nginx.conf

     }
 
     map $request_uri $redirect_uri {
-        /res/images/sense/sense.jpg             /2016/04/10/sense-api/sense.jpg;
-        /res/images/wemo/switch.jpg             /2016/05/02/monitoring-power-with-wemo/switch.jpg;
-        /res/images/wemo/desk-1d.png            /2016/05/02/monitoring-power-with-wemo/desk-1d.png;
-        /res/images/wemo/desk-1w.png            /2016/05/02/monitoring-power-with-wemo/desk-1w.png;
+        /res/images/sense/sense.jpg                     /2016/04/10/sense-api/sense.jpg;
+        /res/images/wemo/switch.jpg                     /2016/05/02/monitoring-power-with-wemo/switch.jpg;
+        /res/images/wemo/desk-1d.png                    /2016/05/02/monitoring-power-with-wemo/desk-1d.png;
+        /res/images/wemo/desk-1w.png                    /2016/05/02/monitoring-power-with-wemo/desk-1w.png;
+        /res/images/docker/logo.png                     /2016/05/21/docker-automatic-nginx-proxy/logo.png;
+        /res/images/docker/reverse-proxy.png            /2016/05/21/docker-automatic-nginx-proxy/reverse-proxy.png;
+        /res/images/https/https-everywhere.jpg          /2016/06/17/why-you-should-be-using-https/https-everywhere.jpg;
+        /res/images/yubikey/keys.png                    /2016/08/11/offline-gnupg-master-yubikey-subkeys/keys.png;
+        /res/images/yubikey/wisdom_of_the_ancients.png  /2016/08/11/offline-gnupg-master-yubikey-subkeys/wisdom_of_the_ancients.png;
+        /res/images/ssh/openssh.png                     /2016/10/18/shoring-up-sshd/openssh.png;
+        /res/images/ssh/ssh-audit-github.png            /2016/10/18/shoring-up-sshd/ssh-audit-github.png;
     }
 
     server {

site/assets/style/modules/_articles.sass

   img
     max-width: 100%
 
-  p a
+  img + p
+    margin-top: 1.5em
+
+  p a, figcaption a
     color: $link-color
     text-decoration-color: $link-underline-color
     text-decoration-skip-ink: auto

site/content/post/2016-05-21-docker-automatic-nginx-proxy.md → site/content/post/2016-05-21-docker-automatic-nginx-proxy/index.md

 ---
 date: 2016-05-21
-strapline: It's containers all the way down...
-thumbnail: /res/images/docker/logo.thumb.png
 title: Automatic reverse proxying with Docker and nginx
-url: /2016/05/21/docker-automatic-nginx-proxy/
-aliases: ["/2016/05/21/docker-automatic-nginx-proxy.html"]
-image: /res/images/docker/reverse-proxy.png
 description: Automatically retrieve certificates from Let's Encrypt and configure an SSL-terminating reverse proxy based on running containers.
 area: Docker
+url: /2016/05/21/docker-automatic-nginx-proxy/
+aliases: ["/2016/05/21/docker-automatic-nginx-proxy.html"]
+
+resources:
+  - src: reverse-proxy.png
+    name: Diagram showing components of a reverse proxy implementation
+    params:
+      default: true
+  - src: logo.png
+    name: The Docker project logo
 ---
 
-<figure class="right">
-  <img src="/res/images/docker/logo.png" alt="Docker logo">
-  <figcaption>The Docker project logo</figcaption>
-</figure>
+{{< figure "right" "The Docker project logo" >}}
 
 Over the past few weeks I've gradually been migrating services from running in LXC containers to
 Docker containers. It takes a while to get into the right mindset for Docker - thinking of
 
 In the end I decided to roll my own solution. Here's a high-level overview of how it all works:
 
-<img src="/res/images/docker/reverse-proxy.png" alt="Diagram">
+{{< img "Diagram showing components of a reverse proxy implementation" >}}
 
 As you probably noticed, there are quite a few containers involved. Each one performs a small,
 well-defined task, and its output can easily be inspected in either a volume or a database. I
 automatically reruns when there are changes. It also runs once a day to renew any certs that are
 coming up for expiry.
 
