diff --git a/howto/ganeti.md b/howto/ganeti.md
index ba20a0a35a1c0ed71f9a6cf802dbefc00785cbd0..040570b6f717c28c67d82af2c3e6665348dedb82 100644
--- a/howto/ganeti.md
+++ b/howto/ganeti.md
@@ -893,7 +893,7 @@ catastrophic data loss bug in Ganeti or [howto/drbd](howto/drbd).
 
 ## Installation
 
-### New node
+### New gnt-fsn node
 
  1. To create a new box, follow [howto/new-machine-hetzner-robot](howto/new-machine-hetzner-robot) but change
     the following settings:
@@ -932,9 +932,8 @@ catastrophic data loss bug in Ganeti or [howto/drbd](howto/drbd).
   
          reboot
 
- 8. Prepare all the nodes by configuring them in puppet.  They should
-    be in the class `roles::ganeti::fsn` if they are part of the fsn
-    cluster.
+ 8. Prepare all the nodes by configuring them in Puppet, by adding the
+    class `roles::ganeti::fsn` to the node
 
  9. Re-enable modules disabling:
 
@@ -989,6 +988,72 @@ catastrophic data loss bug in Ganeti or [howto/drbd](howto/drbd).
          ssh fsn-node-03.torproject.org "puppet agent -t; service ipsec reload"
          ssh fsn-node-06.torproject.org "puppet agent -t; service ipsec reload; ipsec up gnt-fsn-be::fsn-node-03"
 
+### New gnt-chi node
+
+ 1. to create a new box, follow the [cymru new-machine howto](howto/new-machine-cymru)
+
+ 2. follow the [howto/new-machine](howto/new-machine) post-install configuration
+
+ 3. Allocate a private IP address in the `30.172.in-addr.arpa` zone for
+    the node, in the `admin/dns/domains.git` repository
+
+ 4. add the private IP address to the eth1 interface, for example in
+    `/etc/network/interfaces.d/eth1`:
+
+        auto eth1
+        iface eth1 inet static
+            address 172.30.130.1
+
+ 5. enable the interface:
+ 
+        ifup eth1
+
+ 6. allow modules to be loaded and reboot:
+ 
+        touch /etc/no_modules_disabled
+        reboot
+
+ 7. configure the node in Puppet by adding it to the
+    `roles::ganeti::chi` class, and run Puppet on the new node:
+    
+        puppet agent -t
+
+ 8. re-disable module loading:
+ 
+         rm /etc/no_modules_disabled
+
+ 9. run puppet across the ganeti cluster to firewalls are correctly
+    configured:
+
+         cumin -p 0 'C:roles::ganeti::chi' 'puppet agent -t'
+
+ 10. Then the node is ready to be added to the cluster, by running
+     this on the master node:
+
+         gnt-node add \
+          --secondary-ip 172.30.130.2 \
+          --no-ssh-key-check \
+          --no-node-setup \
+          chi-node-02.torproject.org
+
+    If this is an entirely new cluster, you need a different procedure:
+
+         gnt-cluster init \
+          --master-netdev eth1 \
+          --vg-name vg_ganeti \
+          --secondary-ip 172.30.130.1 \
+          --enabled-hypervisors kvm \
+          --mac-prefix 00:66:38 \
+          --no-ssh-init \
+          --no-etc-hosts \
+          chignt.torproject.org
+    
+    The above assumes that `chignt` is already in DNS.
+
+ 11. make sure everything is great in the cluster:
+
+         gnt-cluster verify
+
 ### cluster config
 
 These could probably be merged into the cluster init, but just to document what has been done: