diff --git a/.env.sample b/.env.sample
index 4ac97c2..3d6e9e9 100644
--- a/.env.sample
+++ b/.env.sample
@@ -7,6 +7,9 @@ LETS_ENCRYPT_ENV=production
 
 ADMIN_USERNAME=admin
 
+# CUSTOM_THEME_ENABLED=1
+# CUSTOM_THEME_URL=
+
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..5c54e9d
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export ENTRYPOINT_CONF_VERSION=v1
diff --git a/compose.yml b/compose.yml
index 387f95c..17b8b7b 100644
--- a/compose.yml
+++ b/compose.yml
@@ -11,6 +11,8 @@ services:
       - admin_password
       - db_password
     environment:
+      - CUSTOM_THEME_ENABLED
+      - CUSTOM_THEME_URL
       - DB_ADDR=db
       - DB_DATABASE=keycloak
       - DB_PASSWORD_FILE=/run/secrets/db_password
@@ -19,6 +21,11 @@ services:
       - KEYCLOAK_PASSWORD_FILE=/run/secrets/admin_password
       - KEYCLOAK_USER=${ADMIN_USERNAME}
       - PROXY_ADDRESS_FORWARDING=true
+    configs:
+      - source: entrypoint_conf
+        target: /docker-entrypoint.sh
+        mode: 0555
+    entrypoint: /docker-entrypoint.sh
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8080"]
       interval: 30s
@@ -75,3 +82,9 @@ secrets:
 
 volumes:
   mariadb:
+
+configs:
+  entrypoint_conf:
+    name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..d93843a
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+{{ if eq (env "CUSTOM_THEME_ENABLED") "1" }}
+microdnf update && microdnf install git
+git clone "$CUSTOM_THEME_URL" "/opt/jboss/keycloak/themes/$CUSTOM_THEME_NAME"
+{{ end }}
+
+# upstream entrypoint
+# https://github.com/keycloak/keycloak-containers/blob/aa2e5515ccb05116e49ab38839d8fcfdd17c45aa/server/Dockerfile#L30
+/usr/local/bin/entrypoint.sh "$@"