diff --git a/.gitignore b/.gitignore
index 1232ddb..00cff3b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ arena/r*
 gonito-*.tar.gz
 stack.yaml.lock
 .env
+certs/
diff --git a/README.md b/README.md
index 2ba21e5..fddc762 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,8 @@ See the home page (and an instance of Gonito) at https://gonito.net .
 Installation
 ------------
+## For development
+
 [Gonito](https://gonito.net) is written in [Haskell](https://www.haskell.org) and uses [Yesod Web Framework](http://www.yesodweb.com/), but all you need is just [the Stack tool](https://github.com/commercialhaskell/stack). See https://github.com/commercialhaskell/stack
@@ -39,6 +41,33 @@ After installing Stack:
 The last command will start the Web server with Gonito (go to http://127.0.0.1:3000 in your browser).
+## With docker-compose
+
+The easiest way to run Gonito is with docker-compose.
+
+ git clone https://gitlab.com/filipg/gonito
+ cd gonito
+ cp sample.env .env
+ # now you need to edit .env manually,
+ # in particular, you need to set up the administrator's
+ # password and paths to volumes for the volumes,
+ # cloned data ("arena"), certificates and SSH data;
+ # also you need to set up your certificate
+ # here is an easy way to do it just for local
+ # testing
+ mkdir certs
+ cd certs
+ # generating certificates for HTTPS, remember to
+ # set the `NGINX_CERTIFICATE_DIR` variable in `.env`
+ # so that it would point to `certs` here
+ openssl req -x509 -newkey rsa:4096 -keyout privkey.pem -out fullchain.pem -days 365 -nodes
+ cd ..
+ docker-compose up
+
+Gonito will be available at . Of course, your
+browser will complain about "Potential Security Risk" as these are
+local certificates.
+
 Gonito & git
 ------------
diff --git a/config/settings.yml b/config/settings.yml
index e967a79..1aacbfc 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -66,7 +66,7 @@ location: "_env:LOCATION:"
 #
 # https:///auth/realms//protocol/openid-connect/certs
 #
-# (key/0 element).
+# (key/0 element, not the whole JSON!).
 #
 # Note: at the moment, only RS256 is handled.
 json-web-key: "_env:JSON_WEB_KEY"
diff --git a/sample.env b/sample.env
index e6cf5c9..54f8ad7 100644
--- a/sample.env
+++ b/sample.env
@@ -11,4 +11,14 @@ NGINX_CERTIFICATE_DIR=/home/user/certs
 GONITO_IS_PUBLIC=true
 GONITO_SSH_DIRECTORY=/home/user/.ssh
 GONITO_VIEWING_PROGRESS_STYLE=with-web-sockets
+
+# JWK key
+#
+# If you use Keycloak, it can be retrived via:
+#
+# https:///auth/realms//protocol/openid-connect/certs
+#
+# (key/0 element, not the whole JSON!).
+#
+# Note: at the moment, only RS256 is handled.
 JSON_WEB_KEY={"kty":"RSA", "alg":"RS256", "use":"sig", "kid":"h01jmt_bD-1Di8i_GYbEV2a4NxhptzySHO-R8VuNHVA", "e":"AQAB", "n": "qG1elE6KPW3BYMxNpgK73MoksvbrUSfpRY4z9hU5iMsJREyD5Ar6XpjM1xAr6G7xglnOoumPC9o6FqhDHihm6QdJ5s5MA9ZyGkbi--kvy9Qc2d_VIGU-UR4vwyk3hAwXOFLhoknpQrJBJmMQvGFdas1Yr-m9EIWwT1zN7neHZkRUYZSVyQw_XghtMIWAUsLnhr6mM7nstHLafgxe5Qamzuc4K5EC_qipFXu4ugYkMDnaknlhkT43m7tcduVDnv5GV_4dBesF7FRII8tgUQWyw3Ty_FIoq43SInUPU_9cxA-qPGQz5C50th2aJl1z1snpLWS_1Zfsa8lnFsMj8_oh6w"}
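Review bot: The comment block added above `JSON_WEB_KEY` in sample.env says where a key can be fetched but never states that the value shipped on the next line is only a sample, while the README steps in this same commit start with `cp sample.env .env`. If Gonito verifies RS256 tokens against this key, as the `json-web-key` setting in config/settings.yml suggests, an instance started from an unedited `.env` would accept tokens signed by whoever holds the matching private key. I would add a line such as `# The value below is a sample: replace it with your own identity provider's key before deploying.` and consider shipping the variable empty so that a forgotten edit fails closed. In the same comment, `retrived` should read `retrieved`.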