Expand public installation and API documentation

config.example.yaml

@@ -1,4 +1,6 @@
 server:
+  # The built-in UI/API has no authentication. Keep this on loopback unless
+  # another trusted layer protects access.
   listen_address: 127.0.0.1:9080
   read_timeout: 5s
   write_timeout: 10s
@@ -9,6 +11,8 @@ storage:
 
 investigation:
   enabled: true
+  # Reserved for future automatic revalidation logic. Current releases keep
+  # cached investigations until you explicitly refresh them.
   refresh_after: 24h
   timeout: 8s
   user_agent: caddy-opnsense-blocker/0.2
@@ -19,6 +23,7 @@ investigation:
   background_batch_size: 256
 
 opnsense:
+  # Set to false for review-only mode.
   enabled: true
   base_url: https://router.example.test
   api_key_file: /run/secrets/opnsense-api-key
@@ -70,6 +75,8 @@ profiles:
       - /.git
 
 sources:
+  # One log path equals one selected profile. Different sources can still share
+  # the same global OPNsense backend defined above.
   - name: public-web
     path: /var/log/caddy/public-web-access.json
     profile: public-web