diff --git a/.docker/app-rootless/Dockerfile b/.docker/app-rootless/Dockerfile
new file mode 100644
index 000000000..00b3a2e53
--- /dev/null
+++ b/.docker/app-rootless/Dockerfile
@@ -0,0 +1,101 @@
+ARG PROXY_REGISTRY
+
+FROM ${PROXY_REGISTRY}alpine:3.20
+EXPOSE 9000/tcp
+
+ARG ALPINE_MIRROR
+
+ENV SCRIPT_ROOT=/opt/tt-rss
+ENV SRC_DIR=/src/tt-rss/
+
+# overriding those without rebuilding image won't do much
+ENV OWNER_UID=1000
+ENV OWNER_GID=1000
+
+RUN [ ! -z ${ALPINE_MIRROR} ] && \
+		sed -i.bak "s#dl-cdn.alpinelinux.org#${ALPINE_MIRROR}#" /etc/apk/repositories ; \
+	apk add --no-cache dcron php83 php83-fpm php83-phar php83-sockets php83-pecl-apcu \
+	php83-pdo php83-gd php83-pgsql php83-pdo_pgsql php83-xmlwriter php83-opcache \
+	php83-mbstring php83-intl php83-xml php83-curl php83-simplexml \
+	php83-session php83-tokenizer php83-dom php83-fileinfo php83-ctype \
+	php83-json php83-iconv php83-pcntl php83-posix php83-zip php83-exif \
+	php83-openssl git postgresql-client sudo php83-pecl-xdebug rsync tzdata && \
+	sed -i 's/\(memory_limit =\) 128M/\1 256M/' /etc/php83/php.ini && \
+	sed -i -e 's/^listen = 127.0.0.1:9000/listen = 9000/' \
+		-e 's/;\(clear_env\) = .*/\1 = no/i' \
+		-e 's/;\(pm.status_path = \/status\)/\1/i' \
+		-e 's/;\(pm.status_listen\) = .*/\1 = 9001/i' \
+		-e 's/^\(user\|group\) = .*/\1 = app/i' \
+		-e 's/;\(php_admin_value\[error_log\]\) = .*/\1 = \/tmp\/error.log/' \
+		-e 's/;\(php_admin_flag\[log_errors\]\) = .*/\1 = on/' \
+			/etc/php83/php-fpm.d/www.conf && \
+	mkdir -p /var/www ${SCRIPT_ROOT}/config.d && \
+	addgroup -g $OWNER_GID app && \
+	adduser -D -h /var/www/html -G app -u $OWNER_UID app && \
+	update-ca-certificates && \
+	chown -R $OWNER_UID /etc/php83 /var/log/php83
+
+ARG CI_COMMIT_BRANCH
+ENV CI_COMMIT_BRANCH=${CI_COMMIT_BRANCH}
+
+ARG CI_COMMIT_SHORT_SHA
+ENV CI_COMMIT_SHORT_SHA=${CI_COMMIT_SHORT_SHA}
+
+ARG CI_COMMIT_TIMESTAMP
+ENV CI_COMMIT_TIMESTAMP=${CI_COMMIT_TIMESTAMP}
+
+ARG CI_COMMIT_SHA
+ENV CI_COMMIT_SHA=${CI_COMMIT_SHA}
+
+ADD .docker/app-rootless/startup.sh ${SCRIPT_ROOT}
+ADD .docker/app-rootless/updater.sh ${SCRIPT_ROOT}
+
+ADD .docker/app-rootless/index.php ${SCRIPT_ROOT}
+ADD .docker/app-rootless/config.docker.php ${SCRIPT_ROOT}
+
+COPY . ${SRC_DIR}
+
+ARG ORIGIN_REPO_XACCEL=https://git.tt-rss.org/fox/ttrss-nginx-xaccel.git
+
+RUN git clone --depth=1 ${ORIGIN_REPO_XACCEL} ${SRC_DIR}/plugins.local/nginx_xaccel
+
+USER $OWNER_UID
+
+ENV PHP_WORKER_MAX_CHILDREN=5
+ENV PHP_WORKER_MEMORY_LIMIT=256M
+
+# these are applied on every startup, if set
+ENV ADMIN_USER_PASS=""
+# see classes/UserHelper.php ACCESS_LEVEL_*
+# setting this to -2 would effectively disable built-in admin user
+# unless single user mode is enabled
+ENV ADMIN_USER_ACCESS_LEVEL=""
+
+# these are applied unless user already exists
+ENV AUTO_CREATE_USER=""
+ENV AUTO_CREATE_USER_PASS=""
+ENV AUTO_CREATE_USER_ACCESS_LEVEL="0"
+ENV AUTO_CREATE_USER_ENABLE_API=""
+
+# TODO: remove prefix from container variables not used by tt-rss itself:
+#
+# - TTRSS_NO_STARTUP_PLUGIN_UPDATES -> NO_STARTUP_PLUGIN_UPDATES
+# - TTRSS_XDEBUG_... -> XDEBUG_...
