diff --git a/Dockerfile b/Dockerfile
index 705fab6..4b96f54 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,7 @@
-FROM alpine:3.13
+FROM alpine:3.14
 RUN apk update
 RUN apk add certbot
+
+COPY entrypoint.sh /
+CMD ["/entrypoint.sh"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f8c9369
--- /dev/null
+++ b/README.md
@@ -0,0 +1,29 @@
+## ungleich-certbot
+
+This container is made for getting **real world** certificates
+for your kubernetes cluster.
+
+The assumption is that you can point the DNS name to the container
+from outside. This is by default given for **IPv6 only kubernetes
+services**.
+
+
+## Usage
+
+* Set the environment variable DOMAIN to specify the domain for which
+ to get a certificate
+* Set the environment variable EMAIL (this is where letsencrypt sends
+ warnings to)
+* Set the environment variable STAGING to "no" if you want to have
+ proper certificates - this is to prevent you from asking the real
+ letsencrypt service accidently by default
+* ungleich-certbot gets your certificate
+
+## Volumes
+
+If you want to keep / use your certificates, you are advised to create
+a volume below /etc/letsencrypt.
+
+## Kubernetes
+
+Sample kubernetes usage: (TBD)
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..1d48ad3
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ -z "$DOMAIN" -o -z "$EMAIL" ]; then
+ echo Missing DOMAIN or EMAIL parameter - aborting. >&2
+ exit 1
+fi
+
+if [ "$STAGING" = no ]; then
+ STAGING=""
+else
+ STAGING="--staging"
+fi
+
+certbot certonly --agree-tos --cert-name "${DOMAIN}" \
+ --email "$EMAIL" --expand --non-interactive \
+ --domain "$DOMAIN" --standalone $STAGING
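Review bot: The new `CMD ["/entrypoint.sh"]` in the Dockerfile runs certbot as root, because no `USER` instruction appears in the lines this hunk shows. The process listens for inbound HTTP validation traffic (`--standalone`) and keeps the account and certificate private keys under /etc/letsencrypt, so either a comment such as `# runs as root: certbot --standalone binds port 80 and writes /etc/letsencrypt` or a dedicated user combined with certbot's `--http-01-port` on an unprivileged port would be worth adding. Separately, `COPY entrypoint.sh /` relies on the executable bit surviving in the build context; `COPY --chmod=0755 entrypoint.sh /` (BuildKit) makes that explicit.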
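Review bot: The final `certbot certonly …` call in entrypoint.sh is started as a child of the shell, so /bin/sh remains PID 1 and a stop signal from the container runtime does not reach certbot; starting the line with `exec` (`exec certbot certonly --agree-tos --cert-name "${DOMAIN}" \`) lets certbot replace the shell. The guard `[ -z "$DOMAIN" -o -z "$EMAIL" ]` uses the `-o` operator that POSIX marks obsolescent, and `if [ -z "$DOMAIN" ] || [ -z "$EMAIL" ]; then` is the unambiguous form. A one-line comment above the STAGING block, for example `# any value other than the literal "no" keeps --staging (fail-safe default)`, would document why `$STAGING` is left unquoted on the last line.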