diff --git a/registry/sharkymark/.images/flask-app.png b/registry/sharkymark/.images/flask-app.png
new file mode 100644
index 000000000..3ba241870
Binary files /dev/null and b/registry/sharkymark/.images/flask-app.png differ
diff --git a/registry/sharkymark/templates/docker-devcontainer/README.md b/registry/sharkymark/templates/docker-devcontainer/README.md
new file mode 100644
index 000000000..e0948c5fc
--- /dev/null
+++ b/registry/sharkymark/templates/docker-devcontainer/README.md
@@ -0,0 +1,75 @@
+---
+display_name: Dev Containers in a Docker workspace
+description: Provision Docker containers as Coder workspaces running Dev Containers via Docker-in-Docker and the devcontainer CLI.
+icon: "../../../../.icons/docker.svg"
+maintainer_github: sharkymark
+verified: false
+tags: [docker, container, devcontainer, code-server]
+---
+
+# Remote Development on Dev Containers
+
+Provision Docker containers as [Coder workspaces](https://coder.com/docs/workspaces) running [Dev Containers](https://code.visualstudio.com/docs/devcontainers/containers) via Docker-in-Docker and the Dev Container CLI.
+
+![Flask App Screenshot](../../.images/flask-app.png)
+
+## Example devcontainer
+
+The default example devcontainer is one of Sharkymark's sales commissions calculators. It is a Python Flask app and will auto-start so should be accessible on port 5000 when the workspace is running. See the repo on GitHub [here](https://github.com/sharkymark/flask-commissions).
+
+The example repo `devcontainer.json` includes a feature to Coder' code-server web IDE which will be available in the Web Editors button in the workspace. It defaults to open in the `/workspaces` folder which is where the repo is cloned.
+
+Happy selling! 🦈
+
+## Prerequisites
+
+### Infrastructure
+
+The VM you run Coder on must have a running Docker socket and the `coder` user must be added to the Docker group:
+
+```sh
+# Add coder user to Docker group
+sudo adduser coder docker
+
+# Restart Coder server
+sudo systemctl restart coder
+
+# Test Docker
+sudo -u coder docker ps
+```
+
+## Things to know
+
+### docker prune
+
+The template's `shutdown_script` runs `docker system prune -f` to clean up unused Docker resources when the workspace is stopped. This helps manage disk space on the host machine. Consider adjusting to make the workspace load faster if needed.
+
+### devcontainers-cli Coder module
+
+The template uses Coder's [devcontainers-cli module](https://registry.coder.com/modules/coder/devcontainers-cli) to install the `@devcontainers/cli` tool in the workspace. This is used to run Dev Containers inside the Docker-in-Docker container.
+
+### Docker-in-Docker script
+
+The template runs a custom script in the template called `docker-in-docker.sh` to do the following:
+
+- Detects if Coder workspace is accessed via host.docker.internal and applies networking fixes if needed.
+- Enables IP forwarding and sets up NAT rules to allow proper traffic flow between devcontainers and host.
+- Forwards relevant ports (from the agent URL, or 80/443 by default) to the host gateway.
+- Starts Docker service and determines workspace bridge IP for DNS resolution.
+- Installs and configures dnsmasq so devcontainers can resolve host.docker.internal to the workspace’s IP.
+- Configures Docker to use the custom DNS server, ensuring hostname resolution works inside all containers.
+
+## Architecture
+
+This example uses the `codercom/enterprise-node:ubuntu` Docker image as a base image for the workspace. See image on [DockerHub](https://hub.docker.com/r/codercom/enterprise-node) and Dockerfile on [GitHub](https://github.com/coder/images/tree/main/images/node) It includes necessary tools like Docker and Node.js, which are required for running Dev Containers via the `@devcontainers/cli` tool.
+
+This template provisions the following resources:
+
+- Docker image (built by Docker socket and kept locally)
+- Docker container (ephemeral)
+- Docker volume (persistent on `/home/coder`)
+- Docker volume (persistent on `/var/lib/docker`)
+
+This means, when the workspace restarts, any tools or files outside of the home directory or docker library are not persisted.
+
+For devcontainers running inside the workspace, data persistence is dependent on each projects `devcontainer.json` configuration.
diff --git a/registry/sharkymark/templates/docker-devcontainer/main.tf b/registry/sharkymark/templates/docker-devcontainer/main.tf
new file mode 100644
index 000000000..e684dc772
--- /dev/null
+++ b/registry/sharkymark/templates/docker-devcontainer/main.tf
@@ -0,0 +1,309 @@
+terraform {
+  required_providers {
+    coder = {
+      source = "coder/coder"
+    }
+    docker = {
+      source = "kreuzwerker/docker"
+    }
+  }
+}
+
+locals {
+  username = data.coder_workspace_owner.me.name
+
+  # Use a workspace image that supports rootless Docker
+  # (Docker-in-Docker) and Node.js.
