- Remove the mention to a separate cumin config, since we don't have a
  separate PuppetDB host for Tails anymore.

- Update the retirement procedure to only mention the parts that are
  really different from TPA.

- Update VM installation script to use TPA Puppet Server instead.

- Delete mentions to the Tails Puppet Server service.

- Update the hostname of the "SSH Keymaster", which is now
  puppet.torproject.org.

howto/cumin.md

@@ -133,15 +133,6 @@ The tunnel will be shutdown as soon as it's done, and fired up as
 needed. You *will* need to tap your YubiKey, as normal, to get it to
 work of course.
 
-Note that the same automatic tunnel can be setup for the Tails infra by creating
-a second pair of systemd user units, say `tails-puppetdb-tunnel.socket` and
-`tails-puppetdb-tunnel@.service`. In those unit files you'll want to change the
-port number that the socket is listening to and change the destination host for
-the ssh connection in the `.service` file to `puppet.lizard` instead. Then you
-can either ssh manually to your localhost socket-bound port or create an
-alternative cumin configuration file that points to this port instead and use
-this with e.g. `cumin -c ~/.config/cumin/tails-config.yaml`.
-
 This is different from a `-N` "daemon" configuration where the daemon
 stays around for a long-lived connection. This is the only way we've
 found to make it work with socket activation. The alternative to that