Update docs to reflect TLS support.

docs/src/content/docs/_roadmap.md

@@ -8,6 +8,6 @@ For context, some larger features we have on our Roadmap:
 - Auth: more customizable settings, more customizable UI, and multi-factor.
   Also, service-accounts to auth other backends as opposed to end-users.
 - Many SQLite databases: imagine a separate database by tenant or user.
-- TLS termination and proxy capabilities.
 - We might want to address fan-out and the integration of external resources
   through GraphQL or similar.
+- A message queue system to deal with bursty workloads.

docs/src/content/docs/documentation/auth.mdx

@@ -14,11 +14,11 @@ authorize or deny access to your data, let users change their email address,
 reset their password, etc.
 
 <Aside type="danger" title="HTTPs">
-  The safety of any authentication flow hinges on TLS/HTTPS, both for your users
-  to trust that the server they're talking to is yours and for credentials to be
-  transferred encrypted. Otherwise, credentials will be transmitted in plain
-  text. In production, use a reverse proxy like nginx, caddy, or similar for TLS
-  termination, see [here](/documentation/production).
+  The safety of any authentication flow in hinges on TLS/HTTPS.
+  Always use TLS in [production](/documentation/production).
+  It allows your users to trust that the server they're talking to is actually
+  yours *and* ensures credentials are end-to-end encrypted on the wire as
+  opposed to plain text.
 </Aside>
 
 ## Implementation

docs/src/content/docs/documentation/production.mdx

@@ -20,26 +20,40 @@ could be:
 - introspection
 - disaster recovery
 
-## TLS termination
+## TLS Termination
 
-The most important thing alongside ensuring proper access protection is to set
-up TLS termination ensuring that all traffic from your users to your
-termination point is encrypted.
-In practice, this means putting TrailBase behind a reverse proxy such as NGinx,
-Caddy, ... . The main benefit of using an established reverse proxy is the
-availability of auto-renewal of self-signed certificates with SSL authorities
-Let's encrypt.
+The most important thing alongside ensuring least-priviledge access protection
+is to set up TLS termination establishing your server authority and ensuring
+that your users' traffic is end-to-end encrypted.
+
+TrailBase has built-in support for TLS and will automatically start in HTTPS
+mode, if it finds:
+
+ * a PEM key file under `<traildepot>/secrets/certs/key.pem`,
+ * and a PEM cert file under `<traildepot>/secrets/certs/cert.pem`.
+
+At this point TrailBase does not yet support automated certificate signing and
+renewal.
+We therefore recommend using tools like [certbot](https://certbot.eff.org/) in
+standalone mode to periodically refresh your certificates to avoid accidentally
+being left w/o a valid one.
+
+You could also consider using a reverse proxy with first-class certbot integration
+like [nginx](https://nginx.org) or built-in support for *Let's encrypt* like
+[caddy](https://caddyserver.com/).
+We would like to add support for auto-refresh with *Let's encrypt* in the
+future.
 
 ## Access
 
-### API access
+### API Access
 
 Make sure to use record API's authorization primitives to tighten access to
 data as much as possible. It's a good idea to check `_REQ_.<user_id> ==
 _USER_.id` on record creations and updates to avoid users can impersonate or
 touch on other users records.
 
-### Admin access
+### Admin Access
 
 You can expose TrailBase's admin APIs and UIs on a separate private port as an
 extra precaution and to simply expose a smaller surface.

docs/src/content/docs/getting-started/first-ui-app.mdx

@@ -243,7 +243,7 @@ Thanks!
     Unless explicitly disabled.
 
 [^4]:
-    To serve HTTPS you'll either need a reverse proxy in front to terminate TLS
-    or if you don't require end-to-end encryption (e.g. you're not using auth
-    or handling sensitive data) you can fall back to TLS termination via a CDN
-    like cloudflare.
+    For sensitive use-cases, e.g. auth, you'll also need certificates for
+    integrity and end end-to-end TLS encryption.
+    For less sensitive use cases, such as establishing an authority, you could
+    fall back to TLS termination via a CDN like cloudflare.