Institute</a>, is
@@ -3310,7 +3361,7 @@ specific versions.
 </p>
 
 <p>
-NOTE: if you have not read at least the <a href="Institute/README.html#org9fda08f">Overview</a> of <a href="Institute/README.html">A Small Institute</a>
+NOTE: if you have not read at least the <a href="Institute/README.html#orgefb6095">Overview</a> of <a href="Institute/README.html">A Small Institute</a>
 you are lost.
 </p>
 
@@ -3340,8 +3391,8 @@ rest are built up piecemeal by (tangled from) this document,
 <q>README.org</q>, and <a href="Institute/README.html"><q>Institute/README.org</q></a>.
 </p>
 </div>
-<div id="outline-container-org1260a9f" class="outline-3">
-<h3 id="org1260a9f"><span class="section-number-3">10.1.</span> <q>ansible.cfg</q></h3>
+<div id="outline-container-org8173efc" class="outline-3">
+<h3 id="org8173efc"><span class="section-number-3">10.1.</span> <q>ansible.cfg</q></h3>
 <div class="outline-text-3" id="text-10-1">
 <p>
 This is much like the example (test) institutional configuration file,
@@ -3358,11 +3409,11 @@ except the roles are found in <q>Institute/roles/</q> as well as <q>roles/</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-org0528e79" class="outline-3">
-<h3 id="org0528e79"><span class="section-number-3">10.2.</span> <q>hosts</q></h3>
+<div id="outline-container-org12a438b" class="outline-3">
+<h3 id="org12a438b"><span class="section-number-3">10.2.</span> <q>hosts</q></h3>
 <div class="outline-text-3" id="text-10-2">
 <div class="org-src-container">
-<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="org877f296"><code>all:
+<a href="hosts"><q>hosts</q></a><pre class="src src-conf" id="orgf05c25e"><code>all:
   vars:
     ansible_user: sysadm
     ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
@@ -3442,8 +3493,8 @@ except the roles are found in <q>Institute/roles/</q> as well as <q>roles/</q>.
 </div>
 </div>
 </div>
-<div id="outline-container-orgb8e14fa" class="outline-3">
-<h3 id="orgb8e14fa"><span class="section-number-3">10.3.</span> <q>playbooks/site.yml</q></h3>
+<div id="outline-container-org2811731" class="outline-3">
+<h3 id="org2811731"><span class="section-number-3">10.3.</span> <q>playbooks/site.yml</q></h3>
 <div class="outline-text-3" id="text-10-3">
 <p>
 This playbook provisions the entire network by applying first the
@@ -3484,17 +3535,17 @@ institutional roles, then the liturgical roles.
 </div>
 </div>
 </div>
-<div id="outline-container-org188bc8f" class="outline-2">
-<h2 id="org188bc8f"><span class="section-number-2">11.</span> The Abbey Commands</h2>
+<div id="outline-container-orga94a492" class="outline-2">
+<h2 id="orga94a492"><span class="section-number-2">11.</span> The Abbey Commands</h2>
 <div class="outline-text-2" id="text-11">
 <p>
 The <code>./abbey</code> script encodes the abbey's canonical procedures.  It
-includes <a href="Institute/README.html#org3b4ccaf">The Institute Commands</a> and adds a few abbey-specific
+includes <a href="Institute/README.html#org43f8955">The Institute Commands</a> and adds a few abbey-specific
 sub-commands.
 </p>
 </div>
-<div id="outline-container-org986544f" class="outline-3">
-<h3 id="org986544f"><span class="section-number-3">11.1.</span> Abbey Command Overview</h3>
+<div id="outline-container-org151420e" class="outline-3">
+<h3 id="org151420e"><span class="section-number-3">11.1.</span> Abbey Command Overview</h3>
 <div class="outline-text-3" id="text-11-1">
 <p>
 Institutional sub-commands:
@@ -3523,8 +3574,8 @@ and <code>_architecture</code> for all hosts.</dd>
 </dl>
 </div>
 </div>
-<div id="outline-container-orgf3b561c" class="outline-3">
-<h3 id="orgf3b561c"><span class="section-number-3">11.2.</span> Abbey Command Script</h3>
+<div id="outline-container-orge616d74" class="outline-3">
+<h3 id="orge616d74"><span class="section-number-3">11.2.</span> Abbey Command Script</h3>
 <div class="outline-text-3" id="text-11-2">
 <p>
 The script begins with the following prefix and trampolines.
@@ -3548,7 +3599,7 @@ The script begins with the following prefix and trampolines.
 The small institute's <code>./inst</code> command expects to be running in
 <q>Institute/</q>, not <q>./</q>, but it only references <q>public/</q>, <q>private/</q>,
 <q>Secret/</q> and <q>playbooks/check-inst-vars.yml</q>, and will find the abbey
-specific versions of these.  The <code>roles_path</code> setting in <a href="#org1260a9f"><q>ansible.cfg</q></a>
+specific versions of these.  The <code>roles_path</code> setting in <a href="#org8173efc"><q>ansible.cfg</q></a>
