diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix
index bb21ff1..d1357ca 100644
--- a/hosts/fw.cloonar.com/configuration.nix
+++ b/hosts/fw.cloonar.com/configuration.nix
@@ -19,6 +19,7 @@
 ./modules/avahi.nix
 ./modules/openconnect.nix
 ./modules/wireguard.nix
+ ./modules/omada.nix
 
 # git
 ./modules/gitea.nix
diff --git a/hosts/fw.cloonar.com/modules/omada.nix b/hosts/fw.cloonar.com/modules/omada.nix
new file mode 100644
index 0000000..cdd105f
--- /dev/null
+++ b/hosts/fw.cloonar.com/modules/omada.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.omada = {
+ isSystemUser = true;
+ group = "omada";
+ home = "/var/lib/omada";
+ createHome = true;
+ };
+ users.groups.omada = { };
+ users.groups.docker.members = [ "omada" ];
+
+ virtualisation.podman.defaultNetwork.settings = {
+ cniVersion = "0.4.0";
+ name = "newnet";
+ plugins = [
+ {
+ type = "macvlan";
+ master = "server";
+ pam = {
+ type = "dhcp";
+ };
+ }
+ ];
+ };
+
+ # TODO: check if we can run docker service as other user than root
+ virtualisation = {
+ oci-containers.containers = {
+ omada = {
+ image = "mbentley/omada-controller:5.9";
+ volumes = [
+ "/var/lib/omada/data:/opt/tplink/EAPController/data"
+ "/var/lib/omada/logs:/opt/tplink/EAPController/logs"
+ ];
+ };
+ };
+ };
+}
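Review bot: `users.groups.docker.members = [ "omada" ];` in the new omada.nix puts the service account in the docker group, which is root-equivalent on this firewall host if a Docker daemon is enabled, and nothing in the module runs the container as `omada` (the TODO above `virtualisation` says the service still runs as root). Unless something outside this diff needs that membership, I would drop the line until the container really runs under that user. The image is also pulled by a mutable third-party tag, `mbentley/omada-controller:5.9`; pinning it by digest, `image = "mbentley/omada-controller:5.9@sha256:<digest-placeholder>";`, keeps a re-pushed tag from changing what runs on the firewall. Separately, `pam = { type = "dhcp"; };` inside the macvlan plugin looks like a typo for `ipam`, the CNI key for address management, so the DHCP setting is probably not applied as written.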