diff --git a/Dockerfile b/Dockerfile
index abde6986..bbce2fc9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 FROM ghcr.io/linuxserver/unrar:latest AS unrar
-FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:3.21
 # set version label
 ARG BUILD_DATE
@@ -53,7 +53,7 @@ RUN \
 pip install -U --no-cache-dir \
 pip \
 wheel && \
- pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \
+ pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
 -r /app/bazarr/bin/requirements.txt \
 -r /app/bazarr/bin/postgres-requirements.txt && \
 printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 9c056052..27e3fd2e 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -2,7 +2,7 @@
 FROM ghcr.io/linuxserver/unrar:arm64v8-latest AS unrar
-FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20
+FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.21
 # set version label
 ARG BUILD_DATE
@@ -53,7 +53,7 @@ RUN \
 pip install -U --no-cache-dir \
 pip \
 wheel && \
- pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.20/ \
+ pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
 -r /app/bazarr/bin/requirements.txt \
 -r /app/bazarr/bin/postgres-requirements.txt && \
 printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
diff --git a/README.md b/README.md
index 65372858..725783b2 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,10 @@ The architectures supported by this image are:
 This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
 ## Usage
 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@@ -118,6 +122,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e TZ=Etc/UTC` | specify a timezone to use, see this [list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List). |
 | `-v /config` | Persistent config files |
 | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
 ## Environment variables from files (Docker secrets)
@@ -281,6 +286,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **24.12.24:** - Rebase to Alpine 3.21.
 * **06.06.24:** - Rebase to Alpine 3.20.
 * **23.12.23:** - Rebase to Alpine 3.19.
 * **19.09.23:** - Install unrar from [linuxserver repo](https://github.com/linuxserver/docker-unrar).
diff --git a/readme-vars.yml b/readme-vars.yml
index 218feb73..c3d6192b 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -19,6 +19,7 @@ param_usage_include_ports: true
 param_ports:
 - {external_port: "6767", internal_port: "6767", port_desc: "Allows HTTP access to the internal webserver."}
 readonly_supported: true
+nonroot_supported: true
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
@@ -69,6 +70,7 @@ init_diagram: |
 "bazarr:development" <- Base Images
 # changelog
 changelogs:
+ - {date: "24.12.24:", desc: "Rebase to Alpine 3.21."}
 - {date: "06.06.24:", desc: "Rebase to Alpine 3.20."}
 - {date: "23.12.23:", desc: "Rebase to Alpine 3.19."}
 - {date: "19.09.23:", desc: "Install unrar from [linuxserver repo](https://github.com/linuxserver/docker-unrar)."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-bazarr-config/run b/root/etc/s6-overlay/s6-rc.d/init-bazarr-config/run
index 3a13f422..e0c72335 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-bazarr-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-bazarr-config/run
@@ -1,5 +1,7 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
-# permissions
-lsiown -R abc:abc \
- /config
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+ lsiown -R abc:abc \
+ /config
+fi
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-bazarr/run b/root/etc/s6-overlay/s6-rc.d/svc-bazarr/run
index 56ca65d7..3df693aa 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-bazarr/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-bazarr/run
@@ -1,5 +1,12 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
-exec \
- s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 6767" \
- s6-setuidgid abc python3 /app/bazarr/bin/bazarr.py --no-update --config /config
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+ exec \
+ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 6767" \
+ cd /app/bazarr/bin s6-setuidgid abc python3 /app/bazarr/bin/bazarr.py --no-update --config /config
+else
+ exec \
+ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 6767" \
+ cd /app/bazarr/bin python3 /app/bazarr/bin/bazarr.py --no-update --config /config
+fi
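Review bot: The new `if [[ -z ${LSIO_NON_ROOT_USER} ]]` guard in `init-bazarr-config/run` keys the ownership fix on an environment variable being empty, not on the UID the container actually started with, and nothing in this diff shows where that variable is set. If it can be non-empty while the container still runs as root, this script leaves `/config` unchowned and the `else` branch in `svc-bazarr/run` (same guard) starts `bazarr.py` without `s6-setuidgid abc`, so the service would keep root. Unless the base image guarantees the variable only appears on a non-root start, I would also test the effective UID in both scripts, e.g. `if [[ -z ${LSIO_NON_ROOT_USER} ]] || [[ "$(id -u)" -eq 0 ]]; then`. The removed `# permissions` comment could be replaced with `# skip chown when started as a non-root user, which cannot change ownership`.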
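Review bot: The two branches of the new `if` in `svc-bazarr/run` repeat the whole `s6-notifyoncheck … bazarr.py --no-update --config /config` chain and differ only in `s6-setuidgid abc`, so the readiness check and arguments must now be kept identical in two places, and a later edit to one branch can silently change how only the root-started or only the non-root path runs. Consider computing the prefix once, e.g. `drop=(); [[ -z ${LSIO_NON_ROOT_USER} ]] && drop=(s6-setuidgid abc)`, and using a single `exec … cd /app/bazarr/bin "${drop[@]}" python3 …`. The added `cd /app/bazarr/bin` sits in program position after `s6-notifyoncheck`, so it is presumably a chain-loading `cd` binary rather than the bash builtin; a comment such as `# cd is exec'd as a program here to set the working directory before python3 starts` would spare the next reader that lookup.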