diff --git a/README.md b/README.md
index 850770a..5a49ef6 100644
--- a/README.md
+++ b/README.md
@@ -60,9 +60,12 @@ Example variables
     - gitlab
     - wireguard
 
+  watchtower_label_enable: true
+
   traefik_domain: 'example.com'
   traefik_letsencrypt_email: 'cert@example.com'
   traefik_ipwhitelist: '42.42.42.42/32, 192.168.1.0/24, 127.0.0.1/32'
+  traefik_watchtower_enable: true
 
   maildev_domain: 'maildev.example.com'
 
@@ -71,11 +74,13 @@ Example variables
     - 192.168.1.0/24
     - 31.15.24.XX
     - 37.58.179.XX
+  redisinsignt_watchtower_enable: true
 
   gitlab_version: 'latest'
   gitlab_root_password: 'vault-this-thingy'
   gitlab_domain: gitlab.example.com
   gitlab_registry_domain: registry.example.com
+  gitlab_watchtower_enable: false
 
   wireguard_version: 'latest'
   # wg-easy webui access:
diff --git a/templates/compose/cadvisor.yml.j2 b/templates/compose/cadvisor.yml.j2
index 6c6a4b7..8ef8489 100644
--- a/templates/compose/cadvisor.yml.j2
+++ b/templates/compose/cadvisor.yml.j2
@@ -11,6 +11,8 @@ services:
       - "--disable_metrics=percpu,sched,tcp,udp,disk,diskIO,accelerator,hugetlb,referenced_memory,cpu_topology,resctrl"
     ports:
       - {{ cadvisor_port | default("8080") }}:{{ cadvisor_port | default("8080") }}
+    labels:
+      com.centurylinklabs.watchtower.enable: {{ cadvisor_watchtower_enable | default('true') }}
     volumes:
       - /:/rootfs:ro
       - /var/run:/var/run:rw
diff --git a/templates/compose/gitlab-runner.yml.j2 b/templates/compose/gitlab-runner.yml.j2
index 944dbf5..b5f16e7 100644
--- a/templates/compose/gitlab-runner.yml.j2
+++ b/templates/compose/gitlab-runner.yml.j2
@@ -23,6 +23,8 @@ services:
       DOCKER_HOST: tcp://docker:2376/
       DOCKER_TLS_CERTDIR: "/certs"
       DOCKER_DRIVER: overlay2
+    labels:
+      com.centurylinklabs.watchtower.enable: {{ gitlab_runner_watchtower_enable | default('true') }}
     volumes:
       - gitlab-runner__etc_gitlab-runner:/etc/gitlab-runner
       - gitlab-runner__home_gitlab-runner:/home/gitlab-runner
diff --git a/templates/compose/gitlab.yml.j2 b/templates/compose/gitlab.yml.j2
index 362ace9..3bc0c96 100644
--- a/templates/compose/gitlab.yml.j2
+++ b/templates/compose/gitlab.yml.j2
@@ -50,6 +50,7 @@ services:
       traefik.http.routers.gitlab.middlewares: "clientips@docker"
 {% endif %}
       traefik.http.services.gitlab.loadbalancer.server.port: "80"
+      com.centurylinklabs.watchtower.enable: {{ gitlab_watchtower_enable | default('true') }}
     cap_add:
       - SYS_ADMIN
     environment:
diff --git a/templates/compose/grafana.yml.j2 b/templates/compose/grafana.yml.j2
index 42e33aa..921e9a6 100644
--- a/templates/compose/grafana.yml.j2
+++ b/templates/compose/grafana.yml.j2
@@ -33,6 +33,7 @@ services:
       traefik.http.routers.grafana.middlewares: "clientips@docker"
 {% endif %}
       traefik.http.services.grafana.loadbalancer.server.port: 3000
+      com.centurylinklabs.watchtower.enable: {{ grafana_watchtower_enable | default('true') }}
     environment:
       GF_AUTH_ANONYMOUS_ENABLED: "{{ grafana_auth_anonymous_enabled|string|lower }}"
       GF_AUTH_ANONYMOUS_ORG_ROLE: "{{ grafana_auth_anonymous_org_role }}"
diff --git a/templates/compose/maildev.yml.j2 b/templates/compose/maildev.yml.j2
index 24b5ef2..d4bba38 100644
--- a/templates/compose/maildev.yml.j2
+++ b/templates/compose/maildev.yml.j2
@@ -23,5 +23,6 @@ services:
       traefik.http.routers.maildev.middlewares: "clientips@docker"
 {% endif %}
       traefik.http.services.maildev.loadbalancer.server.port: 1080
+      com.centurylinklabs.watchtower.enable: {{ maildev_watchtower_enable | default('true') }}
     networks:
       - traefik
diff --git a/templates/compose/redisinsight.yml.j2 b/templates/compose/redisinsight.yml.j2
index 342350a..489c3a4 100644
--- a/templates/compose/redisinsight.yml.j2
+++ b/templates/compose/redisinsight.yml.j2
@@ -32,6 +32,7 @@ services:
       traefik.http.routers.redisinsight-auth.entrypoints: "websecure"
       traefik.http.routers.redisinsight-auth.tls.certresolver: "letsencrypt"
       traefik.http.routers.redisinsight-auth.middlewares: "basicauth@file"
+      com.centurylinklabs.watchtower.enable: {{ redisinsight_watchtower_enable | default('true') }}
 {% endif %}
     networks:
      - traefik
diff --git a/templates/compose/traefik.yml.j2 b/templates/compose/traefik.yml.j2
index 3710b71..fc56d4e 100644
--- a/templates/compose/traefik.yml.j2
+++ b/templates/compose/traefik.yml.j2
@@ -39,6 +39,7 @@ services:
 {% endif %}
       traefik.http.middlewares.auth.basicauth.users: "ludal:$$apr1$$N3vklVTY$$zrq2kwkaVdynGlakyb4J7."
       traefik.http.middlewares.auth.basicauth.realm: {{ traefik_domain }} - restricted access
+      com.centurylinklabs.watchtower.enable: {{ traefik_watchtower_enable | default('false') }}
     logging:
       driver: syslog
       options:
diff --git a/templates/compose/watchtower.yml.j2 b/templates/compose/watchtower.yml.j2
index 3d74fb8..be9e1a2 100644
--- a/templates/compose/watchtower.yml.j2
+++ b/templates/compose/watchtower.yml.j2
@@ -20,3 +20,4 @@ services:
       WATCHTOWER_HTTP_API_METRICS: "{{ watchtower_http_api_metrics }}"
       WATCHTOWER_HTTP_API_TOKEN: "{{ watchtower_http_api_token | default('changeme_') }}"
 {% endif %}
+      WATCHTOWER_LABEL_ENABLE: "{{ watchtower_label_enable | default('true') }}"
diff --git a/templates/compose/wireguard.yml.j2 b/templates/compose/wireguard.yml.j2
index 59f58c2..236f1f5 100644
--- a/templates/compose/wireguard.yml.j2
+++ b/templates/compose/wireguard.yml.j2
@@ -37,5 +37,6 @@ services:
       traefik.http.routers.wireguard.middlewares: "clientips@docker"
 {% endif %}
       traefik.http.services.wireguard.loadbalancer.server.port: 51821
+      com.centurylinklabs.watchtower.enable: {{ wireguard_watchtower_enable | default('true') }}
     networks:
       - traefik