diff --git a/README.md b/README.md new file mode 100644 index 0000000..4df45be --- /dev/null +++ b/README.md 
@@ -0,0 +1,41 @@ +# Debian-focused flexible service management + +## Who is this for? + +* Anyone who needs to maintain network services... +* ... that favors Debian as a basis ... +* ... and does not want to trust random opaque containers from strangers. + +## What does this provide? + +* A set of packaged services, all made with simple Dockerfiles, all based on Debian. +* A small set of tools to ensure services are up-to-date, see features +* `run_and_output_only_on_error.sh` a simple script that runs anything, capturing its output. If the thing went fine (return status zero), the output is deleted, else the output is propagated. This is meant to be (and is) used in `crontab` entries, to ensure the admin receives e-mails when things go wrong, but are not over-notified daily by as many e-mails as there are tasks. + +## Features + +### No root needed + +None of this needs root permission. + +* For example, `podman` can build `Dockerfile`s and run containers from them purely as user. +* Optionally, a dedicated user can be created. + +### Live check + +* Any directory prodiving a service provides a live check. +* `monitoring_check_all_once.sh` checks at once each service and report status. +* `monitoring__crontask_install.sh` sets up a user-level crontab entry to perform the live check once a day -- and alert root on failure + +### Always up-to-date w.r.t. 
Debian + +Whenever applicable Debian packages are updated, containers are rebuilt: + +* `containers_check_update_rebuild_switch.sh` walks all currently running containers, does `apt-get upgrade -y --dry-run` inside, and if apt reports that some package needs an update, rebuilds the container and replaces it +* `containers_check_update_rebuild_switch__crontask_install.sh` sets up a user-level crontab entry to perform the check-update-and-rebuild-if-needed once a day -- and alert root when something happens (the only and common case when root has no mail is when container is confirmed up-to-date) + +### Run containers as relevant on current machine + +* `build_and_up_all_containers.sh` -> Currently runs all containers on local machine. TODO replace using some configuration, per host name. + +* `ensure_infra_user_exists.sh` ensures a `fsginfra` user exists on the machine, dedicated to infrastructure maintenance.
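Review bot: In the "Always up-to-date w.r.t. Debian" section, the description of `containers_check_update_rebuild_switch.sh` mentions only `apt-get upgrade -y --dry-run` inside the container and does not say whether the package index is refreshed first. Without a preceding `apt-get update`, the dry run compares against whatever package lists the image already holds and can report nothing to upgrade while fixes are pending, so please document the refresh step, or add it if it is missing. The same section treats an empty root mailbox as "confirmed up-to-date", which looks the same as a cron task or mail delivery that has stopped working; consider documenting a way to confirm the task actually ran. Under "No root needed", the statement "None of this needs root permission" sits awkwardly next to `ensure_infra_user_exists.sh`, since creating the `fsginfra` user normally requires root; state which steps are the exception. Minor: "prodiving" should be "providing", and the "see features" bullet trails off without a link or anchor.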