+  workspace_image = "codercom/enterprise-node:ubuntu"
+}
+
+variable "docker_socket" {
+  default     = ""
+  description = "(Optional) Docker socket URI"
+  type        = string
+}
+
+data "coder_parameter" "repo_url" {
+  type         = "string"
+  name         = "repo_url"
+  display_name = "Git Repository"
+  description  = "Enter the URL of the Git repository to clone into your workspace. This repository should contain a devcontainer.json file to configure your development environment. This default is a sample Flask web app to calculate sales commissions. 🦈"
+  default      = "https://github.com/sharkymark/flask-commissions.git"
+  mutable      = true
+}
+
+provider "docker" {
+  # Defaulting to null if the variable is an empty string lets us have an optional variable without having to set our own default
+  host = var.docker_socket != "" ? var.docker_socket : null
+}
+
+data "coder_provisioner" "me" {}
+data "coder_workspace" "me" {}
+data "coder_workspace_owner" "me" {}
+
+resource "coder_agent" "main" {
+  arch            = data.coder_provisioner.me.arch
+  os              = "linux"
+  startup_script  = <<-EOT
+    set -e
+
+    # Prepare user home with default files on first start.
+    if [ ! -f ~/.init_done ]; then
+      cp -rT /etc/skel ~
+      touch ~/.init_done
+    fi
+
+    # Add any commands that should be executed at workspace startup
+    # (e.g. install requirements, start a program, etc) here.
+  EOT
+  shutdown_script = <<-EOT
+    set -e
+
+    # Clean up the docker volume from unused resources to keep storage
+    # usage low.
+    #
+    # WARNING! This will remove:
+    #   - all stopped containers
+    #   - all networks not used by at least one container
+    #   - all images without at least one container associated to them
+    #   - all build cache
+    docker system prune -a -f
+
+    # Stop the Docker service.
+    sudo service docker stop
+  EOT
+
+  # These environment variables allow you to make Git commits right away after creating a
+  # workspace. Note that they take precedence over configuration defined in ~/.gitconfig!
+  # You can remove this block if you'd prefer to configure Git manually or using
+  # dotfiles. (see docs/dotfiles.md)
+  env = {
+    GIT_AUTHOR_NAME     = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+    GIT_AUTHOR_EMAIL    = "${data.coder_workspace_owner.me.email}"
+    GIT_COMMITTER_NAME  = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
+    GIT_COMMITTER_EMAIL = "${data.coder_workspace_owner.me.email}"
+  }
+
+  # The following metadata blocks are optional. They are used to display
+  # information about your workspace in the dashboard. You can remove them
+  # if you don't want to display any information.
+  # For basic resources, you can use the `coder stat` command.
+  # If you need more control, you can write your own script.
+  metadata {
+    display_name = "CPU Usage"
+    key          = "0_cpu_usage"
+    script       = "coder stat cpu"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "RAM Usage"
+    key          = "1_ram_usage"
+    script       = "coder stat mem"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Home Disk"
+    key          = "3_home_disk"
+    script       = "coder stat disk --path $${HOME}"
+    interval     = 60
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "CPU Usage (Host)"
+    key          = "4_cpu_usage_host"
+    script       = "coder stat cpu --host"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Memory Usage (Host)"
+    key          = "5_mem_usage_host"
+    script       = "coder stat mem --host"
+    interval     = 10
+    timeout      = 1
+  }
+
+  metadata {
+    display_name = "Load Average (Host)"
+    key          = "6_load_host"
+    # get load avg scaled by number of cores
+    script   = <<EOT
+      echo "`cat /proc/loadavg | awk '{ print $1 }'` `nproc`" | awk '{ printf "%0.2f", $1/$2 }'
+    EOT
+    interval = 60
+    timeout  = 1
+  }
+
+  metadata {
+    display_name = "Swap Usage (Host)"
+    key          = "7_swap_host"
+    script       = <<EOT
+      free -b | awk '/^Swap/ { printf("%.1f/%.1f", $3/1024.0/1024.0/1024.0, $2/1024.0/1024.0/1024.0) }'
+    EOT
+    interval     = 10
+    timeout      = 1
+  }
+}
+
+resource "coder_script" "init_docker_in_docker" {
+  count        = data.coder_workspace.me.start_count
+  agent_id     = coder_agent.main.id
+  display_name = "Initialize Docker-in-Docker"
+  run_on_start = true
+  icon         = "/icon/docker.svg"
+  script       = file("${path.module}/scripts/init-docker-in-docker.sh")
+}
+
+# See https://registry.coder.com/modules/coder/devcontainers-cli
+module "devcontainers-cli" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/devcontainers-cli/coder"
+  agent_id = coder_agent.main.id
+
+  # This ensures that the latest non-breaking version of the module gets
+  # downloaded, you can also pin the module version to prevent breaking
+  # changes in production.
