author Vosjedev <vosje@vosjedev.net> 2025-11-12 17:00:06 +0100
committer Vosjedev <vosje@vosjedev.net> 2025-11-12 17:00:06 +0100
commit 1e7bdf2fc47c1e7554b0703626318c8841ee7d16
tree a648175c374738d7b16ca469bd203edec9b359f6
parent be11ee63c3f148034442492b457df5acc0d44ff8
docs: documentation.
-rw-r--r-- README.md 43
1 files changed, 31 insertions, 12 deletions
diff --git a/README.md b/README.md
index 7a96fd0..13b921a 100644
--- a/README.md
+++ b/README.md
@@ -18,9 +18,9 @@ To configure acit, use environment variables. Here's an overview of them, includ
# IMAP login
# ----------
# set this to the IMAP login values of your email server
- ACIT_IMAP_USER="bugs@example.com"
- ACIT_IMAP_PASS="SuperSecurePassword"
- ACIT_IMAP_SERVER="mail.example.com"
+ ACIT_IMAP_USER=bugs@example.com
+ ACIT_IMAP_PASS=SuperSecurePassword
+ ACIT_IMAP_SERVER=mail.example.com
ACIT_IMAP_PORT=993
# note we only support IMAP with Implicit TLS.
# usage of IMAP using STARTTLS and unencrypted imap aren't implemented.
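Review bot: With the quotes dropped from `ACIT_IMAP_PASS=SuperSecurePassword`, the example no longer shows how to write a password that contains a space, `#`, `$` or a quote character, and the visible lines do not say what parses this block. State the expected format next to the example (shell-sourced file, systemd EnvironmentFile, container env file) and show the quoting that format requires for such a password. The same applies to `ACIT_SMTP_PASS` in the next hunk.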
@@ -31,9 +31,9 @@ To configure acit, use environment variables. Here's an overview of them, includ
# SMTP login
# ----------
# set this to the SMTP login values of your email server
- ACIT_SMTP_USER="bugs@example.com"
- ACIT_SMTP_PASS="SuperSecurePassword"
- ACIT_SMTP_SERVER="mail.example.com"
+ ACIT_SMTP_USER=bugs@example.com
+ ACIT_SMTP_PASS=SuperSecurePassword
+ ACIT_SMTP_SERVER=mail.example.com
ACIT_SMTP_PORT=0 # SMTP port to connect to. If set to 0, uses port 465
# note only SMTP using Implicit TLS is supported.
# STARTTLS and unencrypted SMTP are, just like with IMAP, not implemented.
@@ -50,8 +50,8 @@ MYSQL_HOST=localhost # the hostname/ip of the server. to define a port, use host
# Email matching/formatting
# -------------------------
- ACIT_MAIL_NAME="bugs" # the user part of user@example.com
- ACIT_MAIL_DOMAIN="example.com" # the domain of the emailaddress
+ ACIT_MAIL_NAME=bugs # the user part of user@example.com
+ ACIT_MAIL_DOMAIN=example.com # the domain of the emailaddress
ACIT_MAIL_USES_ALIASES= # if set to any value, enables the usage of aliases.
:<<-DOC
Normally, acit looks for an emailaddress that matches email addresses in this style:
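Review bot: On the new `ACIT_MAIL_NAME=bugs # the user part of user@example.com` and `ACIT_MAIL_DOMAIN` lines the trailing comment now follows an unquoted value, so a loader that does not strip inline comments would take the comment text as part of the value and acit would match against the wrong address. Move each comment to its own line above the variable, as the `# IMAP login` and `# SMTP login` blocks already do, or keep the quotes on these two lines.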
@@ -77,6 +77,11 @@ MYSQL_HOST=localhost # the hostname/ip of the server. to define a port, use host
ACIT_HOME_REDIRECT=about:blank # where to redirect to when someone queries the webroot
ACIT_BEHIND_PROXY= # when set, acit displays the 'real ip' when behind a proxy
+# the following option is the path used for the bug editor. note it's your own responsibility
+# to provide a username/password or other authentication system on this path,
+# ACIT DOES NOT CHECK WHETHER A USER IS ALLOWED TO EDIT AN ISSUE. See section `securing issue editing`
+ACIT_SECURE_PATH=/secure/
+
# the following option should be the full path to an executable.
# said executable should return a table of trackers and urls.
# see #acit-list-trackers below in this README.md # TODO: write mentioned section
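Review bot: The default `ACIT_SECURE_PATH=/secure/` leaves the bug editor open unless the operator acts: per the comment above it acit performs no check, so a deployment that skips the proxy step exposes editing to everyone. Say here that acit itself must only be reachable through the authenticating proxy (for example by listening on loopback only), since a request sent straight to acit's own port never passes the proxy's check. Also state whether the trailing slash in `/secure/` is required, so the proxy matcher can be written to cover exactly the same paths.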
@@ -84,11 +89,25 @@ ACIT_LIST_TRACKERS=/usr/lib/acit-list-trackers
```
-# crawling
-Acit makes use of the fact that crawlers will probably often crawl the index page for running certain tasks once in a while. If you are planning on blocking crawlers or want to ensure these tasks run regularly regardless of trackers, curl the webroot (`https://bugs.example.com/` if `bugs.example.com` is your domain) once in a while (every 5 minutes would be nice). Note some of these tasks will also happen when needing relevant resources.
+# securing issue editing
+By default, the path set using ACIT_SECURE_PATH (defaults to `/secure/`) does not have any authentication or authorisation. It's your responsibility to secure it. You can do this by putting a reverse-proxy of some kind between acit and the internet that checks for that path, and then checks whether the password and username is correct.
+
+Because I use caddy, here is an example adjusted from the [examples in caddy's documentation](https://caddyserver.com/docs/caddyfile/directives/basic_auth#examples):
+
+```Caddyfile
+example.com {
+ root * /srv
-Currently these tasks include:
+ basic_auth /secure/* {
+ # Username "Bob", password "hiccup"
+ Bob $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
+ }
+
+ reverse_proxy :8080
+}
+```
-- Updating the projectlist
+This reverse-proxies all traffic to localhost:8080 without authentication. However, when someone tries to access anything matching the glob `/secure/*`, it'll ask for authentication before proxying. For more information, see caddy's documentation page I linked above.
+Note: If you would like acit to do this itself, feel free to send me a patch. I'm not interested in writing it myself due to the amount of code it would add, and I can use caddy to do authentication already, which works for my scale.
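Review bot: The Caddyfile example hardcodes `basic_auth /secure/*` while the path is configurable through ACIT_SECURE_PATH, so changing the variable without changing the matcher leaves the editor unauthenticated; say explicitly that the two must be kept in sync. The example also carries the hash from caddy's documentation together with its password in the comment (`# Username "Bob", password "hiccup"`), which a reader may copy verbatim; use an obvious placeholder instead and point to `caddy hash-password` for generating a real one. `root * /srv` has no effect next to `reverse_proxy :8080` and can be dropped. Separately, the hunk deletes the whole `# crawling` section and its task list, which the commit message "docs: documentation." does not mention; confirm that removal is intended.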