diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 225cfdcedea04eda8ccd9bf33e03973643d06c58..a6ae8c2c520b7c0bf8b33e806662de2a11dcb0ef 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -15,6 +15,7 @@ build_and_tag_image:
       --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
       --build-arg "VERSION=${CI_COMMIT_TAG}"
       --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}"
+    - cp /canary/gocanary $CI_PROJECT_DIR/
   rules:
     - if: $CI_COMMIT_TAG
   artifacts:
diff --git a/README.md b/README.md
index 9fb9694188da3384d742f7c41f5d7e93fcd85838..d0cfd2e5b6c932252708f17a1eb7f009c562c06b 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ The yaml is pretty simple and containts a sequence of canaries with the current
 
 `key` should be unique and will be part of the canary that will be exposed to the potential attackers.
 
-`tag` and `level` are metadata that are included in all the alerts. 
+`tag` and `level` are metadata that are included in all the alerts.
 
 `type` limits the interactions triggering alert for that token.
 
@@ -38,7 +38,7 @@ The alert specifies the different alert sinks. Gocanary implements three sinks:
 
 - slack: uses a webhook to send the alert using the slack/mattermost format
 - log: prints to stdout or logfile
-- syslog: send the alert to syslog 
+- syslog: send the alert to syslog
 
 The alert content depends on the interaction trigger and contains both information of the token and the triggering source and system. 
 
@@ -64,31 +64,52 @@ Gocanary is a single binary that accepts command line options. Gocanary also rea
 It is intended to be run as `root` (to be able to bind to default DNS and WEB ports) and will drop privileges to `nobody` and sandbox file access using landlock (https://docs.kernel.org/userspace-api/landlock.html)
 Alternatively can be run as nonroot and changing the different ports, and then using iptables/nftables to redirect traffic to it.
 
+All configuration options can be defined in config.yaml. Example:
+
+```bash
+$ cat config.yaml
+slack-hook: 'http://127.0.0.1/example'
+```
+
 For generating a self-signed certificate:
 ```bash
 openssl req -new -newkey rsa:4096 -days 3650 -nodes -keyout cert.key -out cert.pem  -x509 -subj "/C=CH/ST=GE/L=Geneva/O=CERN/CN=localhost.cern.ch"
 ```
 
-
+All options:
 
 ```
+gocanary is a honeytoken/canary collector daemon that listens for http/https/dns requests.
+Alerts will be generated when a predefined haystack is detected.
+
 Usage:
   gocanary [flags]
 
 Flags:
-  -b, --bind-address string      Ip address to bind servers to
-  -c, --canary-file string       File where canaries are defined (default "canary.yaml")
-      --dns-answer-with string   IP address to give as an answer to all DNS request, if empty NXDOMAIN
-      --dns-not-answer           Do not answer with any response
-      --domain stringArray       Only respond to this domain (can be specified multiple times)
-      --enable-dns               Enable DNS listeners (tcp and udp) (default true)
-      --enable-http              Enable HTTP listener (default true)
-      --enable-https             Enable HTTPS listener
-  -h, --help                     help for gocanary
-      --http-port uint16         Port for http server (default 80)
-      --https-cert string        File contained the certificate in PEM format (default "cert.pem")
-      --https-key string         File contained the certificate key in PEM format (default "cert.key")
-      --https-port uint16        Port for https server (default 443)
-  -s, --slack-hook string        Webhook for alerts
-      --slack-silence uint16     Wait this many seconds between each slack alert (default 1)
+      --autocert-domain stringArray   Enable let's encrypt autocertificate (can be specified multiple times), this will ignore https-cert and http-key options
+  -b, --bind-address string           Ip address to bind servers to
+      --cache-dir string              Writable directory for holding up autocertificates (default "./cache")
+  -c, --canary-file string            File where canaries are defined (default "canary.yaml")
+      --dns-answer-with string        IP address to give as an answer to all DNS request, if empty NXDOMAIN
+      --dns-not-answer                Do not answer with any response
+      --domain stringArray            Only respond to this domain (can be specified multiple times)
+      --enable-dns                    Enable DNS listeners (tcp and udp) (default true)
+      --enable-hardening              Enable hardening measures (default true)
+      --enable-http                   Enable HTTP listener (default true)
+      --enable-https                  Enable HTTPS listener
+      --enable-syslog                 Enable logging to syslog
+  -h, --help                          help for gocanary
+      --http-port uint16              Port for http server (default 80)
+      --https-cert string             File contained the certificate in PEM format (default "cert.pem")
+      --https-key string              File contained the certificate key in PEM format (default "cert.key")
+      --https-port uint16             Port for https server (default 443)
+  -s, --slack-hook string             Webhook for alerts
+      --slack-silence uint16          Wait this many seconds between each slack alert (default 1)
 ```
+
+The easiest way to run this is with docker compose.
+
+The leanest way is to download the gocanary artifact and then use the `docker-compose-inline.yml`
+The most compatible way to run is using the `docker-compose-with-build.yml`, which will compile and run the project.
+
+In all cases the compose file will need to be edited to at least bind only the public IPs and also to specify certificate options when using https support.