diff --git a/Containers/windmill/Dockerfile b/Containers/windmill/Dockerfile
index 82d8e0d8..f1432e6c 100644
--- a/Containers/windmill/Dockerfile
+++ b/Containers/windmill/Dockerfile
@@ -32,28 +32,33 @@ RUN set -ex; \
 netcat-openbsd; \
 rm -rf /var/lib/apt/lists/*; \
 \
- # Create the postgres system user and group (without a fixed GID to avoid conflicts)
- groupadd -r postgres || true; \
- useradd -r -g postgres --home-dir=/var/lib/postgresql --shell=/bin/bash postgres || true; \
+ # Create a single non-root windmill user (uid=10001) that owns both PostgreSQL
+ # and Windmill processes — no root or privilege-switching needed at runtime
+ groupadd -r windmill --gid=10001; \
+ useradd -r -g windmill --uid=10001 --home-dir=/var/lib/windmill --shell=/sbin/nologin windmill; \
 \
- # Create required directories
+ # Create required directories and give windmill user full ownership
 mkdir -p \
 /var/lib/postgresql/data \
 /var/run/postgresql \
 /var/log/supervisord \
 /var/run/supervisord \
- /tmp/windmill/cache; \
- chown -R postgres:postgres /var/lib/postgresql /var/run/postgresql; \
- chmod 775 /var/run/postgresql; \
- chmod 777 \
+ /tmp/windmill/cache \
+ /var/lib/windmill; \
+ chown -R windmill:windmill \
+ /var/lib/postgresql \
+ /var/run/postgresql \
 /var/log/supervisord \
 /var/run/supervisord \
- /tmp/windmill/cache; \
+ /tmp/windmill/cache \
+ /var/lib/windmill; \
+ chmod 750 /var/run/postgresql; \
+ chmod 750 /var/log/supervisord /var/run/supervisord; \
 \
- # Create a symlink so 'postgres' and other pg tools are on PATH
+ # Create symlinks so postgres tools are on PATH
 ln -sf /usr/lib/postgresql/17/bin/postgres /usr/local/bin/postgres; \
- ln -sf /usr/lib/postgresql/17/bin/initdb /usr/local/bin/initdb; \
- ln -sf /usr/lib/postgresql/17/bin/pg_ctl /usr/local/bin/pg_ctl
+ ln -sf /usr/lib/postgresql/17/bin/initdb /usr/local/bin/initdb; \
+ ln -sf /usr/lib/postgresql/17/bin/pg_ctl /usr/local/bin/pg_ctl
 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
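Review bot: The ownership and `chmod 750` applied here to /var/run/postgresql and /var/run/supervisord exist only in the image layer, so a tmpfs mounted over those paths at runtime hides them. The comment this commit removes from start.sh says such mounts start owned by root, and once the container runs as uid 10001 start.sh can no longer chown them, so PostgreSQL would be unable to create its socket there. If the deployment does mount these paths as tmpfs (not visible in this diff), the mounts need matching uid/gid/mode options, and a comment next to the chown such as `# NOTE: runtime tmpfs mounts over these paths must be created with uid=10001,gid=10001` would record that requirement. The RUN instruction starts above this hunk.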
@@ -62,6 +67,8 @@ COPY --chmod=664 supervisord.conf /supervisord.conf
 VOLUME ["/var/lib/postgresql/data", "/tmp/windmill/cache"]
+USER 10001
+
 EXPOSE 8000
 ENTRYPOINT ["/start.sh"]
diff --git a/Containers/windmill/start.sh b/Containers/windmill/start.sh
index 6ee0329a..a53d743c 100644
--- a/Containers/windmill/start.sh
+++ b/Containers/windmill/start.sh
@@ -10,21 +10,18 @@ fi
 export TZ="${TZ:-Etc/UTC}"
 PGDATA="/var/lib/postgresql/data"
-# Fix runtime directory permissions (tmpfs mounts start owned by root)
-chown postgres:postgres /var/run/postgresql
-chmod 775 /var/run/postgresql
-
-# Initialize PostgreSQL data directory on first run
+# Initialize PostgreSQL data directory on first run.
+# No su/chown needed — we already own PGDATA (uid=10001 owns the volume).
 if [ -z "$(ls -A "$PGDATA" 2>/dev/null)" ]; then
 echo "Initializing PostgreSQL database for Windmill..."
- # Ensure the data directory is owned by postgres before initdb
- chown postgres:postgres "$PGDATA"
+ initdb -D "$PGDATA" \
+ --username=windmill \
+ --auth-local=trust \
+ --auth-host=trust \
+ --no-instructions
- # Run initdb as the postgres user
- su postgres -s /bin/bash -c "initdb -D '$PGDATA' --username=postgres --auth-local=trust --auth-host=trust --no-instructions"
-
- # Allow connections from localhost without a password
+ # Allow local connections without a password; listen only on localhost
 cat > "$PGDATA/pg_hba.conf" << 'EOF'
 # TYPE DATABASE USER ADDRESS METHOD
 local all all trust
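Review bot: The new comment in start.sh's first hunk, `No su/chown needed — we already own PGDATA`, holds only for a volume that was first populated from this image. A data directory written by the previous image is non-empty and owned by the old postgres account, so the init block is skipped and the server, now started as uid 10001, has no way to take ownership of it; PostgreSQL refuses to start on a data directory it does not own. Because the script can no longer repair this itself, a fail-fast check placed before the `if` would give operators a clear message, for example `[ -w "$PGDATA" ] || { echo "PGDATA is not writable by uid $(id -u); chown the volume to 10001:10001" >&2; exit 1; }`. The `if` block opened here closes outside this hunk.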
@@ -32,16 +29,16 @@ host all all 127.0.0.1/32 trust
 host all all ::1/128 trust
 EOF
- # Only listen on localhost; the database is not exposed externally
 cat >> "$PGDATA/postgresql.conf" << 'EOF'
 listen_addresses = 'localhost'
 EOF
- # Start PostgreSQL temporarily to create the windmill database and user
- su postgres -s /bin/bash -c "pg_ctl -D '$PGDATA' start -w -o '-k /var/run/postgresql'"
- su postgres -s /bin/bash -c "psql -h /var/run/postgresql -c \"CREATE USER windmill;\""
- su postgres -s /bin/bash -c "psql -h /var/run/postgresql -c \"CREATE DATABASE windmill OWNER windmill;\""
- su postgres -s /bin/bash -c "pg_ctl -D '$PGDATA' stop"
+ # Start PostgreSQL temporarily to create the windmill database, then stop it.
+ # supervisord will restart it properly afterward.
+ pg_ctl -D "$PGDATA" start -w -o "-k /var/run/postgresql"
+ psql -h /var/run/postgresql -U windmill postgres \
+ -c "CREATE DATABASE windmill OWNER windmill;"
+ pg_ctl -D "$PGDATA" stop -w
 echo "PostgreSQL initialization complete."
 fi
diff --git a/Containers/windmill/supervisord.conf b/Containers/windmill/supervisord.conf
index 15c99492..c3d95f91 100644
--- a/Containers/windmill/supervisord.conf
+++ b/Containers/windmill/supervisord.conf
@@ -8,7 +8,6 @@ logfile_backups=10
 loglevel=error
 [program:postgresql]
-user=postgres
 command=postgres -D /var/lib/postgresql/data -k /var/run/postgresql
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
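Review bot: In start.sh's second hunk, dropping `CREATE USER windmill;` works only because `initdb --username=windmill` in the first hunk makes windmill the bootstrap superuser, so the role that owns the application database is now a PostgreSQL superuser rather than an ordinary role. Combined with the `trust` entries in pg_hba.conf, any process in the container that can reach the socket or 127.0.0.1 obtains that superuser without a password. If Windmill connects as this role (its connection string is not visible here) and its migrations do not require superuser, keep the two roles separate: pass `--username=postgres` to initdb and run `psql -h /var/run/postgresql -U postgres postgres -c "CREATE USER windmill;"` before the CREATE DATABASE. If superuser is in fact required, a comment above the psql call stating that the grant is intentional would keep the next reader from assuming least privilege.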