+
+# don't try to update local plugins on startup
+ENV TTRSS_NO_STARTUP_PLUGIN_UPDATES=""
+
+# TTRSS_XDEBUG_HOST defaults to host IP if unset
+ENV TTRSS_XDEBUG_ENABLED=""
+ENV TTRSS_XDEBUG_HOST=""
+ENV TTRSS_XDEBUG_PORT="9000"
+
+ENV TTRSS_DB_TYPE="pgsql"
+ENV TTRSS_DB_HOST="db"
+ENV TTRSS_DB_PORT="5432"
+
+ENV TTRSS_MYSQL_CHARSET="UTF8"
+ENV TTRSS_PHP_EXECUTABLE="/usr/bin/php83"
+ENV TTRSS_PLUGINS="auth_internal, note, nginx_xaccel"
+
+CMD ${SCRIPT_ROOT}/startup.sh
diff --git a/.docker/app-rootless/config.docker.php b/.docker/app-rootless/config.docker.php
new file mode 100644
index 000000000..fbf42e43b
--- /dev/null
+++ b/.docker/app-rootless/config.docker.php
@@ -0,0 +1,8 @@
+<?php
+
+	$snippets = glob(getenv("SCRIPT_ROOT")."/config.d/*.php");
+
+	foreach ($snippets as $snippet) {
+		require_once $snippet;
+	}
+
diff --git a/.docker/app-rootless/index.php b/.docker/app-rootless/index.php
new file mode 100644
index 000000000..78e5c3f88
--- /dev/null
+++ b/.docker/app-rootless/index.php
@@ -0,0 +1,3 @@
+<?php 
+   header("Location: /tt-rss/");
+   return;
diff --git a/.docker/app-rootless/startup.sh b/.docker/app-rootless/startup.sh
new file mode 100644
index 000000000..6cce6f565
--- /dev/null
+++ b/.docker/app-rootless/startup.sh
@@ -0,0 +1,155 @@
+#!/bin/sh -e
+
+while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; do
+	echo waiting until $TTRSS_DB_HOST is ready...
+	sleep 3
+done
+
+# We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures)
+unset HTTP_PORT
+unset HTTP_HOST
+
+DST_DIR=/var/www/html/tt-rss
+
+if [ ! -w $DST_DIR -a ! -w /var/www/html ]; then
+	echo please make sure both /var/www/html and $DST_DIR are writable to current user $(id)
+	exit 1
+fi
+
+[ -e $DST_DIR ] && rm -f $DST_DIR/.app_is_ready
+
+export PGPASSWORD=$TTRSS_DB_PASS
+
+[ ! -e /var/www/html/index.php ] && cp ${SCRIPT_ROOT}/index.php /var/www/html
+
+if [ -z $SKIP_RSYNC_ON_STARTUP ]; then
+	if [ ! -d $DST_DIR ]; then
+		mkdir -p $DST_DIR
+
+		rsync -a --no-owner \
+			$SRC_DIR/ $DST_DIR/
+	else
+		rsync -a --no-owner --delete \
+			--exclude /cache \
+			--exclude /lock \
+			--exclude /feed-icons \
+			--exclude /plugins/af_comics/filters.local \
+			--exclude /plugins.local \
+			--exclude /templates.local \
+			--exclude /themes.local \
+			$SRC_DIR/ $DST_DIR/
+
+		rsync -a --no-owner --delete \
+			$SRC_DIR/plugins.local/nginx_xaccel \
+			$DST_DIR/plugins.local/nginx_xaccel
+	fi
+else
+	echo "warning: working copy in $DST_DIR won't be updated, make sure you know what you're doing."
+fi
+
+for d in cache lock feed-icons plugins.local themes.local templates.local cache/export cache/feeds cache/images cache/upload; do
+	mkdir -p $DST_DIR/$d
+done
+
+for d in cache lock feed-icons; do
+	chmod 777 $DST_DIR/$d
+	find $DST_DIR/$d -type f -exec chmod 666 {} \;
+done
+
+cp ${SCRIPT_ROOT}/config.docker.php $DST_DIR/config.php
+chmod 644 $DST_DIR/config.php
+
+if [ -z "$TTRSS_NO_STARTUP_PLUGIN_UPDATES" ]; then
+	echo updating all local plugins...
+
+	find $DST_DIR/plugins.local -mindepth 1 -maxdepth 1 -type d | while read PLUGIN; do
+		if [ -d $PLUGIN/.git ]; then
+			echo updating $PLUGIN...
+
+			cd $PLUGIN && \
+				git config core.filemode false && \
+				git config pull.rebase false && \
+				git pull origin master || echo warning: attempt to update plugin $PLUGIN failed.
+		fi
+	done
+else
+	echo skipping local plugin updates, disabled.