-#### service-nginx and nginx.
+#### service-nginx and nginx
 
 The right fork of the diagram is concerned with nginx. My
 [service-nginx](https://github.com/csmith/docker-service-nginx) container again connects to etcd

site/content/post/2016-06-17-why-you-should-be-using-https.md → site/content/post/2016-06-17-why-you-should-be-using-https/index.md

 ---
 date: 2016-06-17
-strapline: It's time to stop with the excuses
-thumbnail: /res/images/https/https-everywhere.thumb.jpg
 title: Why you should be using HTTPS
-url: /2016/06/17/why-you-should-be-using-https/
-image: /res/images/https/https-everywhere.jpg
 description: There's no good reason for sites to avoid HTTPS any more, and lots of reasons they should be actively encouraging it.
 area: security
+url: /2016/06/17/why-you-should-be-using-https/
+
+resources:
+  - src: https-everywhere.jpg
+    name: The EFF's HTTPS Everywhere logo
+    params:
+      default: true
 ---
 
-<figure class="left">
-  <img src="/res/images/https/https-everywhere.jpg" alt="EFF HTTPS Everywhere logo">
-  <figcaption>The EFF's HTTPS Everywhere logo</figcaption>
-</figure>
+{{< figure "left" "The EFF's HTTPS Everywhere logo" >}}
 
 One of my favourite hobbyhorses recently has been the use of HTTPS, or lack thereof. HTTPS is the
 thing that makes the little padlock appear in your browser, and has existed for over 20 years.

site/content/post/2016-08-11-offline-gnupg-master-yubikey-subkeys.md → site/content/post/2016-08-11-offline-gnupg-master-yubikey-subkeys/index.md

 ---
 date: 2016-08-11
-strapline: With bonus completely over-the-top security
-thumbnail: /res/images/yubikey/keys.thumb.png
 title: Creating an offline GnuPG master key with Yubikey-stored subkeys
-url: /2016/08/11/offline-gnupg-master-yubikey-subkeys/
-image: /res/images/yubikey/keys.png
 description: How to use an aircapped computer, a large dose of paranoia, an ironkey, and some yubikeys to create a new GPG key and subkeys.
 area: security
+url: /2016/08/11/offline-gnupg-master-yubikey-subkeys/
+
+resources:
+  - src: keys.png
+    name: A pair of Yubikeys
+    params:
+      default: true
+  - src: wisdom_of_the_ancients.png
+    name: "XKCD: Wisdom of the Ancients"
 ---
 
-<figure class="right">
-  <img src="/res/images/yubikey/keys.png" alt="Two yubikeys">
-  <figcaption>A (key-)pair of Yubikeys. (Sorry.)</figcaption>
-</figure>
+{{< figure "right" "A pair of Yubikeys" >}}
 
 I recently noticed that I'd accidentally lost my previous GPG private key &mdash; whoops. It was on
 a drive that I'd since formatted and used for a fair amount of time, so there's no hope of
 was able to sign and encrypt e-mail in Thunderbird.
 
 <figure class="left">
-  <img src="/res/images/yubikey/wisdom_of_the_ancients.png" alt="XKCD: Wisdom of the ancients">
+  {{< img "XKCD: Wisdom of the Ancients" >}}
   <figcaption><a href="https://xkcd.com/979/">XKCD #979: Wisdom of the ancients</a></figcaption>
 </figure>
 

site/content/post/2016-10-18-shoring-up-sshd.md → site/content/post/2016-10-18-shoring-up-sshd/index.md

 ---
 date: 2016-10-18
-thumbnail: /res/images/ssh/openssh.thumb.png
 title: Shoring up SSHd configuration
-strapline: Down with weak algorithms!
-url: /2016/10/18/shoring-up-sshd/
-image: /res/images/ssh/openssh.png
 description: Tools and suggestions for improving the security of SSHd by disabling weak algorithms and modern config tweaks.
 area: security
+url: /2016/10/18/shoring-up-sshd/
+
+resources:
+  - src: openssh.png
+    name: The OpenSSH project logo
+    params:
+      default: true
+  - src: ssh-audit-github.png
+    name: Output of ssh-audit pointing at GitHub's SSH servers
 ---
 
-<figure class="left">
-  <img src="/res/images/ssh/openssh.png" alt="OpenSSH logo">
-  <figcaption>The OpenSSH project logo</figcaption>
-</figure>
+{{< figure "left" "The OpenSSH project logo" >}}
 
 I recently came across a useful tool on GitHub called
 [ssh-audit](https://github.com/arthepsy/ssh-audit). It's a small Python script
 example, I'm looking at GitHub's SSH server and have filtered the output to
 just warnings and failures:
 
-<img src="/res/images/ssh/ssh-audit-github.png" alt="ssh-audit output">
+{{< img "Output of ssh-audit pointing at GitHub's SSH servers" >}}
 
 GitHub's a bit of a special case, as they're trying to cope with scores of
 developers pushing code: they can't disable weaker algorithms without also
 using remotely modern clients to connect. Similarly the host-key DSA algorithm
 uses a 1024 bit key, so should be disabled.
 
-Many of the supported encryption algorithms use basically-broken algorithms
-(`3des-cbc`, `arcfour`, for example). Some of the remaining are block ciphers
+Many of the rejected encryption algorithms use basically-broken algorithms
+(`3des-cbc` and `arcfour` for example). Some of the remaining are block ciphers
 with small block sizes, which makes them weak (e.g. `blockfish-cbc` uses a
 block size of 64 bits).