diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a6f7860..3a085cb 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -40,6 +40,22 @@ jobs:
             # {{major}}-base
             type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-base,value=${{ matrix.php_version }}.0
 
+      - name: Docker meta (base-rootless)
+        id: meta-base-rootless
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: |
+            clevyr/php
+            ghcr.io/clevyr/php
+          flavor: latest=false
+          tags: |
+            # {{major}}.{{minor}}-composer{{major}}-base-rootless
+            type=semver,pattern={{major}}.{{minor}},suffix=-composer${{ matrix.composer_version }}-base,value=${{ matrix.php_version }}.0
+            # {{major}}.{{minor}}-base-rootless
+            type=semver,enable=${{ matrix.composer_version == '2' }},pattern={{major}}.{{minor}},suffix=-base-rootless,value=${{ matrix.php_version }}.0
+            # {{major}}-base-rootless
+            type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-base-rootless,value=${{ matrix.php_version }}.0
+
       - name: Docker meta (onbuild)
         id: meta-onbuild
         uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
@@ -66,6 +82,30 @@ jobs:
             # {{major}}
             type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},value=${{ matrix.php_version }}.0
 
+      - name: Docker meta (onbuild-rootless)
+        id: meta-onbuild-rootless
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: |
+            clevyr/php
+            ghcr.io/clevyr/php
+          flavor: latest=false
+          tags: |
+            # {{major}}.{{minor}}-composer{{major}}-onbuild-rootless
+            type=semver,pattern={{major}}.{{minor}},suffix=-composer${{ matrix.composer_version }}-onbuild-rootless,value=${{ matrix.php_version }}.0
+            # {{major}}.{{minor}}-composer{{major}}
+            type=semver,pattern={{major}}.{{minor}},suffix=-composer${{ matrix.composer_version }},value=${{ matrix.php_version }}.0
+            # {{major}}.{{minor}}-onbuild-rootless
+            type=semver,enable=${{ matrix.composer_version == '2' }},pattern={{major}}.{{minor}},suffix=-onbuild-rootless,value=${{ matrix.php_version }}.0
+            # {{major}}.{{minor}}
+            type=semver,enable=${{ matrix.composer_version == '2' }},pattern={{major}}.{{minor}},value=${{ matrix.php_version }}.0
+            # {{major}}-composer{{major}}
+            type=semver,enable=${{ (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-composer${{ matrix.composer_version }},value=${{ matrix.php_version }}.0
+            # {{major}}-onbuild-rootless
+            type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},suffix=-onbuild-rootless,value=${{ matrix.php_version }}.0
+            # {{major}}
+            type=semver,enable=${{ matrix.composer_version == '2' && (matrix.latest_major == 'true' || matrix.latest == 'true') }},pattern={{major}},value=${{ matrix.php_version }}.0
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
 
@@ -121,6 +161,22 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Build and Push (base-rootless)
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          pull: true
+          push: ${{ github.ref_name == 'main' }}
+          platforms: ${{ matrix.platforms }}
+          tags: ${{ steps.meta-base-rootless.outputs.tags }}
+          labels: ${{ steps.meta-base-rootless.outputs.labels }}
+          build-args: |
+            COMPOSER_VERSION=${{ matrix.composer_version }}
+            PHP_VERSION=${{ matrix.php_version }}
+          target: base-rootless
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
       - name: Build and Push (onbuild)
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
@@ -135,3 +191,18 @@ jobs:
           target: onbuild
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      - name: Build and Push (onbuild-rootless)
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          push: ${{ github.ref_name == 'main' }}
+          platforms: ${{ matrix.platforms }}
+          tags: ${{ steps.meta-onbuild-rootless.outputs.tags }}
+          labels: ${{ steps.meta-onbuild-rootless.outputs.labels }}
+          build-args: |
+            COMPOSER_VERSION=${{ matrix.composer_version }}
+            PHP_VERSION=${{ matrix.php_version }}
+          target: onbuild-rootless
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index 6076da6..e485379 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,7 +7,6 @@ ARG ALPINE_VERSION
 FROM composer:$COMPOSER_VERSION AS local-composer
 
 FROM php:$PHP_VERSION-fpm-alpine$ALPINE_VERSION AS base
-WORKDIR /app
 
 COPY --from=mlocati/php-extension-installer:2.8.5 /usr/bin/install-php-extensions /usr/bin/
 
