[Doc] Update template

bc158c24 · Quentin Duchemin · 305b132b · bc158c24 · bc158c24 · bc158c24
Verified Commit bc158c24 authored 4 years ago by Quentin Duchemin
--- a/template/README.md
+++ b/template/README.md
+## App
+
+In this README, you should explain, if applicable, the following :
+* What is this
+* Is it based on a base image, is it a custom Dockerfile based on another Dockerfile, or a brand new Dockerfile
+* How to configure (secrets, environment variables...)
+* How to start (usually just a `docker-compose up -d` and copying the secret files : this is the goal)
+* How to update the service itself (usually just changing a tag in the Docker Compose file and an argument in the Dockerfile)
+* How to update the customization of the service : add more environment variables, change configurtion, etc.
+* How to administrate the service (e.g. CLI tool)
+* Warnings about breaking changes (e.g. "you cannot update the database to a major version without doing this or that")
+
+And everything that you find useful.
+
+This README should act as a reference for all administration tasks.
+
+However it should not contain user documentation, nor general advices about how to resolve build errors and so on (this is the job of the CI documentation).
--- a/template/clair-whitelist.yml
+++ b/template/clair-whitelist.yml
+# Put all CVE as sub-keys
+# The format is :
+#  CVE-XXX-XXX: <paquet name> -> <reason>
 generalwhitelist:
--- a/template/docker-compose.yml
+++ b/template/docker-compose.yml
@@ -2,16 +2,63 @@ version: "3.7"

 volumes:
  # Name of Docker volume
+  # Also use a name so that Docker Compose does not add
+  # the current folder name
  myvolume:
-    external: true
+    name: myvolume

 networks:
  # Best pratice : put all services that do not need
  # to be exposed on the Internet in a separate network
-  mynetwork:
+  app:
  # This is the reverse-proxy default network : put all services
  # that need to be served via Traefik in this network
  docker_default:
    external: true

 services:
+  # Main application
+  app:
+    # This is the name of the image
+    # which will be built on the registry
+    # Never use latest as a tag
+    image: registry.picasoft.net/<image>:<tag>
+    # Use a comprehensive name for easy
+    # understanding of `docker ps` output
+    container_name: app
+    # If the container has to be reached from
+    # the Internet, put in docker_default
+    # Otherwise, just in its own network
+    networks:
+      - docker_default
+      - app
+    # Don't put the .example extension, the real
+    # file will be a copy with real values
+    env_file:
+      - ./secrets/myservices.secrets
+    # If the service needs to be reachable from the
+    # Internet via HTTPS, enable Traefik and tell
+    # it the base URL of all requests which will be
+    # redirected to this container.
+    # Change the port to the exposed port of the
+    # container.
+    labels:
+      traefik.enable: true
+      traefik.frontend.rule: "Host:app.picasoft.net"
+      traefik.port: 80
+    # This avoid restarting a container on
+    # startup when it has been explicitly stopped
+    restart: unless-stopped
+
+  # Some services have a database : here is an example
+  db:
+    image: registry.picasoft.net/<image>:<tag>
+    container_name: db
+    # Database secrets should be in a separate file
+    env_file:
+      - ./secrets/myservices_db.secrets
+    # The database should NOT be reachable
+    # from the outside : only from the main container
+    networks:
+      - app
+    restart: unless-stopped