diff --git a/system/nixos/arion.nix b/system/nixos/arion.nix
index 337e09d..5eb4936 100644
--- a/system/nixos/arion.nix
+++ b/system/nixos/arion.nix
@@ -10,23 +10,51 @@
 podman = {
 enable = true;
- dockerSocket.enable = true;
+ defaultNetwork.settings.dns_enabled = true;
+
+ dockerSocket.enable = true;
+ dockerCompat = true;
+
+ autoPrune = {
+ enable = true;
+ dates = "weekly";
+ };
 };
- containers.containersConf.cniPlugins = with pkgs; [
- cni-plugins
- dnsname-cni
- ];
+ # containers.containersConf.cniPlugins = with pkgs; [
+ # cni-plugins
+ # dnsname-cni
+ # ];
- oci-containers.backend = "podman";
+ oci-containers = {
+ backend = "podman";
+
+ containers.watchtower = {
+ image = "ghcr.io/containrrr/watchtower:latest";
+ environment = {
+ WATCHTOWER_POLL_INTERVAL = "21600";
+ WATCHTOWER_LABEL_ENABLE = "true";
+ WATCHTOWER_NOTIFICATIONS = "shoutrrr";
+ WATCHTOWER_NOTIFICATIONS_HOSTNAME = config.networking.hostName;
+ WATCHTOWER_NOTIFICATION_URL = secret.watchtower.ntfyUrl;
+ };
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ extraOptions = [
+ "--label=com.centurylinklabs.watchtower.enable=true"
+ ];
+ };
+ };
 arion = {
 backend = "podman-socket";
 };
 };
- networking.firewall.interfaces."podman1".allowedUDPPorts = [ 53 ];
- networking.firewall.interfaces."podman2".allowedUDPPorts = [ 53 ];
- networking.firewall.interfaces."podman3".allowedUDPPorts = [ 53 ];
+ networking.firewall.interfaces."podman+" = {
+ allowedUDPPorts = [ 53 ];
+ allowedTCPPorts = [ 53 ];
+ };
 }
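Review bot: `WATCHTOWER_NOTIFICATION_URL = secret.watchtower.ntfyUrl;` places a value that usually embeds the ntfy topic or access token into `oci-containers.containers.watchtower.environment`, and as far as I can tell NixOS renders that attrset as `--env` flags on the `podman run` line of the generated systemd unit, so the secret ends up in the world-readable Nix store and is likely visible via `ps` and `podman inspect`; the `secret` binding itself is defined outside this hunk. Prefer a runtime-only file, e.g. `environmentFiles = [ "/run/secrets/watchtower.env" ];` provisioned by whatever supplies `secret`, and drop the URL from `environment`. Separately, the container that is handed `/var/run/docker.sock` (root-equivalent control of the host runtime) is pulled from the mutable `:latest` tag and labels itself for self-update, so a bad or compromised upstream push is applied automatically; pin `image` to a release tag with an `@sha256:` digest, e.g. `image = "ghcr.io/containrrr/watchtower:<release>@sha256:<digest>";`. A one-line comment above the `volumes` entry noting that the socket grants full host-runtime control would also help the next reader understand why the image must be pinned.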