diff --git a/nfpm/zrok-share.env b/nfpm/zrok-share.env
index 7d439682..546fd26f 100644
--- a/nfpm/zrok-share.env
+++ b/nfpm/zrok-share.env
@@ -17,7 +17,7 @@ ZROK_ENABLE_TOKEN=""
 #
 ZROK_ENVIRONMENT_NAME=""
 
-# You MUST set this if not using the default zrok.io API endpoint
+# You MUST set this if not using the default API endpoint
 #ZROK_API_ENDPOINT="https://api.zrok.io"
 
 #
@@ -29,52 +29,45 @@ ZROK_ENVIRONMENT_NAME=""
 # WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL.
 
 #
-## BACKEND MODES THAT WORK WITH PUBLIC OR PRIVATE SHARES (HTTP)
+## BACKEND MODES THAT WORK WITH PUBLIC AND PRIVATE HTTP SHARES
 #
 
 # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
 # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
-ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
 ZROK_BACKEND_MODE="proxy"
+ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
 # if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
 # NOTE: changing this value does not require provisioning a new frontend URL
 #ZROK_INSECURE="--insecure"
 
 # backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an
 # absolute path to a directory that is readable by 'other'
-#ZROK_TARGET="/var/www/html"
 #ZROK_BACKEND_MODE="web"
+#ZROK_TARGET="/var/www/html"
 
 # backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute
 # path to a directory that is readable by 'other'
-#ZROK_TARGET="/usr/share/doc"
 #ZROK_BACKEND_MODE="drive"
+#ZROK_TARGET="/usr/share/doc"
 
 # backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that
 # is readable by 'other'.
-#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
 #ZROK_BACKEND_MODE="caddy"
-
-# DEBUG log level
-# NOTE: changing this value does not require provisioning a new frontend URL
-#ZROK_VERBOSE="--verbose"
-
-# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
-# WARNING: changes take effect the next time the frontend URL is reserved
-# NOTE: basic auth and oauth are mutually exclusive
-ZROK_SHARE_OPTS=""
+#ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile"
 
 #
 ## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES
 #
 
+# you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private' to use private share backend modes
+
 #ZROK_BACKEND_MODE="tcpTunnel"
 #ZROK_TARGET="127.0.0.1:25565"
 
 #ZROK_BACKEND_MODE="udpTunnel"
 #ZROK_TARGET="127.0.0.1:53"
 
-# you must grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands:
+# you MUST grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands:
 # sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf
 # systemctl daemon-reload
 #ZROK_BACKEND_MODE="vpn"
@@ -113,3 +106,14 @@ ZROK_SHARE_OPTS=""
 
 # you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private 
 #ZROK_FRONTEND_MODE="reserved-public"
+
+#
+## OPTIONS
+#
+
+# DEBUG log level
+# NOTE: changing this value does not require provisioning a new frontend URL
+#ZROK_VERBOSE="--verbose"
+
+# you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints
+ZROK_SHARE_OPTS=""