@@ -36,7 +35,7 @@ RUN <<EOT
       -e 's/^;?(expose_php).*/\1 = Off/' \
       php.ini-production
   ln -s php.ini-production php.ini
-  mkdir -p /run/nginx
+  mkdir -p /run/nginx /var/lib/nginx/tmp /var/log/nginx
   sed -ri -e 's/#(tcp_nopush on;)/\1/' /etc/nginx/nginx.conf
   if [ -d /etc/nginx/http.d ]; then
     mv /etc/nginx/http.d /etc/nginx/conf.d
@@ -91,6 +90,24 @@ COPY rootfs/ /
 
 CMD ["s6-svscan", "/etc/services.d"]
 
+FROM base AS base-rootless
+
+RUN <<EOT
+  sed -ri \
+    -e 's/^;(user) = .*/\1 = www-data/' \
+    -e 's/^;(group) = .*/\1 = www-data/' \
+    "$PHP_INI_DIR"/../php-fpm.d/www.conf
+  sed -i 's/^user .*;/user www-data;/' /etc/nginx/nginx.conf
+  chown -R www-data:www-data /run/nginx /var/lib/nginx /var/log/nginx
+EOT
+
+ENV NGINX_PORT=8080
+
+USER www-data:www-data
+WORKDIR /app
+
+CMD ["s6-svscan-rootless", "/etc/services.d"]
+
 FROM base AS onbuild
 
 ONBUILD ARG PHP_FPM_PM_MAX_CHILDREN
@@ -128,6 +145,59 @@ ONBUILD ARG INSTALL_MYSQL
 ONBUILD ARG INSTALL_SQLSRV
 ONBUILD ARG INSTALL_XDEBUG
 
+ONBUILD ARG NGINX_PORT
+ONBUILD ARG NGINX_ROOT
+ONBUILD ARG NGINX_EXPIRES
+
+ONBUILD ARG COMPOSER_VERSION
+
+ONBUILD ARG IPE_GD_WITHOUTAVIF=1
+
+ONBUILD RUN <<EOT
+  set -eux
+  if [ "${SKIP_BUILD:-}" != "true" ]; then
+    clevyr-build
+  fi
+EOT
+
+FROM base-rootless AS onbuild-rootless
+
+ONBUILD ARG PHP_FPM_PM_MAX_CHILDREN
+ONBUILD ENV PHP_FPM_PM_MAX_CHILDREN=${PHP_FPM_PM_MAX_CHILDREN:-20}
+ONBUILD ARG PHP_FPM_PM_START_SERVERS
+ONBUILD ENV PHP_FPM_PM_START_SERVERS=${PHP_FPM_PM_START_SERVERS:-2}
+ONBUILD ARG PHP_FPM_PM_MIN_SPARE_SERVERS
+ONBUILD ENV PHP_FPM_PM_MIN_SPARE_SERVERS=${PHP_FPM_PM_MIN_SPARE_SERVERS:-1}
+ONBUILD ARG PHP_FPM_PM_MAX_SPARE_SERVERS
+ONBUILD ENV PHP_FPM_PM_MAX_SPARE_SERVERS=${PHP_FPM_PM_MAX_SPARE_SERVERS:-3}
+ONBUILD ARG PHP_FPM_PM_MAX_REQUESTS
+ONBUILD ENV PHP_FPM_PM_MAX_REQUESTS=${PHP_FPM_PM_MAX_REQUESTS:-0}
+
+ONBUILD ARG PHP_MAX_EXECUTION_TIME
+ONBUILD ENV PHP_MAX_EXECUTION_TIME=${PHP_MAX_EXECUTION_TIME:-30}
+ONBUILD ARG PHP_MAX_INPUT_VARS
+ONBUILD ENV PHP_MAX_INPUT_VARS=${PHP_MAX_INPUT_VARS:-1000}
+ONBUILD ARG PHP_MEMORY_LIMIT
+ONBUILD ENV PHP_MEMORY_LIMIT=${PHP_MEMORY_LIMIT:-256M}
+ONBUILD ARG PHP_POST_MAX_SIZE
+ONBUILD ENV PHP_POST_MAX_SIZE=${PHP_POST_MAX_SIZE:-32M}
+ONBUILD ARG PHP_UPLOAD_MAX_FILESIZE
+ONBUILD ENV PHP_UPLOAD_MAX_FILESIZE=${PHP_UPLOAD_MAX_FILESIZE:-8M}
+ONBUILD ARG PHP_MAX_FILE_UPLOADS
+ONBUILD ENV PHP_MAX_FILE_UPLOADS=${PHP_MAX_FILE_UPLOADS:-20}
+
+ONBUILD ARG SKIP_BUILD
+ONBUILD ARG DEPS
+ONBUILD ARG INSTALL
+
+ONBUILD ARG INSTALL_GD
+ONBUILD ARG INSTALL_IMAGICK
+ONBUILD ARG INSTALL_MOSQUITTO
+ONBUILD ARG INSTALL_MYSQL
+ONBUILD ARG INSTALL_SQLSRV
+ONBUILD ARG INSTALL_XDEBUG
+
+ONBUILD ARG NGINX_PORT
 ONBUILD ARG NGINX_ROOT
 ONBUILD ARG NGINX_EXPIRES
 
@@ -135,9 +205,13 @@ ONBUILD ARG COMPOSER_VERSION
 
 ONBUILD ARG IPE_GD_WITHOUTAVIF=1
 
+ONBUILD USER root
+
 ONBUILD RUN <<EOT
   set -eux
   if [ "${SKIP_BUILD:-}" != "true" ]; then
     clevyr-build
   fi
 EOT
+
+ONBUILD USER www-data:www-data
diff --git a/rootfs/etc/nginx/conf.d/default.conf.tpl b/rootfs/etc/nginx/conf.d/default.conf.tpl
index 9d9f172..1d15edc 100644
--- a/rootfs/etc/nginx/conf.d/default.conf.tpl
+++ b/rootfs/etc/nginx/conf.d/default.conf.tpl
@@ -1,6 +1,6 @@
 server {
-    listen 80;
-    listen [::]:80 default ipv6only=on;
+    listen $NGINX_PORT;
+    listen [::]:$NGINX_PORT default ipv6only=on;
 
     server_name _;
 
diff --git a/rootfs/usr/bin/clevyr-build b/rootfs/usr/bin/clevyr-build
index 46769be..b0a8c12 100755
--- a/rootfs/usr/bin/clevyr-build
+++ b/rootfs/usr/bin/clevyr-build
@@ -64,8 +64,9 @@ install-php-extensions "${INSTALL[@]}"
 # Template nginx config
 log 'Templating nginx config'
 export NGINX_ROOT="${NGINX_ROOT:-/app/public}" \
-    NGINX_EXPIRES="${NGINX_EXPIRES:-7d}"
-envsubst '$NGINX_ROOT $NGINX_EXPIRES' < /etc/nginx/conf.d/default.conf.tpl > /etc/nginx/conf.d/default.conf
+    NGINX_EXPIRES="${NGINX_EXPIRES:-7d}" \
+    NGINX_PORT="${NGINX_PORT:-80}"
+envsubst '$NGINX_ROOT $NGINX_EXPIRES $NGINX_PORT' < /etc/nginx/conf.d/default.conf.tpl > /etc/nginx/conf.d/default.conf
 
 log 'Removing all tmp files'
 rm -rf /tmp/*
diff --git a/rootfs/usr/bin/s6-svscan-rootless b/rootfs/usr/bin/s6-svscan-rootless
new file mode 100755
index 0000000..f68e10b
--- /dev/null
+++ b/rootfs/usr/bin/s6-svscan-rootless
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -euo pipefail
+
+# Wrapper to run s6-svscan from a writable directory
+# s6-svscan creates .s6-svscan in the service directory, so we need to copy services to /tmp
+
+# See https://skarnet.org/software/s6/scandir.html
+
+SERVICE_DIR="$1"
+
+if [ -z "$SERVICE_DIR" ]; then
+    echo "Usage: $0 <service-directory>" >&2
+    exit 1
+fi
+
+# Create a unique directory in /tmp for our services
+TEMP_SERVICE_DIR="/tmp/s6-services-$$"
+mkdir -p "$TEMP_SERVICE_DIR"
+
+# Copy the service directory contents to /tmp
+cp -r "$SERVICE_DIR"/* "$TEMP_SERVICE_DIR/" 2>/dev/null || cp -r "$SERVICE_DIR"/. "$TEMP_SERVICE_DIR/"
+
+# Run s6-svscan against the copied services
+exec s6-svscan "$TEMP_SERVICE_DIR"