diff --git a/roles/vmagent/defaults/main.yml b/roles/vmagent/defaults/main.yml
index f31a20b..630d01e 100644
--- a/roles/vmagent/defaults/main.yml
+++ b/roles/vmagent/defaults/main.yml
@@ -1,3 +1,8 @@
+vmagent_container_image_name: docker.io/victoriametrics/vmagent
+vmagent_container_image_tag: latest
+
+vmagent_ca_certs: {}
+
 vmagent_remotewrite_url: http://[::1]:8428/api/v1/write
 vmagent_scrape_interval: 1m
diff --git a/roles/vmagent/files/ca-certs/kube-root-ca.crt b/roles/vmagent/files/ca-certs/kube-root-ca.crt
deleted file mode 120000
index 70b6c8f..0000000
--- a/roles/vmagent/files/ca-certs/kube-root-ca.crt
+++ /dev/null
@@ -1 +0,0 @@
-../../../../kube-root-ca.crt
\ No newline at end of file
diff --git a/roles/vmagent/files/vmagent.service b/roles/vmagent/files/vmagent.service
deleted file mode 100644
index 39013b2..0000000
--- a/roles/vmagent/files/vmagent.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Victoria Metrics vmagent
-
-[Service]
-Type=exec
-Environment=httpListenAddr=[::1]:8429
-Environment=loggerDisableTimestamps=true
-EnvironmentFile=-/etc/sysconfig/vmagent
-ExecStart=/usr/bin/vmagent -enableTCP6 -envflag.enable
-User=victoriametrics
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/vmagent/handlers/main.yml b/roles/vmagent/handlers/main.yml
index bbbe825..330dd08 100644
--- a/roles/vmagent/handlers/main.yml
+++ b/roles/vmagent/handlers/main.yml
@@ -8,6 +8,7 @@
 state: restarted
 - name: reload vmagent
- uri:
- url: http://[::1]:8429/-/reload
+ service:
+ name: vmagent
+ state: reloaded
 changed_when: true
diff --git a/roles/vmagent/tasks/deploy.yml b/roles/vmagent/tasks/deploy.yml
index f9c8aa9..9698c7f 100644
--- a/roles/vmagent/tasks/deploy.yml
+++ b/roles/vmagent/tasks/deploy.yml
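Review bot: In roles/vmagent/defaults/main.yml the new default `vmagent_container_image_tag: latest` is a mutable tag, so which vmagent build a host runs depends on when it last pulled, and nothing ties a deployment to a reviewed image. Because the image task in tasks/deploy.yml defaults `pull` to false and the generated unit sets `Pull=never`, a host that already holds a `latest` image also never picks up fixes unless someone overrides the pull variable. I would default to an explicit release tag, e.g. `vmagent_container_image_tag: <pinned-release-tag>` (placeholder, to be filled with the release you have tested), and let operators opt into `latest` deliberately.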
@@ -1,13 +1,27 @@
-- name: ensure victoria metrics user exists
- user:
- name: victoriametrics
- system: true
- home: /var/lib/victoria-metrics
- createhome: false
- shell: /sbin/nologin
+- name: ensure vmagent container image is present
+ podman_image:
+ name: '{{ vmagent_container_image_name }}'
+ tag: '{{ vmagent_container_image_tag }}'
 state: present
+ pull: '{{ vmagent_pull_image|d(false)|bool }}'
+ notify:
+ - restart vmagent
 tags:
- - user
+ - container-image
+
+- name: ensure vmagent system container is configured
+ template:
+ src: vmagent.container.j2
+ dest: /etc/containers/systemd/vmagent.container
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ - restart vmagent
+ tags:
+ - container
+ - systemd
 - name: ensure /etc/sysconfig directory exists
 file:
@@ -48,20 +62,21 @@
 - name: ensure additional ca certificates are installed
 copy:
- src: '{{ item }}'
- dest: /etc/victoria-metrics/{{ item | basename }}
+ content: '{{ item.1 }}'
+ dest: /etc/victoria-metrics/{{ item.0 }}.crt
 mode: u=rw,go=r
 owner: root
 group: root
- with_fileglob:
- - ca-certs/{{ inventory_hostname }}/*.crt
- - ca-certs/*.crt
+ loop: '{{ vmagent_ca_certs|dictsort }}'
 notify:
 - reload vmagent
 tags:
 - cert
 - scrape-config
+- name: flush handlers
+ meta: flush_handlers
+
 - name: ensure vmagent starts at boot
 service:
 name: vmagent
diff --git a/roles/vmagent/tasks/install.yml b/roles/vmagent/tasks/install.yml
index d97e530..e1350c1 100644
--- a/roles/vmagent/tasks/install.yml
+++ b/roles/vmagent/tasks/install.yml
@@ -1,11 +1,4 @@
-- name: ensure vmagent systemd unit is installed
- copy:
- src: vmagent.service
- dest: /etc/systemd/system/vmagent.service
- mode: '0644'
- notify:
- - reload systemd
- - restart vmagent
- tags:
- - service
- - systemd
+- name: ensure podman is installed
+ package:
+ name: podman
+ state: present
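Review bot: In the first hunk of roles/vmagent/tasks/deploy.yml, `pull: '{{ vmagent_pull_image|d(false)|bool }}'` reads a variable that the defaults hunk of this commit does not declare, so the switch is undiscoverable and its default lives inline in the task. With that default of false and `Pull=never` in the generated unit, a host that has never fetched the image presumably cannot obtain it unless the operator knows to pass this variable; that is worth confirming on a fresh machine. I would declare `vmagent_pull_image: false` in roles/vmagent/defaults/main.yml with a comment saying when to set it, and drop the `|d(false)` here.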
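Review bot: In the second hunk of roles/vmagent/tasks/deploy.yml, `dest: /etc/victoria-metrics/{{ item.0 }}.crt` builds a root-written path from the dictionary key, and the `| basename` filter the old line applied is gone, so a key containing `/` or `..` would land outside /etc/victoria-metrics. The keys come from inventory, so this is a hardening point rather than an exposure, but keeping the filter costs nothing: `dest: /etc/victoria-metrics/{{ item.0 | basename }}.crt`. Certificates that the removed `with_fileglob` installed under other names are also not cleaned up by this task and stay in the directory that is bind-mounted into the container. The task's opening and closing lines are unchanged context.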
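Review bot: `state: present` in roles/vmagent/tasks/install.yml accepts whatever podman the distribution ships, but the role now depends on the Quadlet generator to turn /etc/containers/systemd/vmagent.container into vmagent.service. On a podman without Quadlet (it arrived in 4.4, as far as I know), or one that rejects a key the template uses, no unit is generated and the failure only surfaces later as a missing service in the `restart vmagent` handler. A comment above the task naming the minimum podman version the template was tested with, or an assertion on the installed version before the deploy tasks run, would make that failure obvious.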
diff --git a/roles/vmagent/templates/vmagent.container.j2 b/roles/vmagent/templates/vmagent.container.j2
new file mode 100644
index 0000000..89c0943
--- /dev/null
+++ b/roles/vmagent/templates/vmagent.container.j2
@@ -0,0 +1,26 @@
+[Unit]
+Description=Victoria Metrics vmagent
+After=network.target
+Wants=network.target
+
+[Container]
+Image={{ vmagent_container_image_name }}:{{ vmagent_container_image_tag }}
+Pull=never
+Exec=-enableTCP6 -envflag.enable
+Environment=loggerDisableTimestamps=true
+EnvironmentFile=/etc/sysconfig/vmagent
+Mount=type=bind,source=/etc/victoria-metrics,target=/etc/victoria-metrics,readonly=true
+Mount=type=bind,source=/var/lib/victoria-metrics,target=/var/lib/victoria-metrics,chown=true,relabel=shared
+WorkingDir=/var/lib/victoria-metrics/vmagent
+ReadOnly=yes
+ReadOnlyTmpfs=yes
+NoNewPrivileges=yes
+User=212
+Group=212
+Network=host
+
+[Service]
+Restart=always
+RestartSec=1s
+ExecReload=/usr/bin/podman kill --cidfile=%t/%N.cid -s HUP
+StateDirectory=victoria-metrics victoria-metrics/vmagent
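Review bot: The `[Container]` section does not carry over `Environment=httpListenAddr=[::1]:8429` from the deleted vmagent.service, and with `Network=host` the process listens directly in the host network namespace. Unless /etc/sysconfig/vmagent sets it (that file is not part of this diff), vmagent falls back to its default listen address, which as far as I know is `:8429` on all interfaces, so the targets, reload and metrics endpoints become reachable beyond loopback. I would keep the line, `Environment=httpListenAddr=[::1]:8429`, next to `loggerDisableTimestamps`. Separately, `User=212`/`Group=212` replace the named `victoriametrics` account with a bare number and deserve a template comment saying where that id comes from, and `DropCapability=all` would fit the existing `NoNewPrivileges`/`ReadOnly` hardening.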