+fi
+
+PSQL="psql -q -h $TTRSS_DB_HOST -U $TTRSS_DB_USER $TTRSS_DB_NAME"
+
+$PSQL -c "create extension if not exists pg_trgm"
+
+RESTORE_SCHEMA=${SCRIPT_ROOT}/restore-schema.sql.gz
+
+if [ -r $RESTORE_SCHEMA ]; then
+	$PSQL -c "drop schema public cascade; create schema public;"
+	zcat $RESTORE_SCHEMA | $PSQL
+fi
+
+# this was previously generated
+rm -f $DST_DIR/config.php.bak
+
+if [ ! -z "${TTRSS_XDEBUG_ENABLED}" ]; then
+	if [ -z "${TTRSS_XDEBUG_HOST}" ]; then
+		export TTRSS_XDEBUG_HOST=$(ip ro sh 0/0 | cut -d " " -f 3)
+	fi
+	echo enabling xdebug with the following parameters:
+	env | grep TTRSS_XDEBUG
+	cat > /etc/php83/conf.d/50_xdebug.ini <<EOF
+zend_extension=xdebug.so
+xdebug.mode=debug
+xdebug.start_with_request = yes
+xdebug.client_port = ${TTRSS_XDEBUG_PORT}
+xdebug.client_host = ${TTRSS_XDEBUG_HOST}
+EOF
+fi
+
+sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
+	/etc/php83/php.ini
+
+sed -i.bak "s/^\(pm.max_children\) = \(.*\)/\1 = ${PHP_WORKER_MAX_CHILDREN}/" \
+	/etc/php83/php-fpm.d/www.conf
+
+php83 $DST_DIR/update.php --update-schema=force-yes
+
+if [ ! -z "$ADMIN_USER_PASS" ]; then
+	php83 $DST_DIR/update.php --user-set-password "admin:$ADMIN_USER_PASS"
+else
+	if php83 $DST_DIR/update.php --user-check-password "admin:password"; then
+		RANDOM_PASS=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16 ; echo '')
+
+		echo "*****************************************************************************"
+		echo "* Setting initial built-in admin user password to '$RANDOM_PASS'        *"
+		echo "* If you want to set it manually, use ADMIN_USER_PASS environment variable. *"
+		echo "*****************************************************************************"
+
+		php83 $DST_DIR/update.php --user-set-password "admin:$RANDOM_PASS"
+	fi
+fi
+
+if [ ! -z "$ADMIN_USER_ACCESS_LEVEL" ]; then
+	php83 $DST_DIR/update.php --user-set-access-level "admin:$ADMIN_USER_ACCESS_LEVEL"
+fi
+
+if [ ! -z "$AUTO_CREATE_USER" ]; then
+	/bin/sh -c "php83 $DST_DIR/update.php --user-exists $AUTO_CREATE_USER ||
+		php83 $DST_DIR/update.php --force-yes --user-add \"$AUTO_CREATE_USER:$AUTO_CREATE_USER_PASS:$AUTO_CREATE_USER_ACCESS_LEVEL\""
+
+	if [ ! -z "$AUTO_CREATE_USER_ENABLE_API" ]; then
+		# TODO: remove || true later
+		/bin/sh -c "php83 $DST_DIR/update.php --user-enable-api \"$AUTO_CREATE_USER:$AUTO_CREATE_USER_ENABLE_API\"" || true
+	fi
+
+fi
+
+rm -f /tmp/error.log && mkfifo /tmp/error.log && chown app:app /tmp/error.log
+
+(tail -q -f /tmp/error.log >> /proc/1/fd/2) &
+
+unset ADMIN_USER_PASS
+unset AUTO_CREATE_USER_PASS
+
+touch $DST_DIR/.app_is_ready
+
+exec /usr/sbin/php-fpm83 --nodaemonize --force-stderr
diff --git a/.docker/app-rootless/updater.sh b/.docker/app-rootless/updater.sh
new file mode 100644
index 000000000..5fdddd1d1
--- /dev/null
+++ b/.docker/app-rootless/updater.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -e
+
+# We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures)
+unset HTTP_PORT
+unset HTTP_HOST
+
+unset ADMIN_USER_PASS
+unset AUTO_CREATE_USER_PASS
+
+# wait for the app container to delete .app_is_ready and perform rsync, etc.
+sleep 30
+
+if ! id app; then
+	addgroup -g $OWNER_GID app
+	adduser -D -h /var/www/html -G app -u $OWNER_UID app
+fi
+
+while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; do
+	echo waiting until $TTRSS_DB_HOST is ready...
+	sleep 3
+done
+
+sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
+	/etc/php83/php.ini
+
+DST_DIR=/var/www/html/tt-rss
+
+while [ ! -s $DST_DIR/config.php -a -e $DST_DIR/.app_is_ready ]; do
+	echo waiting for app container...
+	sleep 3
+done
+
+sudo -E -u app /usr/bin/php83 /var/www/html/tt-rss/update_daemon2.php "$@"