diff --git a/hosts b/hosts
index fd6b5fe..982b023 100644
--- a/hosts
+++ b/hosts
@@ -227,6 +227,11 @@ vps
 [unifi]
+[unifi-test]
+
+[unifi:children]
+unifi-test
+
 [vm-hosts]
 vmhost0.pyrocufflink.blue
 vmhost1.pyrocufflink.blue
diff --git a/roles/unifi/defaults/main.yml b/roles/unifi/defaults/main.yml
index 4336ec6..ecfc0a9 100644
--- a/roles/unifi/defaults/main.yml
+++ b/roles/unifi/defaults/main.yml
@@ -1,5 +1,5 @@
 unifi_version: latest
-unifi_container_image: lscr.io/linuxserver/unifi-controller
+unifi_container_image: git.pyrocufflink.net/containerimages/unifi
 unifi_storage_path: /var/lib/unifi
 unifi_exporter_container_image: docker.io/jessestuart/unifi_exporter
diff --git a/roles/unifi/tasks/deploy.yml b/roles/unifi/tasks/deploy.yml
index 64e7f7d..e93c8f1 100644
--- a/roles/unifi/tasks/deploy.yml
+++ b/roles/unifi/tasks/deploy.yml
@@ -1,48 +1,3 @@
-- name: ensure unifi group exists
- group:
- name: unifi
- gid: 911
- system: true
- state: present
- tags:
- user
- group
-- name: ensure unifi user exists
- user:
- name: unifi
- uid: 911
- group: unifi
- home: /var/lib/unifi
- createhome: false
- system: true
- state: present
- tags:
- user
-
- name: ensure containers subuid is configured
- lineinfile:
- path: /etc/subuid
- create: true
- line: containers:39290640:1048576
- tags:
- user
- name: ensure containers subgid is configured
- lineinfile:
- path: /etc/subgid
- line: containers:39290640:1048576
- tags:
- user
-
- name: ensure unifi storage path exists
- file:
- path: '{{ unifi_storage_path }}'
- owner: unifi
- group: unifi
- mode: u=rwx,go=
- state: directory
- tags:
- datadir
-
- name: ensure unifi.container systemd unit exists
- template:
- src: unifi.container.j2
diff --git a/roles/unifi/templates/unifi.container.j2 b/roles/unifi/templates/unifi.container.j2
index ee51929..012d0b7 100644
--- a/roles/unifi/templates/unifi.container.j2
+++ b/roles/unifi/templates/unifi.container.j2
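Review bot: `unifi_version: latest` is kept while `unifi_container_image` moves to the self-hosted `git.pyrocufflink.net/containerimages/unifi`, so the build that runs is whatever was most recently pushed to that registry rather than a reviewed version; if the image is re-pulled, the unit's `Restart=always` in unifi.container.j2 can switch to a new build with no change in this repository. Consider overriding the default with a specific version tag in group vars for the `[unifi]` hosts and leaving `latest` to the new `[unifi-test]` group. `unifi_storage_path` is still defined here even though the template hunk replaces its only visible uses with `%S/%N` and the task that created the directory is deleted from deploy.yml; if nothing else references it, drop it or add a comment saying what still consumes it.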
@@ -5,14 +5,17 @@ After=network.target
 [Container]
 Image={{ unifi_container_image }}:{{ unifi_version }}
-Volume={{ unifi_storage_path }}:/config:rw,Z
+Volume=%S/%N:/var/lib/unifi:rw,U,Z
+Volume=%L/%N:/var/log/unifi:rw,U,Z
 Network=host
 NoNewPrivileges=yes
-UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1
-VolatileTmp=yes
+ReadOnly=yes
+ReadOnlyTmpfs=true
 Notify=yes
 [Service]
+StateDirectory=%N
+LogsDirectory=%N
 TimeoutStartSec=5min
 Restart=always
 PrivateTmp=yes
@@ -23,7 +26,7 @@ ProtectProc=invisible
 ProtectSystem=strict
 ReadWritePaths=/run
 ReadWritePaths=/var/lib/containers/storage
-ReadWritePaths={{ unifi_storage_path }}
+ReadWritePaths=%S/%N
 RestrictRealtime=yes
 UMask=0077
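Review bot: Dropping `UserNS=auto:gidmapping=911:911:1,uidmapping=911:911:1` from `[Container]` without adding a `User=` means the container now runs in the host's user namespace, so as far as this hunk shows root inside the container is root on the host unless the new image drops privileges on its own. `ReadOnly=yes`, `NoNewPrivileges=yes` and the existing `ProtectSystem=strict` narrow what that root can reach but do not replace the isolation the user namespace provided, and the `containers:` subuid/subgid entries it depended on are deleted from deploy.yml in the same commit, so the change looks deliberate but is undocumented. Either keep `UserNS=auto` together with the subordinate-ID ranges, or add a comment above `[Container]` stating which unprivileged user the image runs as and why the mapping is no longer needed. Minor style point: `ReadOnlyTmpfs=true` is the only boolean in the unit spelled `true` rather than `yes`.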