diff --git a/.env.sample b/.env.sample
index 34d4b1b..e4e4609 100644
--- a/.env.sample
+++ b/.env.sample
@@ -49,10 +49,15 @@ SECRET_EMAIL_PASS_VERSION=v1
 # EMAIL_SUBJECT="Account Recovery"
 # EMAIL_TOKEN_EXPIRY_MINUTES=30
 
+## assets
 COPY_ASSETS="flow_background.jpg|app:/web/dist/assets/images/"
 COPY_ASSETS="$COPY_ASSETS icon_left_brand.svg|app:/web/dist/assets/icons/"
 COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
+# store custom CSS in a css-volume
+#COMPOSE_FILE="$COMPOSE_FILE:compose.css-volume.yml"
+# NOTE: this causes the authentik container to run as `root` initially; it uses `su` to drop privileges but technically could introduce a security risk. proceed with caution!
+
 # Default CSS customisation
 # COMPOSE_FILE="$COMPOSE_FILE:compose.css.yml"
 # BACKGROUND_FONT_COLOR=white
diff --git a/abra.sh b/abra.sh
index 40725ab..ddcb3df 100644
--- a/abra.sh
+++ b/abra.sh
@@ -18,6 +18,7 @@ export HEDGEDOC_CONFIG_VERSION=v2
 export MONITORING_CONFIG_VERSION=v3
 export DB_ENTRYPOINT_VERSION=v1
 export PG_BACKUP_VERSION=v2
+export ENTRYPOINT_CSS_VERSION=v1
 
 customize() {
     if [ -z "$1" ]
diff --git a/compose.css-volume.yml b/compose.css-volume.yml
new file mode 100644
index 0000000..5e72a99
--- /dev/null
+++ b/compose.css-volume.yml
@@ -0,0 +1,16 @@
+---
+version: "3.8"
+
+services:
+  app:
+    user: root
+    entrypoint: /docker-entrypoint.sh
+    configs:
+      - source: entrypoint_css
+        target: /docker-entrypoint.sh
+        mode: 0555
+
+configs:
+  entrypoint_css:
+    name: ${STACK_NAME}_entrypoint_css_${ENTRYPOINT_CSS_VERSION}
+    file: entrypoint-css-volume.sh
diff --git a/entrypoint-css-volume.sh b/entrypoint-css-volume.sh
new file mode 100644
index 0000000..cf0afce
--- /dev/null
+++ b/entrypoint-css-volume.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cp -f /web/dist/assets/custom.css /web/dist/custom.css
+
+su $(id -un 1000) -s /bin/bash -c 'dumb-init -- ak server'