 effectively merges the institutional roles into the distinctly named
 abbey specific roles.  The roles likewise reference files with
 relative names, and will find the abbey specific <q>private/</q>
@@ -3571,8 +3622,8 @@ code block "duplicates" the action of the institute's
 </div>
 </div>
 </div>
-<div id="outline-container-org8410663" class="outline-3">
-<h3 id="org8410663"><span class="section-number-3">11.3.</span> The Upgrade Command</h3>
+<div id="outline-container-org2d29e39" class="outline-3">
+<h3 id="org2d29e39"><span class="section-number-3">11.3.</span> The Upgrade Command</h3>
 <div class="outline-text-3" id="text-11-3">
 <p>
 The script implements an <code>upgrade</code> sub-command that runs <code>apt update</code>
@@ -3637,8 +3688,8 @@ a limit pattern.  For example:
 </div>
 </div>
 </div>
-<div id="outline-container-orgd35c9d9" class="outline-3">
-<h3 id="orgd35c9d9"><span class="section-number-3">11.4.</span> The Reboots Command</h3>
+<div id="outline-container-orgdd0d22a" class="outline-3">
+<h3 id="orgdd0d22a"><span class="section-number-3">11.4.</span> The Reboots Command</h3>
 <div class="outline-text-3" id="text-11-4">
 <p>
 The script implements a <code>reboots</code> sub-command that looks for
@@ -3669,8 +3720,8 @@ The script implements a <code>reboots</code> sub-command that looks for
 </div>
 </div>
 </div>
-<div id="outline-container-orge0dea55" class="outline-3">
-<h3 id="orge0dea55"><span class="section-number-3">11.5.</span> The Versions Command</h3>
+<div id="outline-container-orge4ce523" class="outline-3">
+<h3 id="orge4ce523"><span class="section-number-3">11.5.</span> The Versions Command</h3>
 <div class="outline-text-3" id="text-11-5">
 <p>
 The script implements a <code>versions</code> sub-command that reports the
@@ -3697,8 +3748,8 @@ operating system version of all abbey managed machines.
 </div>
 </div>
 </div>
-<div id="outline-container-org538cdca" class="outline-3">
-<h3 id="org538cdca"><span class="section-number-3">11.6.</span> The Facts Command</h3>
+<div id="outline-container-orga466b57" class="outline-3">
+<h3 id="orga466b57"><span class="section-number-3">11.6.</span> The Facts Command</h3>
 <div class="outline-text-3" id="text-11-6">
 <p>
 The script implements a <code>facts</code> sub-command to collect the Ansible
@@ -3718,8 +3769,8 @@ The script implements a <code>facts</code> sub-command to collect the Ansible
 </div>
 </div>
 </div>
-<div id="outline-container-org347f78c" class="outline-3">
-<h3 id="org347f78c"><span class="section-number-3">11.7.</span> The TZ Command</h3>
+<div id="outline-container-orgb4cc7c8" class="outline-3">
+<h3 id="orgb4cc7c8"><span class="section-number-3">11.7.</span> The TZ Command</h3>
 <div class="outline-text-3" id="text-11-7">
 <p>
 The abbey changes location almost weekly, so its timezone changes
@@ -3798,8 +3849,8 @@ last host in the previous play.
 </div>
 </div>
 </div>
-<div id="outline-container-org95177a5" class="outline-3">
-<h3 id="org95177a5"><span class="section-number-3">11.8.</span> Abbey Command Help</h3>
+<div id="outline-container-orgc69e418" class="outline-3">
+<h3 id="orgc69e418"><span class="section-number-3">11.8.</span> Abbey Command Help</h3>
 <div class="outline-text-3" id="text-11-8">
 <div class="org-src-container">
 <a href="abbey"><q>abbey</q></a><pre class="src src-perl"><code><span class="org-keyword">my</span> $<span class="org-variable-name">ops</span> = (<span class="org-string">"config,new,old,pass,client,"</span>
@@ -3810,8 +3861,8 @@ last host in the previous play.
 </div>
 </div>
 </div>
-<div id="outline-container-orga5c6c9e" class="outline-2">
-<h2 id="orga5c6c9e"><span class="section-number-2">12.</span> Cloistering</h2>
+<div id="outline-container-orgb57e970" class="outline-2">
+<h2 id="orgb57e970"><span class="section-number-2">12.</span> Cloistering</h2>
 <div class="outline-text-2" id="text-12">
 <p>
 This is how a new machine is brought into the cloister.  The process
@@ -3820,8 +3871,8 @@ narrows down to the common preparation of all machines administered by
 Ansible.
 </p>
 </div>
-<div id="outline-container-orgd6de306" class="outline-3">
-<h3 id="orgd6de306"><span class="section-number-3">12.1.</span> IoT Devices</h3>
+<div id="outline-container-org9b9f5e9" class="outline-3">
+<h3 id="org9b9f5e9"><span class="section-number-3">12.1.</span> IoT Devices</h3>
 <div class="outline-text-3" id="text-12-1">
 <p>
 A wireless IoT device (smart TV, Blu-ray deck, etc.) cannot install
@@ -3837,8 +3888,8 @@ given a private domain name as described in the following steps.
 </p>
 
 <ul class="org-ul">
-<li><a href="#orgb8c7bd4">Add to Core DHCP</a></li>
-<li><a href="#org620b171">Create Wired Domain Name</a></li>
+<li><a href="#org64bbfaa">Add to Core DHCP</a></li>
+<li><a href="#org488e689">Create Wired Domain Name</a></li>
 </ul>
 
 <p>
@@ -3848,12 +3899,12 @@ last step:
 </p>
 
 <ul class="org-ul">
-<li><a href="#orgbc67dff">Create Wireless Domain Name</a></li>
+<li><a href="#org39c2bc6">Create Wireless Domain Name</a></li>
 </ul>
 </div>
 </div>
-<div id="outline-container-org686d7d5" class="outline-3">
-<h3 id="org686d7d5"><span class="section-number-3">12.2.</span> Raspberry Pis</h3>
+<div id="outline-container-org47e58c8" class="outline-3">
+<h3 id="org47e58c8"><span class="section-number-3">12.2.</span> Raspberry Pis</h3>
 <div class="outline-text-3" id="text-12-2">
 <p>
 The abbey's Raspberry Pi runs the Raspberry Pi OS desktop off an NVMe
@@ -3874,8 +3925,8 @@ Ethernet, and power up.</li>
 <li>new username: sysadm</li>
 <li>new password: &lt;password&gt;</li>
 </ul></li>
-<li><a href="#orgb8c7bd4">Add to Core DHCP</a></li>
-<li><a href="#org620b171">Create Wired Domain Name</a></li>
+<li><a href="#org64bbfaa">Add to Core DHCP</a></li>
+<li><a href="#org488e689">Create Wired Domain Name</a></li>
 <li>Launch the desktop.</li>
 <li>If the desktop is running on a USB HD (thumb drive) or μSD card, use
 the Raspberry Pi Imager app in Accessories in the main menu.  Choose
@@ -3885,9 +3936,9 @@ installation questions again.</li>
 <li>Right click on the desktop (background) and choose Preferences.  In
 the Control Centre choose Interfaces in the left side bar and toggle
 SSH on.</li>
-<li><a href="#orgad6748e">Update From Cloister Apt Cache</a></li>
-<li><a href="#orgfd9f52f">Authorize Remote Administration</a></li>
-<li><a href="#org08890f8">Configure with Ansible</a></li>
+<li><a href="#org9623e8b">Update From Cloister Apt Cache</a></li>
+<li><a href="#orgb84bcd7">Authorize Remote Administration</a></li>
+<li><a href="#orgef7f507">Configure with Ansible</a></li>
 </ul>
 
