docs: Add tls eab subdirective

src/docs/markdown/caddyfile/directives/tls.md

@@ -23,6 +23,7 @@ tls [internal|<email>] | [<cert_file> <key_file>] {
 	ca        <ca_dir_url>
 	ca_root   <pem_file>
 	dns       <provider_name> [<params...>]
+	eab       <key_id> <mac_key>
 	on_demand
 	client_auth {
 		mode                   [request|require|verify_if_given|require_and_verify]
@@ -68,6 +69,7 @@ tls [internal|<email>] | [<cert_file> <key_file>] {
 - **ca** changes the ACME CA endpoint. This is most often used to use [Let's Encrypt's staging endpoint](https://letsencrypt.org/docs/staging-environment/) or an internal ACME server. (To change this value for the whole Caddyfile, use the `acme_ca` [global option](/docs/caddyfile/options) instead.)
 - **ca_root** specifies a PEM file that contains a trusted root certificate for the ACME CA endpoint, if not in the system trust store.
 - **dns** enables the [DNS challenge](/docs/automatic-https#dns-challenge) using the specified provider plugin, which must be plugged in from one of the [caddy-dns](https://github.com/caddy-dns) repositories. Each provider plugin may have their own syntax following their name; refer to their docs for details. Maintaining support for each DNS provider is a community effort. [Learn how to enable the DNS challenge for your provider at our wiki.](https://caddy.community/t/how-to-use-dns-provider-modules-in-caddy-2/8148)
+- **eab** configures ACME external account binding (EAB) for this site, using the key ID and MAC key provided by your CA.
 - **on_demand** enables [on-demand TLS](/docs/automatic-https#on-demand-tls) for the hostnames given in the site block's address(es).
 - **client_auth** enables and configures TLS client authentication:
 	- **mode** is the mode for authenticating the client. Allowed values are: