add docs

nix-cache/README.md

@@ -1,14 +1,27 @@
-# Nix cache proxy for R2
+# nix-cache
 
-# Heavily based on https://github.com/piperswe/nix-cache
+Serves a Nix binary cache from Cloudflare R2 with JWT-based authentication.
+Only users with a valid Keycloak token and membership in the `nix-cache-users`
+group can read from the cache.
 
-## Setting up on your domain
+Nix clients authenticate via netrc (Basic auth), while other clients can use
+Bearer tokens directly. JWTs are verified locally using cached JWKS public keys.
 
- 1. Create an A record on the subdomain you want this Worker to run on which points to `192.0.2.1` (see https://community.cloudflare.com/t/a-record-name-for-worker/98841/2 for why)
- 2. Edit `wrangler.toml`
-    - `account_id` should be your Cloudflare account's tag
-    - `route` should be the subdomain this Worker will run on followed by `/*`
-    - `bucket_name` and `preview_bucket_name` should be the name of the R2 bucket you'll use
- 3. Run `npm run login` to login to Wrangler
- 4. Run `npm run deploy`!
- 5. Upload an `index.html` to your bucket if you want a landing page
+## Development
+
+```bash
+npm install    # install dependencies
+npm test       # run vitest (uses miniflare locally)
+npm run dev    # start wrangler dev server on localhost:8787
+```
+
+## Cloudflare Setup
+
+1. Create an A record on the subdomain you want this Worker to run on which
+   points to `192.0.2.1`
+2. Edit `wrangler.jsonc`:
+   - `route` should be the subdomain followed by `/*`
+   - `bucket_name` should be the name of the R2 bucket you'll use
+3. Run `npx wrangler login` to login to Wrangler
+4. Run `npm run deploy`
+5. Upload an `index.html` to your bucket if you want a landing page