Move two more posts to bundles

nginx.conf

     }
 
     map $request_uri $redirect_uri {
-        /res/images/sense/sense.jpg             /2016/04/10/sense-api/sense.jpg;
-        /res/images/wemo/switch.jpg             /2016/05/02/monitoring-power-with-wemo/switch.jpg;
-        /res/images/wemo/desk-1d.png            /2016/05/02/monitoring-power-with-wemo/desk-1d.png;
-        /res/images/wemo/desk-1w.png            /2016/05/02/monitoring-power-with-wemo/desk-1w.png;
-        /res/images/docker/logo.png             /2016/05/21/docker-automatic-nginx-proxy/logo.png;
-        /res/images/docker/reverse-proxy.png    /2016/05/21/docker-automatic-nginx-proxy/reverse-proxy.png;
-        /res/images/https/https-everywhere.jpg  /2016/06/17/why-you-should-be-using-https/https-everywhere.jpg;
+        /res/images/sense/sense.jpg                     /2016/04/10/sense-api/sense.jpg;
+        /res/images/wemo/switch.jpg                     /2016/05/02/monitoring-power-with-wemo/switch.jpg;
+        /res/images/wemo/desk-1d.png                    /2016/05/02/monitoring-power-with-wemo/desk-1d.png;
+        /res/images/wemo/desk-1w.png                    /2016/05/02/monitoring-power-with-wemo/desk-1w.png;
+        /res/images/docker/logo.png                     /2016/05/21/docker-automatic-nginx-proxy/logo.png;
+        /res/images/docker/reverse-proxy.png            /2016/05/21/docker-automatic-nginx-proxy/reverse-proxy.png;
+        /res/images/https/https-everywhere.jpg          /2016/06/17/why-you-should-be-using-https/https-everywhere.jpg;
+        /res/images/yubikey/keys.png                    /2016/08/11/offline-gnupg-master-yubikey-subkeys/keys.png;
+        /res/images/yubikey/wisdom_of_the_ancients.png  /2016/08/11/offline-gnupg-master-yubikey-subkeys/wisdom_of_the_ancients.png;
+        /res/images/ssh/openssh.png                     /2016/10/18/shoring-up-sshd/openssh.png;
+        /res/images/ssh/ssh-audit-github.png            /2016/10/18/shoring-up-sshd/ssh-audit-github.png;
     }
 
     server {

site/assets/style/modules/_articles.sass

   img + p
     margin-top: 1.5em
 
-  p a
+  p a, figcaption a
     color: $link-color
     text-decoration-color: $link-underline-color
     text-decoration-skip-ink: auto

site/content/post/2016-08-11-offline-gnupg-master-yubikey-subkeys.md → site/content/post/2016-08-11-offline-gnupg-master-yubikey-subkeys/index.md

 ---
 date: 2016-08-11
-strapline: With bonus completely over-the-top security
-thumbnail: /res/images/yubikey/keys.thumb.png
 title: Creating an offline GnuPG master key with Yubikey-stored subkeys
-url: /2016/08/11/offline-gnupg-master-yubikey-subkeys/
-image: /res/images/yubikey/keys.png
 description: How to use an aircapped computer, a large dose of paranoia, an ironkey, and some yubikeys to create a new GPG key and subkeys.
 area: security
+url: /2016/08/11/offline-gnupg-master-yubikey-subkeys/
+
+resources:
+  - src: keys.png
+    name: A pair of Yubikeys
+    params:
+      default: true
+  - src: wisdom_of_the_ancients.png
+    name: "XKCD: Wisdom of the Ancients"
 ---
 
-<figure class="right">
-  <img src="/res/images/yubikey/keys.png" alt="Two yubikeys">
-  <figcaption>A (key-)pair of Yubikeys. (Sorry.)</figcaption>
-</figure>
+{{< figure "right" "A pair of Yubikeys" >}}
 
 I recently noticed that I'd accidentally lost my previous GPG private key &mdash; whoops. It was on
 a drive that I'd since formatted and used for a fair amount of time, so there's no hope of
 was able to sign and encrypt e-mail in Thunderbird.
 
 <figure class="left">
-  <img src="/res/images/yubikey/wisdom_of_the_ancients.png" alt="XKCD: Wisdom of the ancients">
+  {{< img "XKCD: Wisdom of the Ancients" >}}
   <figcaption><a href="https://xkcd.com/979/">XKCD #979: Wisdom of the ancients</a></figcaption>
 </figure>
 

site/content/post/2016-10-18-shoring-up-sshd.md → site/content/post/2016-10-18-shoring-up-sshd/index.md

 ---
 date: 2016-10-18
-thumbnail: /res/images/ssh/openssh.thumb.png
 title: Shoring up SSHd configuration
-strapline: Down with weak algorithms!
-url: /2016/10/18/shoring-up-sshd/
-image: /res/images/ssh/openssh.png
 description: Tools and suggestions for improving the security of SSHd by disabling weak algorithms and modern config tweaks.
 area: security
+url: /2016/10/18/shoring-up-sshd/
+
+resources:
+  - src: openssh.png
+    name: The OpenSSH project logo
+    params:
+      default: true
+  - src: ssh-audit-github.png
+    name: Output of ssh-audit pointing at GitHub's SSH servers
 ---
 
-<figure class="left">
-  <img src="/res/images/ssh/openssh.png" alt="OpenSSH logo">
-  <figcaption>The OpenSSH project logo</figcaption>
-</figure>
+{{< figure "left" "The OpenSSH project logo" >}}
 
 I recently came across a useful tool on GitHub called
 [ssh-audit](https://github.com/arthepsy/ssh-audit). It's a small Python script
 example, I'm looking at GitHub's SSH server and have filtered the output to
 just warnings and failures:
 
-<img src="/res/images/ssh/ssh-audit-github.png" alt="ssh-audit output">
+{{< img "Output of ssh-audit pointing at GitHub's SSH servers" >}}
 
 GitHub's a bit of a special case, as they're trying to cope with scores of
 developers pushing code: they can't disable weaker algorithms without also
 using remotely modern clients to connect. Similarly the host-key DSA algorithm
 uses a 1024 bit key, so should be disabled.
 
-Many of the supported encryption algorithms use basically-broken algorithms
-(`3des-cbc`, `arcfour`, for example). Some of the remaining are block ciphers
+Many of the rejected encryption algorithms use basically-broken algorithms
+(`3des-cbc` and `arcfour` for example). Some of the remaining are block ciphers
 with small block sizes, which makes them weak (e.g. `blockfish-cbc` uses a
 block size of 64 bits).