diff --git a/charts/sftd/README.md b/charts/sftd/README.md index c785f58009..2d0fa74a07 100644 --- a/charts/sftd/README.md +++ b/charts/sftd/README.md @@ -111,6 +111,32 @@ able to reach the restund servers on their public IPs. More exotic setups _are_ possible but are currently *not* officially supported. Please contact us if you have different constraints. +### No public IP on default interface + +Often on-prem or at certain cloud providers your nodes will not have directly routable public IP addresses +but are deployed in 1:1 NAT. This chart is able to auto-detect this scenario if your cloud providers adds +an `ExternalIP` field to your kubernetes node objects. + +On on-prem you should set an `wire.com/external-ip` annotation on your kubernetes nodes so that sftd is aware +of its external IP when it gets scheduled on a node. + +If you use our kubespray playbooks to bootstrap kubernetes, you simply have to +set the `external_ip` field in your `group_vars` +```yaml +# inventory/group_vars/k8s-cluster +node_annotations: + wire.com/external-ip: {{ external_ip }} +``` +And the `external_ip` is set in the inventory per node: +``` +node0 ansible_host=.... ip=... external_ip=aaa.xxx.yyy.zzz +``` + +If you are hosting Kubernetes through other means you can annotate your nodes manually: +``` +$ kubectl annotate node $HOSTNAME wire.com/external-ip=$EXTERNAL_IP +``` + ## Rollout Kubernetes will shut down pods and start new ones when rolling out a release. Any calls 
@@ -193,31 +219,6 @@ helm install wire-prod charts/wire-server --set 'nodeSelector.wire\.com/role=sft helm install wire-staging charts/wire-server --set 'nodeSelector.wire\.com/role=sftd-staging' ...other-flags ``` -## No public IP on default interface - -Often on-prem or at certain cloud providers your nodes will not have directly routable public IP addresses -but are deployed in 1:1 NAT. This chart is able to auto-detect this scenario if your cloud providers adds -an `ExternalIP` field to your kubernetes node objects. - -On on-prem you should set an `wire.com/external-ip` annotation on your kubernetes nodes so that sftd is aware -of its external IP when it gets scheduled on a node. - -If you use our kubespray playbooks to bootstrap kubernetes, you simply have to -set the `external_ip` field in your `group_vars` -```yaml -# inventory/group_vars/k8s-cluster -node_annotations: - wire.com/external-ip: {{ external_ip }} -``` -And the `external_ip` is set in the inventory per node: -``` -node0 ansible_host=.... ip=... external_ip=aaa.xxx.yyy.zzz -``` - -If you are hosting Kubernetes through other means you can annotate your nodes manually: -``` -$ kubectl annotate node $HOSTNAME wire.com/external-ip=$EXTERNAL_IP -``` ## Port conflicts and `hostNetwork`
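Review bot: In the first hunk's added `group_vars` snippet, the value in `wire.com/external-ip: {{ external_ip }}` is unquoted, so YAML parses the leading `{` as the start of a flow mapping instead of handing a Jinja expression to Ansible. Suggest `wire.com/external-ip: "{{ external_ip }}"`. The sentence above that snippet says to set the `external_ip` field in `group_vars`, but the snippet sets `node_annotations` there and the next snippet sets `external_ip` per node in the inventory, so the wording should say which setting goes in which file. In the manual `kubectl annotate node $HOSTNAME wire.com/external-ip=$EXTERNAL_IP` line, `$HOSTNAME` is already defined by bash as the local machine's name, so a copy-paste from a workstation targets the wrong node name. A placeholder such as `<node-name>` would be clearer, and it is worth noting that `--overwrite` is needed when the annotation already exists. Since the section is being moved anyway, "your cloud providers adds" and "an `wire.com/external-ip`" could be fixed in the same change.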