+  version = "~> 1.0"
+}
+
+# See https://registry.coder.com/modules/coder/git-clone
+module "git-clone" {
+  count    = data.coder_workspace.me.start_count
+  source   = "registry.coder.com/coder/git-clone/coder"
+  agent_id = coder_agent.main.id
+  url      = data.coder_parameter.repo_url.value
+  base_dir = "~"
+  # This ensures that the latest non-breaking version of the module gets
+  # downloaded, you can also pin the module version to prevent breaking
+  # changes in production.
+  version = "~> 1.0"
+}
+
+# Automatically start the devcontainer for the workspace.
+resource "coder_devcontainer" "repo" {
+  count            = data.coder_workspace.me.start_count
+  agent_id         = coder_agent.main.id
+  workspace_folder = "~/${module.git-clone[0].folder_name}"
+}
+
+resource "docker_volume" "home_volume" {
+  name = "coder-${data.coder_workspace.me.id}-home"
+  # Protect the volume from being deleted due to changes in attributes.
+  lifecycle {
+    ignore_changes = all
+  }
+  # Add labels in Docker to keep track of orphan resources.
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace_owner.me.name
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace_owner.me.id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
+  }
+  # This field becomes outdated if the workspace is renamed but can
+  # be useful for debugging or cleaning out dangling volumes.
+  labels {
+    label = "coder.workspace_name_at_creation"
+    value = data.coder_workspace.me.name
+  }
+}
+
+resource "docker_volume" "docker_volume" {
+  name = "coder-${data.coder_workspace.me.id}-docker"
+  # Protect the volume from being deleted due to changes in attributes.
+  lifecycle {
+    ignore_changes = all
+  }
+  # Add labels in Docker to keep track of orphan resources.
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace_owner.me.name
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace_owner.me.id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
+  }
+  # This field becomes outdated if the workspace is renamed but can
+  # be useful for debugging or cleaning out dangling volumes.
+  labels {
+    label = "coder.workspace_name_at_creation"
+    value = data.coder_workspace.me.name
+  }
+}
+
+resource "docker_container" "workspace" {
+  count = data.coder_workspace.me.start_count
+  image = local.workspace_image
+
+  # NOTE: The `privileged` mode is one way to run Docker-in-Docker,
+  # which is required for the devcontainer to work. If this is not
+  # desired, you can remove this line. However, you will need to ensure
+  # that the devcontainer can run Docker commands in some other way.
+  # Mounting the host Docker socket is strongly discouraged because
+  # workspaces will then compete for control of the devcontainers.
+  # For more information, see:
+  # https://coder.com/docs/admin/templates/extending-templates/docker-in-workspaces
+  privileged = true
+
+  # Uses lower() to avoid Docker restriction on container names.
+  name = "coder-${data.coder_workspace_owner.me.name}-${lower(data.coder_workspace.me.name)}"
+  # Hostname makes the shell more user friendly: coder@my-workspace:~$
+  hostname = data.coder_workspace.me.name
+  # Use the docker gateway if the access URL is 127.0.0.1
+  command = ["sh", "-c", replace(coder_agent.main.init_script, "/localhost|127\\.0\\.0\\.1/", "host.docker.internal")]
+  env = [
+    "CODER_AGENT_TOKEN=${coder_agent.main.token}"
+  ]
+  host {
+    host = "host.docker.internal"
+    ip   = "host-gateway"
+  }
+
+  # Workspace home volume persists user data across workspace restarts.
+  volumes {
+    container_path = "/home/coder"
+    volume_name    = docker_volume.home_volume.name
+    read_only      = false
+  }
+
+  # Workspace docker volume persists Docker data across workspace
+  # restarts, allowing the devcontainer cache to be reused.
+  volumes {
+    container_path = "/var/lib/docker"
+    volume_name    = docker_volume.docker_volume.name
+    read_only      = false
+  }
+
+  # Add labels in Docker to keep track of orphan resources.
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace_owner.me.name
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace_owner.me.id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
+  }
+  labels {
+    label = "coder.workspace_name"
+    value = data.coder_workspace.me.name
+  }
+}
diff --git a/registry/sharkymark/templates/docker-devcontainer/scripts/init-docker-in-docker.sh b/registry/sharkymark/templates/docker-devcontainer/scripts/init-docker-in-docker.sh
new file mode 100755
index 000000000..57022d22a
--- /dev/null
+++ b/registry/sharkymark/templates/docker-devcontainer/scripts/init-docker-in-docker.sh
@@ -0,0 +1,101 @@
+#!/bin/sh
+set -e
+
+# Docker-in-Docker setup for Coder dev containers using host.docker.internal
+# URLs. When Docker runs inside a container, the "docker0" bridge interface
+# can interfere with host.docker.internal DNS resolution, breaking
+# connectivity to the Coder server.
+
+if [ "${CODER_AGENT_URL#*host.docker.internal}" = "$CODER_AGENT_URL" ]; then
+	# External access URL detected, no networking workarounds needed.
+	sudo service docker start
+	exit 0
+fi
+
+# host.docker.internal URL detected. Docker's default bridge network creates
+# a "docker0" interface that can shadow the host.docker.internal hostname
+# resolution. This typically happens when Docker starts inside a devcontainer,
+# as the inner Docker daemon creates its own bridge network that conflicts
+# with the outer one.
+
+# Enable IP forwarding to allow packets to route between the host network and
+# the devcontainer networks. Without this, traffic cannot flow properly
+# between the different Docker bridge networks.
+echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
+sudo iptables -t nat -A POSTROUTING -j MASQUERADE
+
+# Set up port forwarding to the host Docker gateway (typically 172.17.0.1).
+# We resolve host.docker.internal to get the actual IP and create NAT rules
+# to forward traffic from this workspace to the host.
+host_ip=$(getent hosts host.docker.internal | awk '{print $1}')
+
+echo "Host IP for host.docker.internal: $host_ip"
+
+# Extract the port from CODER_AGENT_URL. The URL format is typically
+# http://host.docker.internal:port/.
+port="${CODER_AGENT_URL##*:}"
+port="${port%%/*}"
+case "$port" in
+[0-9]*)
+	# Specific port found, forward it to the host gateway.
+	sudo iptables -t nat -A PREROUTING -p tcp --dport "$port" -j DNAT --to-destination "$host_ip:$port"
+	echo "Forwarded port $port to $host_ip"
+	;;
+*)
+	# No specific port or non-numeric port, forward standard web ports.
+	sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination "$host_ip:80"
+	sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination "$host_ip:443"
+	echo "Forwarded default ports 80/443 to $host_ip"
+	;;
+esac
+
+# Start Docker service, which creates the "docker0" interface if it doesn't
+# exist. We need the interface to extract the second IP address for DNS
+# resolution.
+sudo service docker start
+
+# Configure DNS resolution to avoid requiring devcontainer project modifications.
+# While devcontainers can use the "--add-host" flag, it requires explicit
+# definition in devcontainer.json. Using a DNS server instead means every
+# devcontainer project doesn't need to accommodate this.
+
+# Wait for the workspace to acquire its Docker bridge IP address. The
+# "hostname -I" command returns multiple IPs: the first is typically the host
+# Docker bridge (172.17.0.0/16 range) and the second is the workspace Docker
+# bridge (172.18.0.0/16). We need the second IP because that's where
+# devcontainers will be able to reach us.
+dns_ip=
+while [ -z "$dns_ip" ]; do
+	dns_ip=$(hostname -I | awk '{print $2}')
+	if [ -z "$dns_ip" ]; then
+		echo "Waiting for hostname -I to return a valid second IP address..."
+		sleep 1
+	fi
+done
+
+echo "Using DNS IP: $dns_ip"
+
+# Install dnsmasq to provide custom DNS resolution. This lightweight DNS
+# server allows us to override specific hostname lookups without affecting
+# other DNS queries.
+sudo apt-get update -y
+sudo apt-get install -y dnsmasq
+
+# Configure dnsmasq to resolve host.docker.internal to this workspace's IP.
+# This ensures devcontainers can find the Coder server even when the "docker0"
+# interface would normally shadow the hostname resolution.
+echo "no-hosts" | sudo tee /etc/dnsmasq.conf
+echo "address=/host.docker.internal/$dns_ip" | sudo tee -a /etc/dnsmasq.conf
+echo "resolv-file=/etc/resolv.conf" | sudo tee -a /etc/dnsmasq.conf
+echo "no-dhcp-interface=" | sudo tee -a /etc/dnsmasq.conf
+echo "bind-interfaces" | sudo tee -a /etc/dnsmasq.conf
+echo "listen-address=127.0.0.1,$dns_ip" | sudo tee -a /etc/dnsmasq.conf
+
+sudo service dnsmasq restart
+
+# Configure Docker daemon to use our custom DNS server. This is the critical
+# piece that ensures all containers (including devcontainers) use our dnsmasq
+# server for hostname resolution, allowing them to properly resolve
+# host.docker.internal.
+echo "{\"dns\": [\"$dns_ip\"]}" | sudo tee /etc/docker/daemon.json
+sudo service docker restart