diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 548a4a8..b23fc33 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,5 +1,18 @@
 #!/bin/sh
 
+load_secrets() {
+ if [ -f "/run/secrets/opengist_secrets" ]; then
+ set -a
+ . /run/secrets/opengist_secrets
+ set +a
+ fi
+}
+
+if [ "$(id -u)" -ne 0 ]; then
+ load_secrets
+ exec env HOME=/opengist OG_OPENGIST_HOME=/opengist /app/opengist/opengist --config /config.yml
+fi
+
 export USER=opengist
 UID=${UID:-1000}
 GID=${GID:-1000}
@@ -9,10 +22,6 @@
 usermod -o -u "$UID" $USER
 chown -R "$USER:$USER" /opengist
 chown -R "$USER:$USER" /config.yml
-if [ -f "/run/secrets/opengist_secrets" ]; then
- set -a
- . /run/secrets/opengist_secrets
- set +a
- fi
+load_secrets
 
 exec su $USER -c "OG_OPENGIST_HOME=/opengist /app/opengist/opengist --config /config.yml"
diff --git a/docs/installation/docker.md b/docs/installation/docker.md
index e8536e9..d7f2903 100644
--- a/docs/installation/docker.md
+++ b/docs/installation/docker.md
@@ -39,3 +39,28 @@ services:
 UID: 1001
 GID: 1001
 ```
+
+## Rootless
+
+By default the container starts as `root` and the entrypoint drops privileges to the
+user defined by `UID`/`GID` (see above).
+
+If you'd rather have the container run as a
+non-root user from the start — for example with `user:` in Compose, or under rootless
+Docker/Podman — set the `user` key instead:
+
+```yml
+services:
+ opengist:
+ # ...
+ user: "1001:1001"
+ volumes:
+ - "./opengist-data:/opengist"
+```
+
+In this mode the entrypoint runs Opengist directly as that user.
+Create the Opengist data directory and own it on the host first:
+```shell
+mkdir -p ./opengist-data && sudo chown -R 1001:1001 ./opengist-data
+```
+
diff --git a/helm/opengist/values.yaml b/helm/opengist/values.yaml
index 8265ba2..b8a16a6 100644
--- a/helm/opengist/values.yaml
+++ b/helm/opengist/values.yaml
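Review bot: `load_secrets` guards the source with `-f` but then runs `.`, a POSIX special builtin whose failure terminates a non-interactive shell, so in the new non-root branch a secret that exists but is root-owned with a restrictive mode (which Compose and Swarm `mode:` settings allow) kills the entrypoint with a terse `cannot open` instead of a usable diagnostic. Testing readability and reporting the real cause is a small change, shown below. The function also executes the file as shell rather than parsing key=value pairs, which deserves a comment since a value containing spaces or `$` must be quoted. Finally, the non-root branch silently ignores any `UID`/`GID` supplied in the environment; a one-line warning there, something like `[ -n "$UID$GID" ] && echo "UID/GID ignored: running as uid $(id -u)" >&2`, or a sentence in the docs hunk, would avoid surprising users of the documented `UID`/`GID` knobs.
```shell
load_secrets() {
  # Note: the secret file is *executed* as shell, not parsed as key=value;
  # quote any value that contains spaces or `$`.
  if [ -r /run/secrets/opengist_secrets ]; then
    set -a
    . /run/secrets/opengist_secrets
    set +a
  elif [ -e /run/secrets/opengist_secrets ]; then
    echo "opengist_secrets exists but is not readable by uid $(id -u)" >&2
    exit 1
  fi
}
```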
@@ -66,7 +66,11 @@ statefulSet:
 podSecurityContext:
 fsGroup: 1000
 securityContext: {}
-# allowPrivilegeEscalation: false
+ # runAsUser: 1000
+ # runAsGroup: 1000
+ # runAsNonRoot: true
+ # allowPrivilegeEscalation: false
+ # readOnlyRootFilesystem: true
 
 ## Pod Disruption Budget settings
 ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
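Review bot: The new commented `runAsNonRoot: true` hint carries no caveat that the kubelet refuses to start a container with that flag unless the effective user is provably non-root, i.e. `runAsUser` is set to a non-zero numeric uid or the image declares a numeric non-root `USER` (the image's Dockerfile is not visible here, so the chart cannot assume the latter). A short note beside it would prevent a failed rollout, e.g. `# runAsNonRoot requires runAsUser (or a numeric non-root USER in the image); keep it consistent with fsGroup above so the data volume stays writable`. Since these keys sit under the context line `securityContext: {}`, it is also worth stating that the `{}` must be removed when they are uncommented, as in `securityContext: {}  # replace {} with the keys below to enable them`.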