diff --git a/Dockerfile b/Dockerfile
index 441f5460..42bbcee0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,31 +1,44 @@
 FROM node:0.10-slim
 
-WORKDIR /usr/local/ghost
+RUN groupadd user && useradd --create-home --home-dir /home/user -g user user
 
-ENV GHOST_VERSION 0.5.8
+RUN apt-get update \
+	&& apt-get install -y curl \
+	&& rm -rf /var/lib/apt/lists/*
 
-RUN buildDeps=' \
-		curl \
-		ca-certificates \
-		unzip \
-	' \
-	&& set -x \
-	&& apt-get update && apt-get install -y $buildDeps --no-install-recommends && rm -rf /var/lib/apt/lists/* \
-	&& curl -sSL "https://ghost.org/archives/ghost-${GHOST_VERSION}.zip" -o ghost.zip \
-	&& unzip ghost.zip \
-	&& rm ghost.zip && apt-get purge -y --auto-remove $buildDeps
+# grab gosu for easy step-down from root
+RUN gpg --keyserver pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
+RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
+	&& curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
+	&& gpg --verify /usr/local/bin/gosu.asc \
+	&& rm /usr/local/bin/gosu.asc \
+	&& chmod +x /usr/local/bin/gosu
+
+ENV GHOST_SOURCE /usr/src/ghost
+WORKDIR $GHOST_SOURCE
+
+ENV GHOST_VERSION 0.5.8
 
 RUN buildDeps=' \
 		gcc \
 		make \
 		python \
+		unzip \
 	' \
 	&& set -x \
 	&& apt-get update && apt-get install -y $buildDeps --no-install-recommends && rm -rf /var/lib/apt/lists/* \
+	&& curl -sSL "https://ghost.org/archives/ghost-${GHOST_VERSION}.zip" -o ghost.zip \
+	&& unzip ghost.zip \
 	&& npm install --production \
-	&& apt-get purge -y --auto-remove $buildDeps
+	&& apt-get purge -y --auto-remove $buildDeps \
+	&& rm ghost.zip
+
+ENV GHOST_CONTENT /var/lib/ghost
+RUN mkdir -p "$GHOST_CONTENT" && chown -R user:user "$GHOST_CONTENT"
+VOLUME $GHOST_CONTENT
+
+COPY docker-entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
 
-RUN [ ! -e config.js ] \
-	&& sed 's/127.0.0.1/0.0.0.0/g' config.example.js > config.js
 EXPOSE 2368
 CMD ["npm", "start"]
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 00000000..2d27b34f
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+if [[ "$*" == npm*start* ]]; then
+	if [ ! -e "$GHOST_CONTENT/config.js" ]; then
+		tar -c --one-file-system -C "$GHOST_SOURCE/content" . | tar xC "$GHOST_CONTENT"
+
+		sed -r '
+			s/127\.0\.0\.1/0.0.0.0/g;
+			s!path.join\(__dirname, (.)/content!path.join(process.env.GHOST_CONTENT, \1!g;
+		' "$GHOST_SOURCE/config.example.js" > "$GHOST_CONTENT/config.js"
+	fi
+
+	ln -sf "$GHOST_CONTENT/config.js" "$GHOST_SOURCE/config.js"
+
+	chown -R user "$GHOST_CONTENT"
+
+	set -- gosu user "$@"
+fi
+
+exec "$@"