diff --git a/roles/container/defaults/main.yaml b/roles/container/defaults/main.yaml index 552b0f7..3cd899f 100644 --- a/roles/container/defaults/main.yaml +++ b/roles/container/defaults/main.yaml @@ -10,3 +10,6 @@ container_auto_start: true container_auto_update: true container_requires: [] container_wants: [] +container_image_creds: + username: "" + password: "" diff --git a/roles/container/meta/argument_specs.yaml b/roles/container/meta/argument_specs.yaml index fc8fe7a..3c983af 100644 --- a/roles/container/meta/argument_specs.yaml +++ b/roles/container/meta/argument_specs.yaml @@ -7,10 +7,6 @@ argument_specs: description: Name of the container. Must be unique within a host. type: str required: true - container_image: - description: "The image to run in the container, in FQIN format (registry/imagename:tag)" - type: str - required: true container_command: description: Command to start the container with. type: list @@ -23,6 +19,27 @@ argument_specs: required: false default: "" + container_image: + description: "The image to run in the container, in FQIN format (registry/imagename:tag)" + type: str + required: true + container_image_creds: + description: Credentials used to authenticate with the registry + type: dict + required: false + default: + username: "" + password: "" + options: + username: + description: Username + type: str + required: true + password: + description: Password + type: str + required: true + container_mounts: description: List of bind mounts or volumes to be mounted inside the container. type: list diff --git a/roles/container/tasks/main.yaml b/roles/container/tasks/main.yaml index 6d80cb5..8e98cc9 100644 --- a/roles/container/tasks/main.yaml +++ b/roles/container/tasks/main.yaml 
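Review bot: In the second hunk of roles/container/meta/argument_specs.yaml the `password` suboption of `container_image_creds` is described only as "Password", which does not tell a caller that the value is a secret or that the empty-string default means an anonymous pull. I would expand both descriptions, for example `description: Registry password. Leave empty for an anonymous pull; supply it from a vaulted variable, not plain group_vars.` with a matching line for `username`. Both suboptions are also `required: true` while the parent `default` supplies empty strings, so it is worth stating in the parent description that the pair must be given together or not at all. The same wording is repeated in roles/image/meta/argument_specs.yaml and roles/service/meta/argument_specs.yaml and needs the same change there.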
@@ -2,6 +2,14 @@ - name: Validate inputs ansible.builtin.import_tasks: validation.yaml +- name: Create image for container {{ container_name }} + ansible.builtin.include_role: + name: image + vars: + image_name: "{{ container_image }}" + image_creds: "{{ container_image_creds }}" + when: image_created_images is not defined or container_image not in image_created_images + - name: Create networks for container {{ container_name }} ansible.builtin.include_role: name: network @@ -29,7 +37,7 @@ - name: Create container service {{ container_name }} containers.podman.podman_container: - image: "{{ container_image }}" + image: "{{ _container_image }}" name: "{{ container_name }}" command: "{{ container_command or omit }}" user: "{{ container_user or omit }}" diff --git a/roles/container/vars/main.yaml b/roles/container/vars/main.yaml index 5f2dce2..6612be4 100644 --- a/roles/container/vars/main.yaml +++ b/roles/container/vars/main.yaml @@ -1,4 +1,6 @@ --- +_container_image: "{{ container_image | replace('/', '_') ~ '.image' }}" + _container_volumes: "{{ container_mounts | selectattr('type', '==', 'volume') }}" _container_mount_sources: "{{ container_mounts | map(attribute='source') }}" diff --git a/roles/image/defaults/main.yaml b/roles/image/defaults/main.yaml new file mode 100644 index 0000000..7e2105b --- /dev/null +++ b/roles/image/defaults/main.yaml @@ -0,0 +1,4 @@ +--- +image_creds: + username: "" + password: "" diff --git a/roles/image/meta/argument_specs.yaml b/roles/image/meta/argument_specs.yaml new file mode 100644 index 0000000..d11e382 --- /dev/null +++ b/roles/image/meta/argument_specs.yaml 
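Review bot: The `when` on the new "Create image" task in roles/container/tasks/main.yaml skips on the image name alone, so `container_image_creds` is honoured only for the first container on a host that references a given image. If an earlier container names the same image without credentials, the image unit is written without them and the include is skipped for the container that does supply them, so the outcome depends on role ordering. `image_created_images` is set with `set_fact` in the image role and nothing visible here resets it, so it presumably also persists across later plays in the same run. Either drop the guard and rely on the module's idempotence, or document the constraint next to it, e.g. `# only the first include per image writes the unit; container_image_creds must be identical for every container sharing container_image`.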
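Review bot: `_container_image` in roles/container/vars/main.yaml re-implements the unit naming that roles/image/tasks/main.yaml computes on its own as `quadlet_filename: "{{ image_name | replace('/', '_') }}"`, so the container finds its image unit only while the two expressions stay identical. The mapping is also not one-to-one: `replace('/', '_')` yields the same name for `reg/a/b_c:1` and `reg/a_b/c:1` (constructed examples), in which case two images would share one unit file and one container would start from the other's image. Consider having the image role publish the unit name it actually wrote and using that for `image:` in the `podman_container` task, or at minimum put a comment on both lines such as `# must match quadlet_filename in roles/image/tasks/main.yaml`. The `podman_container` task that consumes this value continues outside its hunk.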
@@ -0,0 +1,27 @@ +--- +argument_specs: + main: + description: + - Sets up podman image with systemd unit (quadlet) + - The image unit filename is `image_name` with / replaced by _ + options: + image_name: + description: "The image FQIN (format registry/imagename:tag)" + type: str + required: true + image_creds: + description: Credentials used to authenticate with the registry + type: dict + required: false + default: + username: "" + password: "" + options: + username: + description: Username + type: str + required: true + password: + description: Password + type: str + required: true diff --git a/roles/image/meta/main.yaml b/roles/image/meta/main.yaml new file mode 100644 index 0000000..d80fa53 --- /dev/null +++ b/roles/image/meta/main.yaml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: podman diff --git a/roles/image/tasks/main.yaml b/roles/image/tasks/main.yaml new file mode 100644 index 0000000..37c371f --- /dev/null +++ b/roles/image/tasks/main.yaml @@ -0,0 +1,14 @@ +--- +- name: Set variables for use by other roles + ansible.builtin.set_fact: + image_created_images: "{{ image_created_images | default([]) + [image_name] }}" + +- name: Create container image service {{ image_name }} + containers.podman.podman_image: + name: "{{ image_name }}" + username: "{{ image_creds.username if image_creds.username | length > 0 else omit }}" + password: "{{ image_creds.password if image_creds.password | length > 0 else omit }}" + state: quadlet + quadlet_filename: "{{ image_name | replace('/', '_') }}" + quadlet_file_mode: "0600" + notify: Reload systemd daemon diff --git a/roles/service/defaults/main.yaml b/roles/service/defaults/main.yaml index 040c3a2..9a12150 100644 --- a/roles/service/defaults/main.yaml +++ b/roles/service/defaults/main.yaml @@ -17,3 +17,7 @@ service_additional_containers: [] service_requires: [] service_wants: [] service_auto_update: true + +service_container_image_creds: + username: "" + password: "" 
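Review bot: In roles/image/tasks/main.yaml the `podman_image` task passes `username`/`password` together with `state: quadlet`, so the registry password presumably ends up in cleartext in the generated unit file. `quadlet_file_mode: "0600"` narrows who can read it but does not keep it out of backups or configuration snapshots of that directory. Consider referencing a credentials file through the module's `auth_file` parameter instead, so the unit carries only a path. The two `omit` conditions are also evaluated independently, so a caller who sets only one of the two values is not rejected; how the module treats a lone username is not visible here. An `ansible.builtin.assert` ahead of the task would catch that, with `that: (image_creds.username | length > 0) == (image_creds.password | length > 0)`.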
diff --git a/roles/service/meta/argument_specs.yaml b/roles/service/meta/argument_specs.yaml index 124f661..f926a16 100644 --- a/roles/service/meta/argument_specs.yaml +++ b/roles/service/meta/argument_specs.yaml @@ -35,6 +35,23 @@ argument_specs: description: "The image to run in the service container(s), in FQIN format (registry/imagename:tag)." type: str required: true + service_container_image_creds: + description: Credentials used to authenticate with the registry + type: dict + required: false + default: + username: "" + password: "" + options: + username: + description: Username + type: str + required: true + password: + description: Password + type: str + required: true + service_container_user: description: The UID to run as inside the container type: str diff --git a/roles/service/tasks/main.yaml b/roles/service/tasks/main.yaml index eca9bc2..5aa269d 100644 --- a/roles/service/tasks/main.yaml +++ b/roles/service/tasks/main.yaml @@ -24,6 +24,7 @@ vars: container_name: "{{ service_name }}" container_image: "{{ service_container_image }}" + container_image_creds: "{{ service_container_image_creds }}" container_user: "{{ service_container_user }}" container_mounts: "{{ _service_container_mounts }}" container_publish_ports: "{{ service_container_publish_ports }}"