 <p>
@@ -3896,14 +3947,14 @@ steps are taken.
 </p>
 
 <ul class="org-ul">
-<li><a href="#org758ca5b">Connect to Cloister Wi-Fi</a></li>
-<li><a href="#orgcf83588">Connect to Cloister VPN</a></li>
-<li><a href="#orgbc67dff">Create Wireless Domain Name</a></li>
+<li><a href="#org1520010">Connect to Cloister Wi-Fi</a></li>
+<li><a href="#org9bae096">Connect to Cloister VPN</a></li>
+<li><a href="#org39c2bc6">Create Wireless Domain Name</a></li>
 </ul>
 </div>
 </div>
-<div id="outline-container-org9e11c83" class="outline-3">
-<h3 id="org9e11c83"><span class="section-number-3">12.3.</span> PCs</h3>
+<div id="outline-container-orgfd73a60" class="outline-3">
+<h3 id="orgfd73a60"><span class="section-number-3">12.3.</span> PCs</h3>
 <div class="outline-text-3" id="text-12-3">
 <p>
 Most of the abbey's machines, like Core and Gate, are general-purpose
@@ -3916,12 +3967,12 @@ follows.
 to a USB drive and connect it to the PC.</li>
 <li>Connect an HDMI monitor, a USB keyboard/mouse, and the cloister
 Ethernet, and power up.  Choose to boot from the USB drive.</li>
-<li><a href="#orgb8c7bd4">Add to Core DHCP</a></li>
-<li><a href="#org620b171">Create Wired Domain Name</a></li>
+<li><a href="#org64bbfaa">Add to Core DHCP</a></li>
+<li><a href="#org488e689">Create Wired Domain Name</a></li>
 <li>Answer first-boot installation questions as detailed in the
 preparation of <a href="Institute/README.org*A Test Machine">A Test Machine</a> for a Small Institute.</li>
 <li>Log in as <code>sysadm</code> on the console.</li>
-<li><a href="#orgad6748e">Update From Cloister Apt Cache</a></li>
+<li><a href="#org9623e8b">Update From Cloister Apt Cache</a></li>
 <li><p>
 Install <code>openssh-server</code>, unless it was included in the
 distribution.  Run the following if unsure.
@@ -3929,8 +3980,8 @@ distribution.  Run the following if unsure.
 <pre class="example">
 sudo apt install openssh-server
 </pre></li>
-<li><a href="#orgfd9f52f">Authorize Remote Administration</a></li>
-<li><a href="#org08890f8">Configure with Ansible</a></li>
+<li><a href="#orgb84bcd7">Authorize Remote Administration</a></li>
+<li><a href="#orgef7f507">Configure with Ansible</a></li>
 </ul>
 
