diff --git a/howto/puppet.md b/howto/puppet.md
index 96a2a14905e18461cd2ee6256c130b50417d1d73..9be60e7620730c692cb458477259f5d3b4391110 100644
--- a/howto/puppet.md
+++ b/howto/puppet.md
@@ -366,10 +366,17 @@ in Puppet source code, for various reasons: it is hard to erase
 because code is stored in git, but also, ultimately, we want to
 publish that source code publicly.
 
-We use Trocla for this purpose, which generates
+We use [Trocla][] for this purpose, which generates
 random passwords and stores the hash or, if necessary, the clear-text
 in a YAML file.
 
+[Trocla]: https://github.com/duritong/trocla
+
+Trocla's man page is not very useful, but you can see a list of subcommands in
+the [project's README file][].
+
+[project's README file]: https://github.com/duritong/trocla
+
 With Trocla, each password is generated on the fly from a secure
 entropy source ([Ruby's SecureRandom module][]) and stored inside a
 state file (in `/var/lib/trocla/trocla_data.yml`, configured
@@ -382,7 +389,6 @@ it's been transmitted to the user or another password manager. This
 makes it possible to have Trocla not keep any secret at all.
 
 [Ruby's SecureRandom module]: https://ruby-doc.org/stdlib-1.9.3/libdoc/securerandom/rdoc/SecureRandom.html
-[Trocla]: https://github.com/duritong/trocla
 
 This piece of code will generate a [bcrypt][]-hashed password for the
 Grafana admin, for example: