{
  containers.portainer = {
    autoStart = true;
    privateNetwork = true;

    config = { pkgs, ... }: {
      services.docker.enable = true;

      systemd.services.portainer = {
        description = "Portainer Container Manager";
        after = [ "docker.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = ''
            ${pkgs.docker}/bin/docker run \
              -d \
              --name portainer \
              -p 9000:9000 \
              -p 9443:9443 \
              -v /var/run/docker.sock:/var/run/docker.sock \
              -v portainer_data:/data \
              portainer/portainer-ce:latest
          '';
          ExecStop = "${pkgs.docker}/bin/docker stop portainer";
          Restart = "unless-stopped";
        };
      };

      networking.firewall.allowedTCPPorts = [ 9000 9443 ];
    };
  };
}