diff --git a/README.md b/README.md
index 8f9500e829779b23e5bf1440fa0a8b2a2b3b63ad..75ed43c58f1d40b4a6b1264a1526657ab5544da6 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,14 @@ cookiecutter https://git.astron.nl/templates/python-binary-wheel-package.git
 # Next follow a set of prompts (such as the name and description of the package)
 ```
 
+## Gitlab security, secrets and role configuration
+
+When using these templates for a repository on git.astron.nl please read the following
+pages to configure Gitlab appropriately:
+
+1. [Gitlab Repository Configuration](https://git.astron.nl/groups/templates/-/wikis/Gitlab-Repository-Configuration)
+2. [Continuous delivery guideline](https://git.astron.nl/groups/templates/-/wikis/Continuous%20Delivery%20Guideline)
+
 ## License
 
 This project is licensed under the Apache License Version 2.0
\ No newline at end of file
diff --git a/{{cookiecutter.project_slug}}/.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
index ba8a52e73feea3d0219981bbb304116a9882cb7a..37ce832504697454598b5f6033e3d6d10932bd7d 100644
--- a/{{cookiecutter.project_slug}}/.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
@@ -108,8 +108,7 @@ package_files:
 paths:
 - dist/*
 script:
-# - curl -sSL https://get.docker.com/ | sh
-# - python -m pip install cibuildwheel==2.13.1 cookiecutter
+ - source scripts/setup-docker-host.sh
 - cibuildwheel --platform linux --output-dir dist
 
 package_docs:
@@ -156,6 +155,7 @@ publish_on_test_pypi:
 when: manual
 rules:
 - if: $CI_COMMIT_TAG
+ allow_failure: true
 script:
 - echo "run twine for test pypi"
 # - |
@@ -164,6 +164,7 @@ publish_on_test_pypi:
 # TODO: replace URL with a pipy URL
 # python -m twine upload \
 # --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+ - exit 1
 
 publish_on_pypi:
 stage: publish
@@ -173,6 +174,7 @@ publish_on_pypi:
 when: manual
 rules:
 - if: $CI_COMMIT_TAG
+ allow_failure: true
 script:
 - echo "run twine for pypi"
 # - |
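Review bot: The added `source scripts/setup-docker-host.sh` line relies on the job shell being bash; `source` is not POSIX and the script itself declares `#!/bin/sh`, so on a runner whose shell is plain `sh` the line fails before cibuildwheel runs. The POSIX form `- . scripts/setup-docker-host.sh` works in both shells and still exports DOCKER_HOST into the job environment. The job's `image`/`services` keys are outside this hunk, so whether a Docker daemon is actually reachable at the address the script picks cannot be judged here.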
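Review bot: The rule on the context line `- if: $CI_COMMIT_TAG` lets this publish job run for any tag, while `release_job` later in the same file gates on `'$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'`; a job that will consume a PyPI token should be at least as strict as the release step. Change the rule to `- if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'` so a tag on an unprotected ref cannot trigger an upload, and keep the token as a protected, masked CI variable so it is not exposed to such pipelines anyway. The same applies to `publish_on_pypi`.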
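Review bot: The bare `- exit 1` appended after the commented-out twine block gives no hint why the job failed when someone triggers it manually, and the echo just before it claims the upload is running. Replace the pair with `- echo "publish_on_test_pypi is a stub: twine upload not enabled yet" >&2` followed by `- exit 1` so the manual trigger reports a clear reason. With `allow_failure: true` on this job the failure is non-blocking, which is fine for a stub but must be revisited when the upload is enabled.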
@@ -181,6 +183,7 @@ publish_on_pypi:
 # TODO: replace URL with a pipy URL
 # python -m twine upload \
 # --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+ - exit 1
 
 publish_to_readthedocs:
 stage: publish
@@ -194,3 +197,14 @@ publish_to_readthedocs:
 script:
 - echo "scp docs/* ???"
 - exit 1
+
+release_job:
+ stage: publish
+ image: registry.gitlab.com/gitlab-org/release-cli:latest
+ rules:
+ - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
+ script:
+ - echo "running release_job"
+ release:
+ tag_name: '$CI_COMMIT_TAG'
+ description: '$CI_COMMIT_TAG'
diff --git a/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
index e531b6dfa16369347e85f91c5587fb8ed1607074..3e48a271564faec892e42aab9f947d946ecc4d7b 100644
--- a/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
@@ -3,9 +3,9 @@ stages:
 
 build_ci_runner_image:
 stage: build
- image: docker:stable
- services:
- - docker:dind
+ image: docker
+ tags:
+ - dind
 script:
 - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
 - |
diff --git a/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile b/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
index 54b2c9c4fe345ccda7c44daee6c754f52358cfac..e9aa9c7f7d25b9847af3a2df5b708f084bd6bd5d 100644
--- a/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
+++ b/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
@@ -2,3 +2,4 @@ FROM python:3.11
 
 RUN python -m pip install --upgrade pip
 RUN pip install --upgrade tox twine cibuildwheel==2.13.1
+RUN curl -sSL https://get.docker.com/ | sh
diff --git a/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh b/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
new file mode 100755
index 0000000000000000000000000000000000000000..c535da08985c97b358adec2ecaf0f1979a80e1db
--- /dev/null
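Review bot: `allow_failure: true` is added to `publish_on_pypi` to tolerate the `exit 1` stub, but nothing marks it as temporary; once the commented `twine upload` is enabled, a failed upload to PyPI would still leave the pipeline green. Add a comment next to it, `# TODO: drop allow_failure once the twine upload below is enabled; a failed publish must fail the pipeline`, so the flag does not outlive the stub. The job's `script` continues past this hunk.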
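Review bot: `image: registry.gitlab.com/gitlab-org/release-cli:latest` floats with whatever is pushed to that tag, so the step that creates a release for every protected tag can change behaviour, or be swapped out upstream, without any change in this repository. Pin it to a specific version tag, or better an `@sha256:…` digest, and bump deliberately. The rule `'$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'` is the right gate; `description: '$CI_COMMIT_TAG'` only repeats the tag name, so consider pointing it at a changelog entry if the project keeps one.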
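Review bot: Replacing `services: docker:dind` with `tags: - dind` means the image build now depends on a runner tagged `dind` that already provides a Docker daemon, rather than a job-private dind service; how that daemon is exposed is not visible here, but if it is the runner host's own socket then `docker login` and the build run with root-equivalent access to that host, which deserves a comment next to the tag. `image: docker` is also unpinned (the old `docker:stable` was at least a named channel); pin a version tag or digest. On the context line, `docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD` puts the token on the command line; `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` avoids that.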
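Review bot: `RUN curl -sSL https://get.docker.com/ | sh` runs an unpinned remote script as root while building the CI runner image, so the image contents depend on whatever that URL serves at build time, and `-sS` without `-f` would pipe an HTTP error body into `sh`. At minimum use `curl -fsSL`; better, install a pinned `docker-ce-cli` package from Docker's apt repository, since the image appears to need only the client (the CI script points it at a daemon via DOCKER_HOST), which fixes the version and keeps the image smaller. The `pip install --upgrade tox twine` context line is unpinned in the same way.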
+++ b/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+_should_tls() {
+ [ -n "${DOCKER_TLS_CERTDIR:-}" ] \
+ && [ -s "$DOCKER_TLS_CERTDIR/client/ca.pem" ] \
+ && [ -s "$DOCKER_TLS_CERTDIR/client/cert.pem" ] \
+ && [ -s "$DOCKER_TLS_CERTDIR/client/key.pem" ]
+}
+
+# if we have no DOCKER_HOST but we do have the default Unix socket (standard or rootless), use it explicitly
+if [ -z "${DOCKER_HOST:-}" ] && [ -S /var/run/docker.sock ]; then
+ export DOCKER_HOST=unix:///var/run/docker.sock
+elif [ -z "${DOCKER_HOST:-}" ] && XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" && [ -S "$XDG_RUNTIME_DIR/docker.sock" ]; then
+ export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
+fi
+
+# if DOCKER_HOST isn't set (no custom setting, no default socket), let's set it to a sane remote value
+if [ -z "${DOCKER_HOST:-}" ]; then
+ if _should_tls || [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
+ export DOCKER_HOST='tcp://docker:2376'
+ else
+ export DOCKER_HOST='tcp://docker:2375'
+ fi
+fi
+if [ "${DOCKER_HOST#tcp:}" != "$DOCKER_HOST" ] \
+ && [ -z "${DOCKER_TLS_VERIFY:-}" ] \
+ && [ -z "${DOCKER_CERT_PATH:-}" ] \
+ && _should_tls \
+; then
+ export DOCKER_TLS_VERIFY=1
+ export DOCKER_CERT_PATH="$DOCKER_TLS_CERTDIR/client"
+fi
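Review bot: When no socket is found and no TLS material is present, the fallback branch exports `DOCKER_HOST='tcp://docker:2375'`, an unauthenticated plaintext Docker API endpoint; anything that can reach it controls the daemon, and the job gives no sign that TLS was skipped. Since the file is sourced by the CI job, refusing is cheap: replace the `else` branch with `echo "setup-docker-host: no TLS client certs under DOCKER_TLS_CERTDIR; refusing plaintext tcp://docker:2375" >&2` and `return 1`, or at least print that warning before exporting. A one-line header comment stating that the script must be sourced (it only exports variables into the caller's shell) would also help, because `#!/bin/sh` and the executable mode suggest it can be run standalone, where the exports would be lost.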