parameter `--template-driver` and specify `golang` as template engine.
```console
$ docker config create --template-driver golang homepage index.html.tmpl
```
3. Create a service that runs Nginx and has access to the environment variable
HELLO and to the config.
```console
$ docker service create \
--name hello-template \
--env HELLO="Docker" \
--config source=homepage,target=/usr/share/nginx/html/index.html \
--publish published=3000,target=80 \
nginx:alpine
```
4. Verify that the service is operational: you can reach the Nginx server, and
that the correct output is being served.
```console
$ curl http://0.0.0.0:3000
<html lang="en">
<head><title>Hello Docker</title></head>
<body>
<p>Hello Docker! I'm service hello-template.</p>
</body>
</html>
```
### Advanced example: Use configs with a Nginx service
This example is divided into two parts.
[The first part](#generate-the-site-certificate) is all about generating
the site certificate and does not directly involve Docker configs at all, but
it sets up [the second part](#configure-the-nginx-container), where you store
and use the site certificate as a series of secrets and the Nginx configuration
as a config. The example shows how to set options on the config, such as the
target location within the container and the file permissions (`mode`).
#### Generate the site certificate
Generate a root CA and TLS certificate and key for your site. For production
sites, you may want to use a service such as `Let’s Encrypt` to generate the
TLS certificate and key, but this example uses command-line tools. This step
is a little complicated, but is only a set-up step so that you have
something to store as a Docker secret. If you want to skip these sub-steps,
you can [use Let's Encrypt](https://letsencrypt.org/getting-started/) to
generate the site key and certificate, name the files `site.key` and
`site.crt`, and skip to
[Configure the Nginx container](#configure-the-nginx-container).
1. Generate a root key.
```console
$ openssl genrsa -out "root-ca.key" 4096
```
2. Generate a CSR using the root key.
```console
$ openssl req \
-new -key "root-ca.key" \
-out "root-ca.csr" -sha256 \
-subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=Swarm Secret Example CA'
```
3. Configure the root CA. Edit a new file called `root-ca.cnf` and paste
the following contents into it. This constrains the root CA to only sign
leaf certificates and not intermediate CAs.
```none
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign
subjectKeyIdentifier=hash
```
4. Sign the certificate.
```console
$ openssl x509 -req -days 3650 -in "root-ca.csr" \
-signkey "root-ca.key" -sha256 -out "root-ca.crt" \
-extfile "root-ca.cnf" -extensions \
root_ca
```
5. Generate the site key.
```console
$ openssl genrsa -out "site.key" 4096
```
6. Generate the site certificate and sign it with the site key.
```console
$ openssl req -new -key "site.key" -out "site.csr" -sha256 \
-subj '/C=US/ST=CA/L=San Francisco/O=Docker/CN=localhost'
```
7. Configure the site certificate. Edit a new file called `site.cnf` and
paste the following contents into it. This constrains the site
certificate so that it can only be used to authenticate a server and
can't be used to sign certificates.
```none
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier=hash
```
8. Sign the site certificate.
```console
$ openssl x509 -req -days 750 -in "site.csr" -sha256 \