 <p>
@@ -3939,14 +3990,14 @@ steps are taken.
 </p>
 
 <ul class="org-ul">
-<li><a href="#org758ca5b">Connect to Cloister Wi-Fi</a></li>
-<li><a href="#orgcf83588">Connect to Cloister VPN</a></li>
-<li><a href="#orgbc67dff">Create Wireless Domain Name</a></li>
+<li><a href="#org1520010">Connect to Cloister Wi-Fi</a></li>
+<li><a href="#org9bae096">Connect to Cloister VPN</a></li>
+<li><a href="#org39c2bc6">Create Wireless Domain Name</a></li>
 </ul>
 </div>
 </div>
-<div id="outline-container-orgb8c7bd4" class="outline-3">
-<h3 id="orgb8c7bd4"><span class="section-number-3">12.4.</span> Add to Core DHCP</h3>
+<div id="outline-container-org64bbfaa" class="outline-3">
+<h3 id="org64bbfaa"><span class="section-number-3">12.4.</span> Add to Core DHCP</h3>
 <div class="outline-text-3" id="text-12-4">
 <p>
 When a new machine is connected to the cloister Ethernet, its MAC
@@ -4006,12 +4057,12 @@ reporting <code>1 packets transmitted, 1 received, 0% packet loss...</code>.
 </div>
 </div>
 </div>
-<div id="outline-container-org620b171" class="outline-3">
-<h3 id="org620b171"><span class="section-number-3">12.5.</span> Create Wired Domain Name</h3>
+<div id="outline-container-org488e689" class="outline-3">
+<h3 id="org488e689"><span class="section-number-3">12.5.</span> Create Wired Domain Name</h3>
 <div class="outline-text-3" id="text-12-5">
 <p>
 A wired device is assigned an IP address when it is added to Core's
-DHCP configuration (as in <a href="#orgb8c7bd4">Add to Core DHCP</a>).  A private domain name is
+DHCP configuration (as in <a href="#org64bbfaa">Add to Core DHCP</a>).  A private domain name is
 then associated with this address.  If the device is intended to
 operate wirelessly, the name for its address is modified with a <code>-w</code>
 suffix.  Thus <code>new-w.small.private</code> would be the name of the new
@@ -4054,8 +4105,8 @@ resolvectl query 192.168.56.4
 </div>
 </div>
 </div>
-<div id="outline-container-orgad6748e" class="outline-3">
-<h3 id="orgad6748e"><span class="section-number-3">12.6.</span> Update From Cloister Apt Cache</h3>
+<div id="outline-container-org9623e8b" class="outline-3">
+<h3 id="org9623e8b"><span class="section-number-3">12.6.</span> Update From Cloister Apt Cache</h3>
 <div class="outline-text-3" id="text-12-6">
 <ul class="org-ul">
 <li>Log in as <code>sysadm</code> on the console.</li>
@@ -4077,8 +4128,8 @@ sudo reboot
 </ul>
 </div>
 </div>
-<div id="outline-container-orgfd9f52f" class="outline-3">
-<h3 id="orgfd9f52f"><span class="section-number-3">12.7.</span> Authorize Remote Administration</h3>
+<div id="outline-container-orgb84bcd7" class="outline-3">
+<h3 id="orgb84bcd7"><span class="section-number-3">12.7.</span> Authorize Remote Administration</h3>
 <div class="outline-text-3" id="text-12-7">
 <p>
 To remotely administer <code>new-w</code>, Ansible must be authorized to login as
@@ -4112,11 +4163,11 @@ key.
 </div>
 </div>
 </div>
-<div id="outline-container-org08890f8" class="outline-3">
-<h3 id="org08890f8"><span class="section-number-3">12.8.</span> Configure with Ansible</h3>
+<div id="outline-container-orgef7f507" class="outline-3">
+<h3 id="orgef7f507"><span class="section-number-3">12.8.</span> Configure with Ansible</h3>
 <div class="outline-text-3" id="text-12-8">
 <p>
-With remote administration authorized and tested (as in <a href="#orgfd9f52f">Authorize
+With remote administration authorized and tested (as in <a href="#orgb84bcd7">Authorize
 Remote Administration</a>), and the machine connected to the cloister
 Ethernet, the configuration of <code>new-w</code> can be completed by Ansible.
 Note that if the machine is staying on the cloister Ethernet, its
@@ -4124,7 +4175,7 @@ domain name will be <code>new</code> (having had no <code>-w</code> suffix added
 </p>
 
