diff --git a/.env.sample b/.env.sample index 3992a83..98d1b56 100644 --- a/.env.sample +++ b/.env.sample @@ -25,4 +25,8 @@ COMPOSE_FILE="compose.yml" #REDIRECT_TYPE=permanent # Optionally handle all URL requests using a single file (commonly index.html) -#SINGLE_PAGE_SITE_HANDLER=/index.html \ No newline at end of file +#SINGLE_PAGE_SITE_HANDLER=/index.html + +# Enable an SSH server to allow SFTP uploads to the web root +#COMPOSE_FILE="$COMPOSE_FILE:compose.sftp.yml" +#PUBLIC_KEY="ssh-ed25519 AAAAC3NzaJ1lZDI1NTE5AAAAIXqf4nxUxuGmLOaxXXXXXXXXoM/GwhcrAgmtbgXToaYmCJ user@host" # Replace with a public key you generate \ No newline at end of file diff --git a/README.md b/README.md index 51d2480..c375358 100644 --- a/README.md +++ b/README.md @@ -28,5 +28,20 @@ Custom HTML website, served using Nginx. abra app cp YOURAPPDOMAIN index.html app:/usr/share/nginx/html ``` +## Allowing upload via SSH/SFTP +To allow management of your site's files using scp, rsync or other SSH-based tools: +1. If you don't already have one, generate an SSH keypair using `ssh-keygen` +1. `abra app config YOURAPPDOMAIN` +2. Uncomment these lines and add your public key: +``` +#COMPOSE_FILE="$COMPOSE_FILE:compose.sftp.yml" +#PUBLIC_KEY="ssh-ed25519 AAAAC3NzaJ1lZDI1NTE5AAAAIXqf4nxUxuGmLOaxXXXXXXXXoM/GwhcrAgmtbgXToaYmCJ user@host" # Replace with a public key you generate +``` +3. `abra app undeploy YOURAPPDOMAIN` +3. `abra app deploy YOURAPPDOMAIN` +4. Test the SSH connection: `ssh -p 2220 sftp@YOURAPPDOMAIN` +5. You can copy local files into the server's web root with a command like: `scp -r -P 2220 * sftp@YOURAPPDOMAIN:/content` + + [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik diff --git a/compose.sftp.yml b/compose.sftp.yml new file mode 100644 index 0000000..399f305 --- /dev/null +++ b/compose.sftp.yml 
@@ -0,0 +1,41 @@
+version: "3.8"
+services:
+ ssh:
+ image: lscr.io/linuxserver/openssh-server:latest
+ networks:
+ - proxy
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=Etc/UTC
+ - USER_NAME=sftp
+ - PUBLIC_KEY
+ volumes:
+ - content:/content:rw
+ ports:
+ - 2220:2222
+ deploy:
+ restart_policy:
+ condition: on-failure
+ # The following is an admittedly hacky way of setting the owner
+ # of the `content` volume to the unprivileged `sftp` user, so
+ # that content can be transferred through the unprivileged sshd process
+ # using `scp` etc.
+ sshstart:
+ image: lscr.io/linuxserver/openssh-server:latest
+ user: root
+ depends_on:
+ - ssh
+ deploy:
+ restart_policy:
+ condition: none
+ volumes:
+ - content:/content:rw
+ entrypoint: [ "bash", "-c", "sleep 10 && chown -R 1000:1000 /content"]
+
+volumes:
+ content:
+
+networks:
+ proxy:
+ external: true
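Review bot: The `ssh` service joins the external `proxy` network although clients reach it through the published port `2220:2222`, so a session opened with the upload key (or a compromised sshd) runs in a container that can reach every other service on that shared network. Unless something on `proxy` has to reach sshd, drop the `networks: - proxy` entry from `ssh`. Both `ssh` and `sshstart` also use `lscr.io/linuxserver/openssh-server:latest`, so an internet-facing sshd can change on any redeploy; pin it, e.g. `image: lscr.io/linuxserver/openssh-server:<PINNED_TAG_OR_DIGEST>`. If this is deployed as a swarm stack (the `deploy:` keys suggest so), `depends_on` is not honoured, so the root `chown -R 1000:1000 /content` in `sshstart` is ordered only by `sleep 10`, which the comment above it should state.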