Rework secondary node reconfiguration

Improve documentation on how to promote the Geo secondary nodes to a Geo primary

---

Original, abandoned premise:

We may be able to make these machine reconfigure steps to happen after failover. The incentive here is that they can take a long time to run; we want the maintenance window to be as short as possible, and we're already pushing up against a one-hour budget.

I think this includes the previously-forgotten-about step of "update the external_url". However, it may not - having this set incorrectly should still allow requests to be served correctly, but we may write the wrong absolute URL into system notes, or other places. It may also interfere with the container registry, GitLab pages, etc. Needs investigation.

We can't update any of these things (including external_url) pre-failover because that will break the secondary's conception of itself as a secondary.