 <p>
-First <code>new-w</code> is added to Ansible's inventory in <a href="#org0528e79"><q>hosts</q></a>.  A <code>new-w</code>
+First <code>new-w</code> is added to Ansible's inventory in <a href="#org12a438b"><q>hosts</q></a>.  A <code>new-w</code>
 section is added to the list of all hosts, and an empty section of the
 same name is added to the list of <code>campus</code> hosts.  If the machine uses
 the usual privileged account name, <code>sysadm</code>, the <code>ansible_user</code> key is
@@ -4172,8 +4223,8 @@ configuration files.
 </div>
 </div>
 </div>
-<div id="outline-container-org758ca5b" class="outline-3">
-<h3 id="org758ca5b"><span class="section-number-3">12.9.</span> Connect to Cloister Wi-Fi</h3>
+<div id="outline-container-org1520010" class="outline-3">
+<h3 id="org1520010"><span class="section-number-3">12.9.</span> Connect to Cloister Wi-Fi</h3>
 <div class="outline-text-3" id="text-12-9">
 <p>
 On an IoT device, or a Debian or Android "desktop", the cloister Wi-Fi
@@ -4214,8 +4265,8 @@ desktop connected to the Wi-Fi using the following <code>ping</code> command.
 </div>
 </div>
 </div>
-<div id="outline-container-orgcf83588" class="outline-3">
-<h3 id="orgcf83588"><span class="section-number-3">12.10.</span> Connect to Cloister VPN</h3>
+<div id="outline-container-org9bae096" class="outline-3">
+<h3 id="org9bae096"><span class="section-number-3">12.10.</span> Connect to Cloister VPN</h3>
 <div class="outline-text-3" id="text-12-10">
 <p>
 Wireless devices (with the cloister Wi-Fi password) can get an IP
@@ -4228,14 +4279,14 @@ however, are <i>not</i> accessible except via the cloister VPN.
 
 <p>
 Connections to the cloister VPN are authorized by the <code>./abbey
-client...</code> command (aka <a href="Institute/README.html#orgc49707e">The Client Command</a>), which registers a new
+client...</code> command (aka <a href="Institute/README.html#org7efeef2">The Client Command</a>), which registers a new
 client's public key and installs new WireGuard™ configurations on the
 servers.  Private keys are kept on the clients (e.g. in
 <q>/etc/wireguard/private-key</q>).
 </p>
 </div>
-<div id="outline-container-org8ed2eb2" class="outline-4">
-<h4 id="org8ed2eb2"><span class="section-number-4">12.10.1.</span> Campus Desktops and Servers</h4>
+<div id="outline-container-orgeb7948c" class="outline-4">
+<h4 id="orgeb7948c"><span class="section-number-4">12.10.1.</span> Campus Desktops and Servers</h4>
 <div class="outline-text-4" id="text-12-10-1">
 <p>
 Wireless Debian desktops (with NetworkManager) as well as servers
@@ -4321,8 +4372,8 @@ sudo systemctl enable wg-quick@wg0
 </ul>
 </div>
 </div>
-<div id="outline-container-org40a749b" class="outline-4">
-<h4 id="org40a749b"><span class="section-number-4">12.10.2.</span> Private Desktops</h4>
+<div id="outline-container-orgdd2ffc7" class="outline-4">
+<h4 id="orgdd2ffc7"><span class="section-number-4">12.10.2.</span> Private Desktops</h4>
 <div class="outline-text-4" id="text-12-10-2">
 <p>
 Member notebooks are private machines not remotely administered by the
@@ -4434,8 +4485,8 @@ password is included in <q>Secret/become.yml</q>.
 </p>
 </div>
 </div>
-<div id="outline-container-org45a9f7f" class="outline-4">
-<h4 id="org45a9f7f"><span class="section-number-4">12.10.3.</span> Android</h4>
+<div id="outline-container-orgd3c62d2" class="outline-4">
+<h4 id="orgd3c62d2"><span class="section-number-4">12.10.3.</span> Android</h4>
 <div class="outline-text-4" id="text-12-10-3">
 <p>
 Android phones and tablets are authorized to connect to the cloister
@@ -4472,8 +4523,8 @@ public VPN.</li>
 </div>
 </div>
 </div>
-<div id="outline-container-orgbc67dff" class="outline-3">
-<h3 id="orgbc67dff"><span class="section-number-3">12.11.</span> Create Wireless Domain Name</h3>
+<div id="outline-container-org39c2bc6" class="outline-3">
+<h3 id="org39c2bc6"><span class="section-number-3">12.11.</span> Create Wireless Domain Name</h3>
 <div class="outline-text-3" id="text-12-11">
 <p>
 A wireless machine is assigned a Wi-Fi address when it connects to the
@@ -4528,7 +4579,7 @@ be added to <q>private/db.campus_vpn</q>.)
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Matt Birkholz</p>
-<p class="date">Created: 2026-01-12 Mon 12:12</p>
+<p class="date">Created: 2026-01-18 Sun 16:36</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>