docs(eotk): expand docs on how to deploy eotk

Iain Learmonth 2022-12-09 14:12:53 +00:00
parent 540fa12a3b
commit e0af68f431
3 changed files with 63 additions and 3 deletions

BIN
docs/_static/onion/new.png vendored Normal file

Binary file not shown.


@ -1,6 +1,12 @@
Tor Bridges
===========
A Tor bridge is a special type of node on the Tor network that is not listed in the public directory of nodes.
This makes it harder for governments and other organizations to block access to the Tor network, because users can
still connect to the network through these unlisted bridges. Bridges are often used in countries where access to the
Tor network is heavily restricted, as they can provide a way for users to access the network and the anonymity and
privacy it offers.
As with other circumvention resources, the dashboard takes the approach of managing collections of resources that are
uniformly configured and expendable. For this reason the only configuration that can be performed is at a high level
with the management of individual resources taking place through the automation subsystem.
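Review bot: The second paragraph opens "For this reason" and relies on bridges being "expendable", but the new introduction never says why a bridge would need to be replaced, so the reasoning is left to the reader. Suggest one sentence in the introduction stating that a bridge's address can still be discovered and blocked once it is in use, which is what makes uniform, replaceable collections the sensible unit of management. The closing mention of "the automation subsystem" would also benefit from a ``:doc:`` cross-reference, since this page gives no other pointer to where individual resources are handled.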


@ -1,6 +1,21 @@
Enterprise Onion Toolkit
========================
Tor onion services, also known as hidden services, are websites that can be accessed through the Tor network.
These services are useful for publishers because they allow them to host their content on the internet without
revealing their physical location or IP address. This can provide a greater level of privacy and security for both the
publisher and the users accessing the content.
Because Tor onion services are accessed through the Tor network, they are much more difficult to block or censor than
regular websites.
This is because the connection between the user and the website is encrypted and routed through multiple nodes on the
network, making it difficult for anyone to determine the source or destination of the traffic.
This means that even if one node on the network is blocked, the traffic can still be routed through other nodes to
reach the website.
To deploy an Onion service, you first need to deploy EOTK instances for the related origin group, and then configure
the individual Onion services that will be served by those EOTK instances.
Once your administrator has provided you access to the portal, you can begin to configure your onion service
deployments. To get started, select "Groups" under "Configuration" from the menu on the left hand side.
If you are using a mobile device, you may need to click the hamburger icon at the top of the screen to open the menu.
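Review bot: The paragraph starting "Because Tor onion services are accessed through the Tor network" presents onion services as hard to block without saying that this only helps users who can already reach the Tor network; where Tor itself is blocked the user needs a bridge first. Suggest adding a cross-reference to the Tor Bridges page touched in this same commit. Two smaller points: "EOTK" is first used in "deploy EOTK instances" without being tied to the page title, so spell out "Enterprise Onion Toolkit (EOTK)" on first use, and "hidden services" is the older name that the Tor Project has since replaced with "onion services", which is worth marking as such.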
@ -53,8 +68,47 @@ Deploy EOTK instances
Tick this checkbox to deploy EOTK instances for this group.
Managing EOTK instances
Managing Onion services
-----------------------
It is not currently possible to manage the EOTK instances via the portal. Rather, you must use the AWS Systems Manager
to manage the EOTK instances via the command line. See the :doc:`Administration Guide <../admin/eotk>` for more details.
To create a new Onion service, click "Create new onion service" at the top of the list page. This will present
you with the new onion service form:
.. image:: /_static/onion/new.png
:width: 800
Domain Name
"""""""""""
The base origin domain name that the Onion service will be for. This should be the common domain name of all
the subdomains you want to serve on the Onion service, not including any subdomain (e.g. example.com not
www.example.com).
Description
"""""""""""
A free-form text description to help identify the Onion service.
Onion Private Key
"""""""""""""""""
The private key for the Onion service. This could be generated by ``tor`` or by a tool such as
`mkp224o <https://github.com/cathugger/mkp224o>`_.
Onion Public Key
""""""""""""""""
The corresponding public key. The Onion hostname will be derived from the public key, however no checks are made to
ensure that the public key is the correct key to correspond to the private key.
TLS Private Key (PEM format)
""""""""""""""""""""""""""""
The PEM formatted TLS private key. If not specified, the self-signed certificates generated by EOTK will be used.
Beware that in that case, each EOTK instance will have different TLS keys and certificates.
TLS Certificate (PEM format)
""""""""""""""""""""""""""""
The PEM formatted TLS certificate. Either a self-signed certificate, or a certificate issued by an authority that
will validate .onion hostnames. This should be a wildcard cert for the domain name given above (e.g. \*.example.com).
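Review bot: Under "Onion Public Key" the text says "no checks are made to ensure that the public key is the correct key to correspond to the private key" but gives the reader neither the consequence nor a way to avoid it. Since the hostname is derived from the public key, a mismatched pair could leave the portal showing a hostname that the deployed private key does not serve; suggest telling the user to take both values from the same generated key pair and to confirm the resulting hostname after saving. The "Onion Private Key" entry should also state what encoding the form expects, as ``tor`` and mkp224o write key files rather than text. Finally, under "TLS Certificate" the example "\*.example.com" names the origin domain while the preceding sentence talks about an authority that validates .onion hostnames, so it is unclear which name the certificate must cover; please make the example match the intended name.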