Update documentation

3 files changed, 50 insertions, 22 deletions

diff --git a/readme.md b/readme.md
index 384c3d7..ae3a9e0 100644
--- a/readme.md
+++ b/readme.md
@@ -21,8 +21,8 @@ a simple stupid reverse proxy
 
 ## Installation
 
-On arch use `gnix` from the AUR; Otherwise install `rustup`, then run
-`cargo install --git https://codeberg.org/metamuffin/gnix --tag v2.x.x`.
+On Arch Linux use `gnix` from the AUR. Otherwise install `rustup`, then run
+`cargo install --git https://codeberg.org/metamuffin/gnix --tag v2.4.1`.
 
 ## Quick Start
 
@@ -54,6 +54,27 @@ handler: !hosts # !hosts routes requests for different hostnames.
       next: !proxy { backend: "otherserver:80" }
 ```
 
+## Command-line Option Reference
+
+```
+Usage: gnix [OPTIONS] <CONFIG>
+
+Arguments:
+  <CONFIG>  Path to main configuration file in YAML format
+
+Options:
+  -u, --user <USER>
+          Switch to specified user after loading configuration and certificates
+  -s, --control-socket <CONTROL_SOCKET>
+          Create/Use a control socket to reload configuration with
+  -w, --watch
+          Watch the configuration file and reload on changes. Can be used with --reload
+  -r, --reload
+          Reload configuration of another running instance. Requires --control-socket option
+  -h, --help
+          Print help
+```
+
 ## Configuration Reference
 
 The configuration uses YAML formatting. When the configuration file is changed,
@@ -76,21 +97,24 @@ reported in stderr and are only fatal at startup.
     is used when no other certificate seems appropriate. This is useful for
     testing locally with a self-signed subjectless certificate. (optional
     string)
-  - `disable_h1` Stops advertising HTTP/1.1 support but still continues to
+  - `disable_h1`: Stops advertising HTTP/1.1 support but still continues to
     support it. Default: false
-  - `disable_h2` Stops advertising HTTP/2 support. Default: false
-  - `disable_h3` Disables HTTP/3 support. Default: false
+  - `disable_h2`: Stops advertising HTTP/2 support. Default: false
+  - `disable_h3`: Disables HTTP/3 support. Default: false
 
 - **section `limits`**
   - Note: Make sure you do not exceed the maximum file descriptor limit on your
     platform.
-  - `max_incoming_connections` number of maximum incoming (downstream)
-    connections over TCP transport. excess connections are rejected. Default:
+  - `max_incoming_connections`: Maximum number of incoming (downstream)
+    connections over TCP transport. Excess connections are rejected. Default:
     512
-  - `max_incoming_connections_h3` same but for HTTP/3 where connections are
-    cheaper due to reuse of a single UDP socket. Default: 4096
-  - `max_outgoing_connections` number of maximum outgoing (upstream)
-    connections. excess connections are rejected. Default: 256
+  - `max_incoming_connections_h3`: Maximum number of connections via HTTP/3
+    where connections are cheaper due to reuse of a single UDP socket. Default:
+    4096
+  - `max_requests_per_connnection`: Maximum number of parallel streams/requests
+    per HTTP/3 connection. Default: 16
+  - `max_outgoing_connections`: Maximum number of maximum outgoing (upstream)
+    connections. Excess connections are rejected. Default: 256
 
 - **section `handler`**
   - A module to handle all requests. Usually an instance of `hosts` or `paths`.
@@ -98,10 +122,10 @@ reported in stderr and are only fatal at startup.
 - `source_ip_from_header`: Uses the X-Real-IP header for source ip address,
   requests without it will be rejected. Useful when gnix is behing another
   proxy.
-- `watch_config`: boolean if to watch the configuration file for changes and
-  apply them accordingly. Default: true (Note: This will watch the entire parent
-  directory of the config since most editors first move the file. Currently any
-  change will trigger a reload. TODO)
+- `private_key`: An array of 32 random 8-bit numbers used for cryptographic
+  purposes such as encrypting cookies. If not specified these are randomly
+  choosen at startup which results in all cookie auth session to be invalid
+  after a restart.
 
 ### Modules
 
@@ -269,6 +293,7 @@ themselves; in that case the request is passed on.
   - `{request,response}.size` Maximum total body size. The body is cut off
     before the frame that exceeds this limit. Therefore the body is up to one
     frame size smaller than allowed.
+  - `next`: Inner handler. (module)
 
 - **module `ratelimit`**
   - Limits the rate at which requests can be processed. For this every identity
@@ -306,7 +331,7 @@ themselves; in that case the request is passed on.
     present in the request. The redirect URI's authority will be the `Host`
     header of the request. **Do not use behind another proxy** because requests
     will always be HTTP and result in an endless redirect loop.
-  - Takes a single module (as a single-element array because of a parser limitation)
+  - `next`: Inner handler. (module)
 
 #### Credentials config format
 
diff --git a/src/control_socket.rs b/src/control_socket.rs
index 5d0a3e1..855ec2c 100644
--- a/src/control_socket.rs
+++ b/src/control_socket.rs
@@ -31,8 +31,8 @@ pub enum ControlSocketResponse {
 
 pub async fn serve_control_socket(state: Arc<State>, path: &Path) -> Result<()> {
     let meta = path.metadata()?;
+    // TODO proper check
     if !meta.is_dir() && !meta.is_file() && !meta.is_symlink() {
-        // TODO
         remove_file(path)
             .await
             .context("removing old control socket")?;
diff --git a/src/main.rs b/src/main.rs
index b59c325..8357cf6 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -76,15 +76,19 @@ pub struct State {
 
 #[derive(Parser)]
 struct Args {
-    #[arg(long)]
+    /// Switch to specified user after loading configuration and certificates.
+    #[arg(short, long)]
     user: Option<String>,
-    #[arg(long)]
+    /// Create/Use a control socket to reload configuration with.
+    #[arg(short = 's', long)]
     control_socket: Option<PathBuf>,
+    /// Watch the configuration file and reload on changes. Can be used with --reload.
     #[arg(short, long)]
     watch: bool,
+    /// Reload configuration of another running instance. Requires --control-socket option.
     #[arg(short, long)]
     reload: bool,
-    /// YAML config file
+    /// Path to main configuration file in YAML format
     config: PathBuf,
 }
 
@@ -360,9 +364,8 @@ async fn serve_h3_stream(
     state: Arc<State>,
     listen_addr: SocketAddr,
 ) {
-    let addr = conn.remote_address(); // TODO wait for validatation (or not?)
+    let addr = conn.remote_address();
     debug!("h3 connection attempt from {addr}");
-    // TODO move outside of spawn?
     let Ok(_sem) = state.l_incoming_h3.try_acquire() else {
         return conn.refuse();
     };