diff --git a/template/README.md b/template/README.md
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..98ac25e6abfd1991ab01c1bb4d1c4fe4803b73ef 100644
--- a/template/README.md
+++ b/template/README.md
@@ -0,0 +1,17 @@
+## App
+
+In this README, you should explain, if applicable, the following :
+* What is this
+* Is it based on a base image, is it a custom Dockerfile based on another Dockerfile, or a brand new Dockerfile
+* How to configure (secrets, environment variables...)
+* How to start (usually just a `docker-compose up -d` and copying the secret files : this is the goal)
+* How to update the service itself (usually just changing a tag in the Docker Compose file and an argument in the Dockerfile)
+* How to update the customization of the service : add more environment variables, change configurtion, etc.
+* How to administrate the service (e.g. CLI tool)
+* Warnings about breaking changes (e.g. "you cannot update the database to a major version without doing this or that")
+
+And everything that you find useful.
+
+This README should act as a reference for all administration tasks.
+
+However it should not contain user documentation, nor general advices about how to resolve build errors and so on (this is the job of the CI documentation).
diff --git a/template/clair-whitelist.yml b/template/clair-whitelist.yml
index a9d6ed5bdae04856ade1de9572cbdfee041aa4b9..f03bd1a81d750ab8e56c7d145c370f9e46fc4194 100644
--- a/template/clair-whitelist.yml
+++ b/template/clair-whitelist.yml
@@ -1 +1,4 @@
+# Put all CVE as sub-keys
+# The format is :
+#  CVE-XXX-XXX: <paquet name> -> <reason>
 generalwhitelist:
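Review bot: The format comment added above `generalwhitelist:` says `<paquet name>`, which should read `<package name>`, and the `CVE-XXX-XXX` placeholder does not match the `CVE-YYYY-NNNN` shape of real identifiers. Because every entry under this key suppresses a scanner finding, the comment should also ask for who accepted the risk and when it must be re-checked, for example `#  CVE-YYYY-NNNN: <package name> -> <reason> (accepted by <who>, review by <date>)`. It would help to state that sub-keys must be indented under `generalwhitelist:`, since the key is currently empty and a first-time editor has no example to copy.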
diff --git a/template/docker-compose.yml b/template/docker-compose.yml
index 805860363203e5eac14ff35766f6357916c83876..9853bd9135ab1887158e89607fa455d1747a1415 100644
--- a/template/docker-compose.yml
+++ b/template/docker-compose.yml
@@ -2,16 +2,63 @@ version: "3.7"
 
 volumes:
   # Name of Docker volume
+  # Also use a name so that Docker Compose does not add
+  # the current folder name
   myvolume:
-    external: true
+    name: myvolume
 
 networks:
   # Best pratice : put all services that do not need
   # to be exposed on the Internet in a separate network
-  mynetwork:
+  app:
   # This is the reverse-proxy default network : put all services
   # that need to be served via Traefik in this network
   docker_default:
     external: true
 
 services:
+  # Main application
+  app:
+    # This is the name of the image
+    # which will be built on the registry
+    # Never use latest as a tag
+    image: registry.picasoft.net/<image>:<tag>
+    # Use a comprehensive name for easy
+    # understanding of `docker ps` output
+    container_name: app
+    # If the container has to be reached from
+    # the Internet, put in docker_default
+    # Otherwise, just in its own network
+    networks:
+      - docker_default
+      - app
+    # Don't put the .example extension, the real
+    # file will be a copy with real values
+    env_file:
+      - ./secrets/myservices.secrets
+    # If the service needs to be reachable from the
+    # Internet via HTTPS, enable Traefik and tell
+    # it the base URL of all requests which will be
+    # redirected to this container.
+    # Change the port to the exposed port of the
+    # container.
+    labels:
+      traefik.enable: true
+      traefik.frontend.rule: "Host:app.picasoft.net"
+      traefik.port: 80
+    # This avoid restarting a container on
+    # startup when it has been explicitly stopped
+    restart: unless-stopped
+
+  # Some services have a database : here is an example
+  db:
+    image: registry.picasoft.net/<image>:<tag>
+    container_name: db
+    # Database secrets should be in a separate file
+    env_file:
+      - ./secrets/myservices_db.secrets
+    # The database should NOT be reachable
+    # from the outside : only from the main container
+    networks:
+      - app
+    restart: unless-stopped
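Review bot: In the `labels:` mapping of the `app` service, `traefik.enable: true` and `traefik.port: 80` are parsed by YAML as a boolean and an integer. Compose file validation for this format generally expects label values to be strings, so a boolean here is likely to be rejected or coerced depending on the docker-compose version; quote them as `traefik.enable: "true"` and `traefik.port: "80"`. The same service joins both `docker_default` and `app`, and with these v1-style labels Traefik may pick the container's address on the network it is not attached to, so add `traefik.docker.network: docker_default` to pin it. Since the comment on `db` states it must only be reachable from the main container, consider also declaring the `app` network with `internal: true`, so that the database network has no outbound route either.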